Snort mailing list archives

RE: Snort rule triggered an alert, but why?


From: C.Prickaerts () UB unimaas nl
Date: Thu, 5 Dec 2002 17:32:25 +0100

Hi Chris,

But what was the attack ?
The rule says it looks at repeated 43 content. But I failed to spot them in
the dumplog.

Cheers,

Chris 
:)

-----Original Message-----
From: Chris Green [mailto:cmg () sourcefire com] 
Sent: donderdag 5 december 2002 17:27
To: C.Prickaerts () UB unimaas nl
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort rule triggered an alert, but why?


C.Prickaerts () UB unimaas nl writes:

Hi group,

I'm doing some Snort analysis and found a packet that triggered a 
rule, but can't find out why:

This looks like a bug with double alerting after a successful attack which
was fixed in 1.9 CVS a bit ago.  Soon, 1.9.1 should be coming out but feel
free to upgrade to the head of the SNORT_1_9 branch.

Cheers,
Chris

The rule:

alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS 
(msg:"SHELLCODE x86 inc ebx NOOP"; content:"|43 43 43 43 43 43 43 43 
43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43|"; 
classtype:shellcode-detect; sid:1390; rev:3;)

The Alert:

[**] SHELLCODE x86 inc ebx NOOP [**]
12/05-09:12:11.101861 attacker:80 -> myhost:29090 TCP TTL:51 TOS:0x0 
ID:62013 IpLen:20 DgmLen:1491 DF
***AP*** Seq: 0x370C8E71  Ack: 0x171E3  Win: 0x422E  TcpLen: 20 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+=+

The Packet

09:12:11.101861 attacker.80 > myhost.29090: P 81915:83366(1451) ack 
4487 win 16942 (DF) (ttl 51, id 62013, len 1491)
0x0000   4500 05d3 f23d 4000 3306 f981 cf2e 1c64        E....=@.3......d
0x0010   8978 e15a 0050 71a2 370c 8e71 0001 71e3        .x.Z.Pq.7..q..q.
0x0020   5018 422e 5efd 0000 4854 5450 2f31 2e31        P.B.^...HTTP/1.1
0x0030   2032 3030 204f 4b0d 0a53 6572 7665 723a        .200.OK..Server:
0x0040   204d 6963 726f 736f 6674 2d49 4953 2f35        .Microsoft-IIS/5
0x0050   2e30                                           .0

And a few minutes later:

[**] SHELLCODE x86 inc ebx NOOP [**]
12/05-09:17:00.251861 attacker:80 -> myhost:29185 TCP TTL:51 TOS:0x0 
ID:17396 IpLen:20 DgmLen:1491 DF
***AP*** Seq: 0x6F3476D4  Ack: 0x5F67A  Win: 0x41E0  TcpLen: 20 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+=+

The packet

09:17:00.251861 attacker.80 > myhost.29185: P 1:1452(1451) ack 657 win 
16864 (DF) (ttl 51, id 17396, len 1491)
0x0000   4500 05d3 43f4 4000 3306 a7cb cf2e 1c64        E...C.@.3......d
0x0010   8978 e15a 0050 7201 6f34 76d4 0005 f67a        .x.Z.Pr.o4v....z
0x0020   5018 41e0 b7c1 0000 4854 5450 2f31 2e31        P.A.....HTTP/1.1
0x0030   2032 3030 204f 4b0d 0a53 6572 7665 723a        .200.OK..Server:
0x0040   204d 6963 726f 736f 6674 2d49 4953 2f35        .Microsoft-IIS/5
0x0050   2e30                                           .0

This traffic is part of ongoing HTTP traffic. Only thing I can see is 
that the packets look very similar. Question is, why did snort call 
the Alert? What am I overlooking?

Greets,

Chris


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Chris Green <cmg () sourcefire com>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod


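An added example, not part of the thread and not Snort's own code: a small Python script that does by hand what the poster tried to do by eye, i.e. re-read the tcpdump -x dump quoted above, carve out the TCP payload and search it for the rule's content (24 x 0x43). The dump embedded below is a copy of the first packet from the thread; the second packet built by build_tcp_packet() is constructed here to show a true positive. The addresses, ports and sequence numbers used in the constructed packet are taken from the posted alert; the field layout is plain IPv4/TCP without options.

```python
import re
import struct

# Content option of the rule quoted in the thread (sid:1390):
# twenty-four 0x43 bytes, i.e. a run of x86 "inc ebx" instructions.
INC_EBX_SLED = b"\x43" * 24

# Copy of the first tcpdump -x dump posted in the thread. Only 82 of the
# 1491 bytes that the IP header declares were captured.
POSTED_DUMP = """\
0x0000   4500 05d3 f23d 4000 3306 f981 cf2e 1c64        E....=@.3......d
0x0010   8978 e15a 0050 71a2 370c 8e71 0001 71e3        .x.Z.Pq.7..q..q.
0x0020   5018 422e 5efd 0000 4854 5450 2f31 2e31        P.B.^...HTTP/1.1
0x0030   2032 3030 204f 4b0d 0a53 6572 7665 723a        .200.OK..Server:
0x0040   204d 6963 726f 736f 6674 2d49 4953 2f35        .Microsoft-IIS/5
0x0050   2e30                                           .0
"""

# One tcpdump -x line: offset, 16-bit hex groups, then an optional ASCII column.
HEX_LINE = re.compile(
    r"^0x[0-9a-fA-F]{4}\s+((?:[0-9a-fA-F]{4}\s)*[0-9a-fA-F]{2,4})"
)


def parse_tcpdump_hex(dump: str) -> bytes:
    """Reassemble the raw packet bytes from tcpdump -x style output."""
    data = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            data += bytes.fromhex("".join(m.group(1).split()))
    return bytes(data)


def tcp_payload(packet: bytes):
    """Return (payload, declared_ip_length) for an IPv4/TCP packet.

    Header lengths come from the IHL nibble and the TCP data offset, so
    IP or TCP options are skipped correctly.
    """
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    declared_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("not TCP")
    data_offset = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + data_offset:], declared_len


def check_rule_content(packet: bytes, content: bytes = INC_EBX_SLED) -> dict:
    """Emulate the rule's content match on the captured TCP payload."""
    payload, declared_len = tcp_payload(packet)
    offset = payload.find(content)
    return {
        "match": offset != -1,
        "payload_offset": offset,
        "captured_bytes": len(packet),
        "declared_bytes": declared_len,
        # If the capture is shorter than the datagram, "no match" only
        # covers the bytes we can see, not the whole packet Snort saw.
        "complete": len(packet) >= declared_len,
    }


def build_tcp_packet(payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet using the thread's addresses and ports.

    Checksums are left zero; they are irrelevant to a content match.
    """
    total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000,
                     51, 6, 0, bytes.fromhex("cf2e1c64"), bytes.fromhex("8978e15a"))
    tcp = struct.pack("!HHIIBBHHH", 80, 29090, 0x370C8E71, 0x000171E3,
                      5 << 4, 0x18, 0x422E, 0, 0)
    return ip + tcp + payload


if __name__ == "__main__":
    print("posted dump:", check_rule_content(parse_tcpdump_hex(POSTED_DUMP)))
    sled = b"HTTP/1.1 200 OK\r\n" + INC_EBX_SLED + b"\r\n"
    print("constructed sled:", check_rule_content(build_tcp_packet(sled)))
```

The point of the "complete" flag: the posted dump holds 82 bytes of a 1491-byte datagram, so not finding the 0x43 run in the dump says nothing about the 1400 bytes that were not captured. Re-run the capture with a larger snaplen (tcpdump -s 0) before concluding that the content was absent; that is a separate question from the double-alert bug Chris Green points at.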

