Snort mailing list archives

Re: WEB-IIS view source via translate header false alarms


From: James Nonya <slave_tothe_box () yahoo com>
Date: Wed, 14 Jan 2004 11:04:52 -0800 (PST)

On Wed, 14 Jan 2004 12:14:22 -0600 "Bradberry, John" <BradberryJ () aafes com> wrote:

Hello:

Our team is running snort 2.0.6 with sid 1042 enabled.  Note that the rule explicitly looks at ***TCP*** traffic to ports 80 and 8080:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3a| F"; nocase; classtype:web-application-activity; sid:1042; rev:6;)

We're observing ***UDP*** traffic triggering alarms on sid 1042!  The protocol, destination port, and content do not match the signature:

Jan 14 10:26:20 <4.1> snort: [1:1042:6] WEB-IIS view source via translate header [Classification: access to a potentially vulnerable web application] [Priority: 2]: <fec0> {UDP} src_IP:68 -> dst_IP:67

Has anyone else observed this condition?

John Bradberry
The Greentree Group



John,

I've seen the same type of thing at home...here's a sample:

Jan 13 18:36:49 homebox kernel: New,invalid UDP-ICMP:IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=193.126.36.217 DST=24.116.255.102 LEN=404 TOS=0x00 PREC=0x00 TTL=110 ID=34580 PROTO=UDP SPT=1131 DPT=1434 LEN=384

Jan 13 18:36:49 homebox snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 193.126.36.217:1131 -> 24.116.255.102:1434


Jan 13 18:38:00 homebox kernel: New,invalid TCP:IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=63.198.47.20 DST=24.116.255.102 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=50905 DF PROTO=TCP SPT=3824 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)

Jan 13 18:38:00 homebox snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {TCP} 63.198.47.20:3824 -> 24.116.255.102:21


The above first 2 show a correct alert trigger...iptables blocks and logs the packet and snort alerts ms sql alert.  But dig the last two...that's an ftp scan..TCP...totally different port....I have NO idea why that triggered.  Since I don't run ftp on that box here's the rule that I made:

from local.rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Server Scan"; flags:S; classtype:info-attempt; sid:1000005; rev:1;)

from sid-msg.map

1000005 || FTP Scan

I have a sneaky suspicion it's something to do with classtype?  Not sure.

James
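Both posters describe the same symptom: the syslog alert names a SID whose rule header (protocol, destination port) cannot match the packet that was logged. A quick sanity check for that condition, written as an added example that is not part of this thread or of Snort itself: it parses the rule headers and the syslog alert format shown above and reports where they disagree. The rule texts, the port variable values and the sample alert line are constructed for this example (sid 2003's option body is trimmed to msg/sid; only headers are compared).

```python
import re

# Constructed for this example: rule headers from the thread plus sid 2003's
# (udp, dst port 1434); option bodies trimmed to msg/sid, only headers are checked.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; sid:1042; rev:6;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; sid:2003; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Server Scan"; flags:S; sid:1000005; rev:1;)',
]
PORT_VARS = {"$HTTP_PORTS": {80, 8080}}  # assumed snort.conf values
# Constructed syslog line in the thread's format (documentation IPs).
SAMPLE_ALERT = ("Jan 14 10:26:20 <4.1> snort: [1:1042:6] WEB-IIS view source via translate header "
                "[Classification: access to a potentially vulnerable web application] "
                "[Priority: 2]: <fec0> {UDP} 192.0.2.10:68 -> 192.0.2.1:67")
HEADER_RE = re.compile(r"^alert\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\((.*)\)\s*$")
ALERT_RE = re.compile(r"\[\d+:(\d+):\d+\].*?\[Priority:\s*\d+\]:\s+(?:<[^>]*>\s+)?"
                      r"\{(\w+)\}\s+\S+?:(\d+)\s+->\s+\S+?:(\d+)")

def ports_from(spec):
    """Expand a header port field: None for 'any', else a set of ints."""
    if spec == "any":
        return None
    if spec.startswith("$"):
        return PORT_VARS[spec]
    lo, _, hi = spec.partition(":")  # single port or lo:hi range
    return set(range(int(lo), int(hi or lo) + 1))

def load_rules(rule_lines):
    """Index each rule's declared (protocol, dst ports) by sid."""
    index = {}
    for line in rule_lines:
        proto, dport, opts = HEADER_RE.match(line).groups()
        sid = int(re.search(r"sid:\s*(\d+)", opts).group(1))
        index[sid] = (proto.lower(), ports_from(dport))
    return index

def check_alert(line, index):
    """List the ways an alert line contradicts the header of the rule it names."""
    m = ALERT_RE.search(line)
    if not m:
        return ["unparseable alert line"]
    sid, proto, _, dport = m.groups()
    if int(sid) not in index:
        return [f"sid {sid} not in loaded rules"]
    r_proto, r_ports = index[int(sid)]
    problems = []
    if proto.lower() != r_proto:
        problems.append(f"sid {sid}: packet is {proto} but rule header says {r_proto}")
    if r_ports is not None and int(dport) not in r_ports:
        problems.append(f"sid {sid}: dst port {dport} not in rule ports {sorted(r_ports)}")
    return problems
```

Running `check_alert(SAMPLE_ALERT, load_rules(RULES))` on the UDP 68 -> 67 line reports both the protocol and the port mismatch for sid 1042; an alert whose SID is absent from the loaded rules, or a line in an unexpected format, is reported rather than silently passed.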



