Snort mailing list archives

Re: Why can't I see tcp flags for a triggered alert (snort+base)


From: John Huss <john.huss () thebunker net>
Date: Wed, 21 Jan 2009 14:34:20 +0000

Hello

Joel Esler wrote:
> Flags in a TCP packet are recorded.  Can you post your snort.conf,
> command line start up, rule, and even a pcap ?
>
> Joel

Sure thing, snort.conf copied below, stripped of comments for shortness:

------------------- /etc/snort/snort.conf -------------------
var HOME_NET [6.6.6.6/19,7.7.7.7/20]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
config disable_tcpopt_experimental_alerts
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules

------------------- cli-startup -------------------
/usr/bin/snort -D -u snort -i eth1 -l /var/log/snort -c /etc/snort/snort.conf

------------------- my first rule -------------------
Be kind please, it's my first attempt! ;)

(from local.rules)

alert tcp any any -> 1.2.3.4 22 (msg: "Johnny Alert 1"; \
sid:1007502; rev:1; classtype:denial-of-service; priority:10; flags:S;)

# With this rule, my aim is for it to alert when it matches traffic hitting
# 1.2.3.4 port 22 with the SYN flag set.

------------------- pcap -------------------
(Is tcpdump copy and paste ok?)

14:23:10.507755 IP mr.attacker.naughty.com.58905 > 1.2.3.4.ssh: S 227433107:227433107(0) win 4096
14:23:10.508114 IP 1.2.3.4.ssh > mr.attacker.naughty.com.58905: S 951878926:951878926(0) ack 227433108 win 65535 <mss 1460>
14:23:10.514148 IP mr.attacker.naughty.com.58906 > 1.2.3.4.ssh: S 1514290818:1514290818(0) win 4096
14:23:10.514332 IP 1.2.3.4.ssh > mr.attacker.naughty.com.58906: S 2294986114:2294986114(0) ack 1514290819 win 65535 <mss 1460>
14:23:10.516145 IP mr.attacker.naughty.com.58907 > 1.2.3.4.ssh: S 441396281:441396281(0) win 4096
14:23:10.516407 IP 1.2.3.4.ssh > mr.attacker.naughty.com.58907: S 1955258624:1955258624(0) ack 441396282 win 65535 <mss 1460>
14:23:10.520766 IP mr.attacker.naughty.com.58908 > 1.2.3.4.ssh: S 871792875:871792875(0) win 4096
14:23:10.521232 IP 1.2.3.4.ssh > mr.attacker.naughty.com.56040: S 136192523:136192523(0) ack 477563074 win 65535 <mss 1460>
14:23:10.521462 IP 1.2.3.4.ssh > mr.attacker.naughty.com.58908: S 262528392:262528392(0) ack 871792876 win 65535 <mss 1460>
14:23:10.522833 IP mr.attacker.naughty.com.58909 > 1.2.3.4.ssh: S 1051856133:1051856133(0) win 4096
14:23:10.523152 IP 1.2.3.4.ssh > mr.attacker.naughty.com.58909: S 2320831878:2320831878(0) ack 1051856134 win 65535 <mss 1460>

-

Hope that helps - and thanks again, any advice is very gratefully received.

Kind Regards,


Johnny
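Added example (not part of the post, and not Snort's own code): a small Python model of what the rule above does with the tcpdump lines above. It shows the point that is easy to miss when reading this capture: in this older tcpdump format both the client's SYN and the server's SYN-ACK print their flag letters as "S", and the ACK bit only appears as the separate "ack N" field, so a Snort `flags:S` option (exactly SYN set, nothing else) fires on the five bare SYNs to 1.2.3.4:22 and not on the SYN-ACK replies. The rule-header matcher is a deliberate simplification (exact IP or `any`, no CIDR, lists or negation); the `flags` modifier semantics (`+`, `*`, `!`, and the `,12` reserved-bit mask) follow the Snort 2 rule-option documentation. The sample input is the first three exchanges from the capture, re-joined one packet per line.

```python
import re

# Constructed sample: the first three SYN / SYN-ACK pairs from the post's
# tcpdump output, one packet per line (tcpdump 3.x style: flag letters after
# the colon, and a separate "ack N" field when the ACK bit is set).
TCPDUMP_SAMPLE = """\
14:23:10.507755 IP mr.attacker.naughty.com.58905 > 1.2.3.4.ssh: S 227433107:227433107(0) win 4096
14:23:10.508114 IP 1.2.3.4.ssh > mr.attacker.naughty.com.58905: S 951878926:951878926(0) ack 227433108 win 65535 <mss 1460>
14:23:10.514148 IP mr.attacker.naughty.com.58906 > 1.2.3.4.ssh: S 1514290818:1514290818(0) win 4096
14:23:10.514332 IP 1.2.3.4.ssh > mr.attacker.naughty.com.58906: S 2294986114:2294986114(0) ack 1514290819 win 65535 <mss 1460>
14:23:10.516145 IP mr.attacker.naughty.com.58907 > 1.2.3.4.ssh: S 441396281:441396281(0) win 4096
14:23:10.516407 IP 1.2.3.4.ssh > mr.attacker.naughty.com.58907: S 1955258624:1955258624(0) ack 441396282 win 65535 <mss 1460>
"""

# The post's rule, with the line-continuation backslash removed.
JOHNNY_RULE = ('alert tcp any any -> 1.2.3.4 22 (msg:"Johnny Alert 1"; sid:1007502; '
               'rev:1; classtype:denial-of-service; priority:10; flags:S;)')

SERVICE_PORTS = {"ssh": 22}  # tcpdump prints service names for well-known ports

PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<flags>[SFPRWE.]+) (?P<rest>.*)$"
)
RULE_RE = re.compile(
    r"^alert tcp (?P<src>\S+) (?P<sport>\S+) -> (?P<dst>\S+) (?P<dport>\S+) \((?P<opts>.*)\)$"
)
# Snort names the two reserved bits "1" and "2"; tcpdump prints them as CWR/ECE.
SNORT_TO_TCPDUMP = {"1": "W", "2": "E"}


def port_number(s):
    return int(s) if s.isdigit() else SERVICE_PORTS[s]


def parse_packet(line):
    """Parse one tcpdump line into endpoints, ports and the set of TCP flag letters."""
    m = PKT_RE.match(line)
    if not m:
        return None
    flags = set(m["flags"]) - {"."}          # "." means no flags in this format
    if re.search(r"\back \d+", m["rest"]):    # ACK bit is shown as a separate field
        flags.add("A")
    return {"src": m["src"], "sport": port_number(m["sport"]),
            "dst": m["dst"], "dport": port_number(m["dport"]), "flags": flags}


def parse_rule(text):
    """Split a Snort rule into header fields and a dict of 'key:value' options."""
    m = RULE_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError("unsupported rule syntax")
    rule = m.groupdict()
    rule["opts"] = {}
    for opt in m["opts"].split(";"):
        if ":" in opt:
            key, value = opt.split(":", 1)
            rule["opts"][key.strip()] = value.strip()
    return rule


def header_matches(rule, pkt):
    """Simplified header check: 'any' or an exact IP/port (no CIDR or negation)."""
    def ip_ok(spec, actual):
        return spec == "any" or spec == actual

    def port_ok(spec, actual):
        return spec == "any" or int(spec) == actual

    return (ip_ok(rule["src"], pkt["src"]) and port_ok(rule["sport"], pkt["sport"])
            and ip_ok(rule["dst"], pkt["dst"]) and port_ok(rule["dport"], pkt["dport"]))


def flags_match(spec, pkt_flags):
    """Snort 2 'flags' semantics: 'S' = exactly SYN; '+S' = SYN plus any others;
    '*SA' = any of SYN/ACK; '!S' = SYN not set; a trailing ',12' ignores the reserved bits."""
    bits, _, ignore = spec.partition(",")
    mod = bits[0] if bits[0] in "+*!" else ""
    wanted = {SNORT_TO_TCPDUMP.get(c, c) for c in bits.lstrip("+*!")}
    have = pkt_flags - {SNORT_TO_TCPDUMP[c] for c in ignore if c in SNORT_TO_TCPDUMP}
    if mod == "+":
        return wanted <= have
    if mod == "*":
        return bool(wanted & have)
    if mod == "!":
        return not (wanted & have)
    return have == wanted


def matching_packets(rule_text, dump_text):
    """Return (src, sport, flags) for every packet the rule would alert on."""
    rule = parse_rule(rule_text)
    hits = []
    for line in dump_text.splitlines():
        pkt = parse_packet(line)
        if pkt is None or not header_matches(rule, pkt):
            continue
        if "flags" in rule["opts"] and not flags_match(rule["opts"]["flags"], pkt["flags"]):
            continue
        hits.append((pkt["src"], pkt["sport"], "".join(sorted(pkt["flags"]))))
    return hits


if __name__ == "__main__":
    for hit in matching_packets(JOHNNY_RULE, TCPDUMP_SAMPLE):
        print("alert:", hit)
```

Running it lists only the three client SYNs (ports 58905 to 58907, flags "S"); the three SYN-ACKs from 1.2.3.4 fail both the destination check and the `flags:S` test because they carry SYN and ACK. Swapping the option for `flags:+S` (and the destination for `any`) makes both halves of each handshake match, which is the usual way to confirm that a SYN-only rule is really seeing the SYN rather than the reply.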

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
