Snort mailing list archives
More packet drops
From: "Lay, James" <james.lay () wincofoods com>
Date: Wed, 15 Dec 2010 09:46:16 -0700
Hey Team, I know I hit this a fair amount, but I have been seeing this more and more...observe the following.
From 08:03:30 to 08:49:18 I have in my alert log 24 events:
08:03:30 [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:60203
08:07:18 [1:2011409:2] ET DNS DNS Query for Suspicious .co.cc Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.21.0.8:61378 -> 207.170.210.162:53
08:07:20 [1:2011409:2] ET DNS DNS Query for Suspicious .co.cc Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.21.0.8:53058 -> 207.170.210.162:53
08:07:23 [1:2011409:2] ET DNS DNS Query for Suspicious .co.cc Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.21.0.8:50024 -> 207.170.210.162:53
08:08:33 [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 66.77.124.48:80 -> 10.21.0.16:60940
08:13:23 [1:17400:1] WEB-CLIENT rename of JavaScript unescape function - likely malware obfuscation [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 96.7.21.50:80 -> 10.21.0.16:61748
08:13:23 [1:17400:1] WEB-CLIENT rename of JavaScript unescape function - likely malware obfuscation [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 96.7.21.50:80 -> 10.21.0.16:61748
08:13:54 [1:2011582:3] ET POLICY Vulnerable Java Version 1.6.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.21.0.16:61924 -> 64.55.39.56:80
08:18:42 [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.189:80 -> 10.21.0.16:62691
08:21:20 [1:7033:2] POLICY GoToMyPC local service running [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.10.0.44:1110 -> 216.115.208.199:8200
08:22:33 [1:7033:2] POLICY GoToMyPC local service running [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.10.0.56:1103 -> 216.115.208.199:8200
08:23:48 [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.189:80 -> 10.21.0.16:63602
08:25:46 [1:2010882:3] ET POLICY .pdf File Containing Javascript [**] [Classification: Misc activity] [Priority: 3] {TCP} 129.42.42.136:80 -> 10.21.0.16:64089
08:35:58 [1:15213004:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Type [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58 [1:15213009:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58 [1:15213004:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Type [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58 [1:15213009:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:39:06 [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:2356
08:39:14 [1:2010784:3] ET POLICY Facebook Chat (send message) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:2391 -> 66.220.146.32:80
08:39:54 [1:15306:5] WEB-CLIENT Portable Executable binary file transfer [**] [Classification: Misc activity] [Priority: 3] {TCP} 206.169.246.169:80 -> 10.21.0.16:2557
08:43:09 [1:2011411:2] ET DNS DNS Query for Suspicious .co.kr Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.21.0.8:61942 -> 207.170.210.162:53
08:44:06 [1:2011582:3] ET POLICY Vulnerable Java Version 1.6.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.21.0.16:3293 -> 206.169.246.137:80
08:44:12 [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:3302
08:49:18 [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:3745

Yet in my pcap file I see only 18:

reading from file internettcpdump.pcap.1292425386, link-type EN10MB (Ethernet)
08:03:30.305344 IP 64.210.194.188.80 > 10.21.0.16.60203: Flags [.], ack 282797950, win 11792, length 1400
08:07:18.325312 IP 10.21.0.8.61378 > 207.170.210.162.53: 57440+ NS? co.cc. (23)
08:07:20.324161 IP 10.21.0.8.53058 > 207.170.210.162.53: 39002+ A? roozzy.co.cc. (30)
08:07:23.203946 IP 10.21.0.8.50024 > 207.170.210.162.53: 3064+ A? co.cc.multi.surbl.org. (39)
08:08:33.344711 IP 66.77.124.48.80 > 10.21.0.16.60940: Flags [.], ack 267700243, win 8168, length 1400
08:13:23.161052 IP 96.7.21.50.80 > 10.21.0.16.61748: Flags [.], ack 2940291853, win 6432, length 1400
08:13:23.168051 IP 96.7.21.50.80 > 10.21.0.16.61748: Flags [.], ack 1, win 6432, length 1400
08:13:54.536707 IP 10.21.0.16.61924 > 64.55.39.56.80: Flags [P.], ack 2352821962, win 65535, length 293
08:18:42.335202 IP 64.210.194.189.80 > 10.21.0.16.62691: Flags [.], ack 2174948125, win 7504, length 1400
08:21:20.958353 IP 10.10.0.44.1110 > 216.115.208.199.8200: Flags [P.], ack 3353747836, win 65535, length 39
08:22:33.467936 IP 10.10.0.56.1103 > 216.115.208.199.8200: Flags [P.], ack 1853793984, win 65535, length 39
08:23:48.894301 IP 64.210.194.189.80 > 10.21.0.16.63602: Flags [.], ack 1977407693, win 7504, length 1400
08:39:06.205770 IP 64.210.194.188.80 > 10.21.0.16.2356: Flags [.], ack 195376762, win 11792, length 1400
08:39:54.189185 IP 206.169.246.169.80 > 10.21.0.16.2557: Flags [.], ack 2163517595, win 7504, length 1400
08:43:09.564591 IP 10.21.0.8.61942 > 207.170.210.162.53: 46222+ A? ns.igroupnet.co.kr. (36)
08:44:06.541333 IP 10.21.0.16.3293 > 206.169.246.137.80: Flags [P.], ack 4050879426, win 65535, length 258
08:44:12.610875 IP 64.210.194.188.80 > 10.21.0.16.3302: Flags [.], ack 239480599, win 11792, length 1400
08:49:18.396033 IP 64.210.194.188.80 > 10.21.0.16.3745: Flags [.], ack 1085111822, win 9648, length 1400

The six dropped items were:

08:25:46 [1:2010882:3] ET POLICY .pdf File Containing Javascript [**] [Classification: Misc activity] [Priority: 3] {TCP} 129.42.42.136:80 -> 10.21.0.16:64089
08:35:58 [1:15213004:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Type [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58 [1:15213009:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58 [1:15213004:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Type [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58 [1:15213009:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:39:14 [1:2010784:3] ET POLICY Facebook Chat (send message) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:2391 -> 66.220.146.32:80

Here are the rule file entries:

emerging-policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Facebook Chat (send message)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/send.php"; http_uri; content:"facebook.com"; http_header; classtype:policy-violation; reference:url,doc.emergingthreats.net/2010784; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat; sid:2010784; rev:3;)
emerging-policy.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY .pdf File Containing Javascript"; flow:established,to_client; file_data; content:"PDF-"; nocase; depth:300; content:"/Javascript"; nocase; distance:0; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010882; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_PDF; sid:2010882; rev:3;)
pdf.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of /Type"; flow:established,to_client; content:"PDF-"; depth:300; content:"/"; distance:0; content:!"Type"; within:4; content:"#"; within:11; pcre:"/\x2F(T|#54)(y|#79)(p|#70)(e|#65)/i"; classtype:bad-unknown; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; sid:15213004; rev:1;)
pdf.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages"; flow:established,to_client; content:"PDF-"; depth:300; content:"/"; distance:0; content:!"Pages"; within:5; content:"#"; within:13; pcre:"/\x2F(P|#40)(a|#61)(g|#67)(e|#65)(s|#73)/i"; classtype:bad-unknown; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; sid:15213009; rev:1;)

Pertinent log entries in snort.conf:

config event_queue: max_queue 8 log 3 order_events content_length
output log_tcpdump: internettcpdump.pcap

The setup is a port in monitor mode on a gig switch, plugged into a USB NIC on the Snort box.

Switch stats:

GigabitEthernet1/0/13 is up, line protocol is down (monitoring)
  Hardware is Gigabit Ethernet
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 3/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 3w5d, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 5802
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1205000 bits/sec, 287 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     607863137 packets output, 336036843121 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Interface stats:

eth5      Link encap:Ethernet  HWaddr 00:50:ba:77:e9:b6
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:269512998 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3185031021 (2.9 GiB)  TX bytes:0 (0.0 B)

Considering that the packet makes it far enough for Snort to alert, but some packets are not logged, makes me think it's not a networking issue. Can anyone see anything that I'm glaringly missing? The only common factor I can see is that it always seems to be port 80.
Interestingly... none of the below show up either:

12/02-10:25:54.702534 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:47438 -> 69.63.181.12:80
12/02-10:46:37.876655 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:52801 -> 66.220.149.25:80
12/02-11:01:38.081401 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:55967 -> 66.220.149.18:80
12/02-11:16:38.348142 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:59508 -> 66.220.147.11:80
12/02-11:35:12.894873 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:62891 -> 69.63.189.31:80
12/02-14:44:06.681124 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:30016 -> 66.220.149.25:80
12/02-14:59:09.955642 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:33798 -> 66.220.158.25:80
12/02-15:45:41.462082 [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:43851 -> 66.220.149.11:80
12/02-15:54:20.088339 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80
12/02-15:54:23.532080 [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80
12/02-15:55:05.482947 [**] [1:2010784:3] ET POLICY Facebook Chat (send message) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80
12/02-15:55:09.427649 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80
12/02-15:55:09.823623 [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80
12/02-15:55:20.528820 [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80
12/02-15:55:50.929549 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46372 -> 69.63.189.11:80
12/15-08:39:14.437154 [**] [1:2010784:3] ET POLICY Facebook Chat (send message) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:2391 -> 66.220.146.32:80
12/15-09:40:01.948657 [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:12796 -> 66.220.158.18:80

Thank you.

James Lay
IT Security Analyst
WinCo Foods
208-672-2014 Office
208-559-1855 Cell
650 N Armstrong Pl.
Boise, Idaho 83704
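The comparison James did by hand above (24 alerts, 18 packets, six missing) is worth automating when the alert volume is larger, so here is an added example that is not part of the original post or of the Snort project. It parses alert lines in the two formats shown in this message (with and without the MM/DD- date prefix and fractional second) and `tcpdump -nn -r` summary lines, and reports every alert for which the pcap contains no packet with the same second-resolution timestamp and the same source/destination address and port. The sample lines embedded below are constructed from the post's own output; the regexes assume exactly those two text formats.

```python
"""Reconcile Snort alert lines against a tcpdump summary of the log_tcpdump
pcap and list alerts that have no packet in the same second on the same
src:port -> dst:port pair.

Added example for this thread; not code from the original post or from Snort.
Assumes alert lines like
  08:03:30 [1:15362:2] msg [**] [Classification: ...] [Priority: 3] {TCP} a:p -> b:q
(optionally prefixed with MM/DD- and carrying a fractional second, with a
leading "[**]") and tcpdump -nn summary lines like
  08:03:30.305344 IP a.p > b.q: ...
"""
import re
from collections import Counter

# Constructed sample alert lines (copied from the post's formats).
ALERTS = """\
08:03:30 [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:60203
08:07:18 [1:2011409:2] ET DNS DNS Query for Suspicious .co.cc Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.21.0.8:61378 -> 207.170.210.162:53
08:25:46 [1:2010882:3] ET POLICY .pdf File Containing Javascript [**] [Classification: Misc activity] [Priority: 3] {TCP} 129.42.42.136:80 -> 10.21.0.16:64089
08:35:58 [1:15213004:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Type [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58 [1:15213009:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
12/15-08:39:14.437154 [**] [1:2010784:3] ET POLICY Facebook Chat (send message) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:2391 -> 66.220.146.32:80
"""

# Constructed sample tcpdump -nn summary lines (copied from the post's pcap dump).
PACKETS = """\
08:03:30.305344 IP 64.210.194.188.80 > 10.21.0.16.60203: Flags [.], ack 282797950, win 11792, length 1400
08:07:18.325312 IP 10.21.0.8.61378 > 207.170.210.162.53: 57440+ NS? co.cc. (23)
08:39:06.205770 IP 64.210.194.188.80 > 10.21.0.16.2356: Flags [.], ack 195376762, win 11792, length 1400
"""

ALERT_RE = re.compile(
    r"^(?:\d\d/\d\d-)?(?P<ts>\d\d:\d\d:\d\d)(?:\.\d+)? (?:\[\*\*\] )?"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] .*?"
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# tcpdump's one-line summary does not name the L4 protocol, so the key is
# second-resolution timestamp plus the address/port 4-tuple only.
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_alerts(text):
    """Return one dict per alert line that matches the fast-alert layout."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def packet_index(text):
    """Count packets per (second, src, sport, dst, dport) key in a tcpdump summary."""
    idx = Counter()
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            idx[(m["ts"], m["src"], m["sport"], m["dst"], m["dport"])] += 1
    return idx


def reconcile(alert_text, pcap_text):
    """Split alerts into (matched, missing) by presence of a same-second packet
    on the same 4-tuple. A match only proves *some* packet of that flow was
    logged in that second, not necessarily the one that fired the rule."""
    idx = packet_index(pcap_text)
    matched, missing = [], []
    for a in parse_alerts(alert_text):
        key = (a["ts"], a["src"], a["sport"], a["dst"], a["dport"])
        (matched if idx[key] else missing).append(a)
    return matched, missing


def report(alert_text, pcap_text):
    """Human-readable summary of the reconciliation."""
    matched, missing = reconcile(alert_text, pcap_text)
    lines = [f"{len(matched)} alerts have a packet in the pcap, {len(missing)} do not"]
    for a in missing:
        lines.append(
            f"  MISSING {a['ts']} sid {a['sid']} {a['proto']} "
            f"{a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}  {a['msg']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ALERTS, PACKETS))
```

To run it against real files, feed `parse_alerts` the alert log and `packet_index` the output of `tcpdump -nn -r internettcpdump.pcap.<suffix>`; sub-second timestamps are not in the fast alert line, so a hit on the same 4-tuple within the same second is the strongest correlation available without switching to a per-packet output such as unified2.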
Current thread:
- More packet drops Lay, James (Dec 15)
- Re: More packet drops Kevin Ross (Dec 17)