Snort mailing list archives
Re: More packet drops
From: Kevin Ross <kevross33 () googlemail com>
Date: Fri, 17 Dec 2010 14:07:27 +0000
FYI for the PDF name representation sigs I would update them because I have since updated them with some FP updates so they are more accurate (namely negating the actual word such as pages in the PCRE).

Regards,
Kevin

On 15 December 2010 16:46, Lay, James <james.lay () wincofoods com> wrote:
Hey Team,

I know I hit this a fair amount, but I have been seeing this more and more...observe the following. From 08:03:30 to 08:49:18 I have in my alert log 24 events:

08:03:30 [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:60203
08:07:18 [1:2011409:2] ET DNS DNS Query for Suspicious .co.cc Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.21.0.8:61378 -> 207.170.210.162:53
08:07:20 [1:2011409:2] ET DNS DNS Query for Suspicious .co.cc Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.21.0.8:53058 -> 207.170.210.162:53
08:07:23 [1:2011409:2] ET DNS DNS Query for Suspicious .co.cc Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.21.0.8:50024 -> 207.170.210.162:53
08:08:33 [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 66.77.124.48:80 -> 10.21.0.16:60940
08:13:23 [1:17400:1] WEB-CLIENT rename of JavaScript unescape function - likely malware obfuscation [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 96.7.21.50:80 -> 10.21.0.16:61748
08:13:23 [1:17400:1] WEB-CLIENT rename of JavaScript unescape function - likely malware obfuscation [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 96.7.21.50:80 -> 10.21.0.16:61748
08:13:54 [1:2011582:3] ET POLICY Vulnerable Java Version 1.6.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.21.0.16:61924 -> 64.55.39.56:80
08:18:42 [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.189:80 -> 10.21.0.16:62691
08:21:20 [1:7033:2] POLICY GoToMyPC local service running [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.10.0.44:1110 -> 216.115.208.199:8200
08:22:33 [1:7033:2] POLICY GoToMyPC local service running [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.10.0.56:1103 -> 216.115.208.199:8200
08:23:48 [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.189:80 -> 10.21.0.16:63602
08:25:46 [1:2010882:3] ET POLICY .pdf File Containing Javascript [**] [Classification: Misc activity] [Priority: 3] {TCP} 129.42.42.136:80 -> 10.21.0.16:64089
08:35:58 [1:15213004:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Type [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58 [1:15213009:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58 [1:15213004:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Type [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58 [1:15213009:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:39:06 [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:2356
08:39:14 [1:2010784:3] ET POLICY Facebook Chat (send message) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:2391 -> 66.220.146.32:80
08:39:54 [1:15306:5] WEB-CLIENT Portable Executable binary file transfer [**] [Classification: Misc activity] [Priority: 3] {TCP} 206.169.246.169:80 -> 10.21.0.16:2557
08:43:09 [1:2011411:2] ET DNS DNS Query for Suspicious .co.kr Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.21.0.8:61942 -> 207.170.210.162:53
08:44:06 [1:2011582:3] ET POLICY Vulnerable Java Version 1.6.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.21.0.16:3293 -> 206.169.246.137:80
08:44:12 [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:3302
08:49:18 [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:3745

Yet in my pcap file I see only 18:

reading from file internettcpdump.pcap.1292425386, link-type EN10MB (Ethernet)
08:03:30.305344 IP 64.210.194.188.80 > 10.21.0.16.60203: Flags [.], ack 282797950, win 11792, length 1400
08:07:18.325312 IP 10.21.0.8.61378 > 207.170.210.162.53: 57440+ NS? co.cc. (23)
08:07:20.324161 IP 10.21.0.8.53058 > 207.170.210.162.53: 39002+ A? roozzy.co.cc. (30)
08:07:23.203946 IP 10.21.0.8.50024 > 207.170.210.162.53: 3064+ A? co.cc.multi.surbl.org. (39)
08:08:33.344711 IP 66.77.124.48.80 > 10.21.0.16.60940: Flags [.], ack 267700243, win 8168, length 1400
08:13:23.161052 IP 96.7.21.50.80 > 10.21.0.16.61748: Flags [.], ack 2940291853, win 6432, length 1400
08:13:23.168051 IP 96.7.21.50.80 > 10.21.0.16.61748: Flags [.], ack 1, win 6432, length 1400
08:13:54.536707 IP 10.21.0.16.61924 > 64.55.39.56.80: Flags [P.], ack 2352821962, win 65535, length 293
08:18:42.335202 IP 64.210.194.189.80 > 10.21.0.16.62691: Flags [.], ack 2174948125, win 7504, length 1400
08:21:20.958353 IP 10.10.0.44.1110 > 216.115.208.199.8200: Flags [P.], ack 3353747836, win 65535, length 39
08:22:33.467936 IP 10.10.0.56.1103 > 216.115.208.199.8200: Flags [P.], ack 1853793984, win 65535, length 39
08:23:48.894301 IP 64.210.194.189.80 > 10.21.0.16.63602: Flags [.], ack 1977407693, win 7504, length 1400
08:39:06.205770 IP 64.210.194.188.80 > 10.21.0.16.2356: Flags [.], ack 195376762, win 11792, length 1400
08:39:54.189185 IP 206.169.246.169.80 > 10.21.0.16.2557: Flags [.], ack 2163517595, win 7504, length 1400
08:43:09.564591 IP 10.21.0.8.61942 > 207.170.210.162.53: 46222+ A? ns.igroupnet.co.kr. (36)
08:44:06.541333 IP 10.21.0.16.3293 > 206.169.246.137.80: Flags [P.], ack 4050879426, win 65535, length 258
08:44:12.610875 IP 64.210.194.188.80 > 10.21.0.16.3302: Flags [.], ack 239480599, win 11792, length 1400
08:49:18.396033 IP 64.210.194.188.80 > 10.21.0.16.3745: Flags [.], ack 1085111822, win 9648, length 1400

The six dropped items were:

08:25:46 [1:2010882:3] ET POLICY .pdf File Containing Javascript [**] [Classification: Misc activity] [Priority: 3] {TCP} 129.42.42.136:80 -> 10.21.0.16:64089
08:35:58 [1:15213004:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Type [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58 [1:15213009:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58 [1:15213004:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Type [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58 [1:15213009:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:39:14 [1:2010784:3] ET POLICY Facebook Chat (send message) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:2391 -> 66.220.146.32:80

Here are the rule file entries:

emerging-policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Facebook Chat (send message)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/send.php"; http_uri; content:"facebook.com"; http_header; classtype:policy-violation; reference:url,doc.emergingthreats.net/2010784; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat; sid:2010784; rev:3;)

emerging-policy.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY .pdf File Containing Javascript"; flow:established,to_client; file_data; content:"PDF-"; nocase; depth:300; content:"/Javascript"; nocase; distance:0; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010882; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_PDF; sid:2010882; rev:3;)

pdf.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of /Type"; flow:established,to_client; content:"PDF-"; depth:300; content:"/"; distance:0; content:!"Type"; within:4; content:"#"; within:11; pcre:"/\x2F(T|#54)(y|#79)(p|#70)(e|#65)/i"; classtype:bad-unknown; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; sid:15213004; rev:1;)

pdf.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages"; flow:established,to_client; content:"PDF-"; depth:300; content:"/"; distance:0; content:!"Pages"; within:5; content:"#"; within:13; pcre:"/\x2F(P|#40)(a|#61)(g|#67)(e|#65)(s|#73)/i"; classtype:bad-unknown; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; sid:15213009; rev:1;)

Pertinent log entries in snort.conf:

config event_queue: max_queue 8 log 3 order_events content_length
output log_tcpdump: internettcpdump.pcap

The setup is a port in monitor mode on a gig switch, plugged into a USB nic on the snort box.

Switch stats:

GigabitEthernet1/0/13 is up, line protocol is down (monitoring)
  Hardware is Gigabit Ethernet
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 3/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 3w5d, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 5802
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1205000 bits/sec, 287 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     607863137 packets output, 336036843121 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Interface stats:

eth5      Link encap:Ethernet  HWaddr 00:50:ba:77:e9:b6
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:269512998 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3185031021 (2.9 GiB)  TX bytes:0 (0.0 B)

Considering that the packet makes it enough for snort to alert, but not log some packets, makes me think it's not a networking issue. Can anyone see anything that I'm glaringly missing? The only common factor I can see is that it always seems to be port 80.

Interestingly...none of the below show up either:

12/02-10:25:54.702534 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:47438 -> 69.63.181.12:80
12/02-10:46:37.876655 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:52801 -> 66.220.149.25:80
12/02-11:01:38.081401 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:55967 -> 66.220.149.18:80
12/02-11:16:38.348142 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:59508 -> 66.220.147.11:80
12/02-11:35:12.894873 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:62891 -> 69.63.189.31:80
12/02-14:44:06.681124 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:30016 -> 66.220.149.25:80
12/02-14:59:09.955642 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:33798 -> 66.220.158.25:80
12/02-15:45:41.462082 [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:43851 -> 66.220.149.11:80
12/02-15:54:20.088339 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80
12/02-15:54:23.532080 [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80
12/02-15:55:05.482947 [**] [1:2010784:3] ET POLICY Facebook Chat (send message) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80
12/02-15:55:09.427649 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80
12/02-15:55:09.823623 [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80
12/02-15:55:20.528820 [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80
12/02-15:55:50.929549 [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46372 -> 69.63.189.11:80
12/15-08:39:14.437154 [**] [1:2010784:3] ET POLICY Facebook Chat (send message) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:2391 -> 66.220.146.32:80
12/15-09:40:01.948657 [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:12796 -> 66.220.158.18:80

Thank you.

James Lay
IT Security Analyst
WinCo Foods
208-672-2014 Office
208-559-1855 Cell
650 N Armstrong Pl.
Boise, Idaho 83704

------------------------------------------------------------------------------
Lotusphere 2011
Register now for Lotusphere 2011 and learn how to connect the dots, take your collaborative environment to the next level, and enter the era of Social Business.
http://p.sf.net/sfu/lotusphere-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
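The alert-versus-pcap comparison James did by hand above is worth scripting when the counts are larger than 24 and 18. The following Python script is an added example for this archive page, not code from the thread or from Snort: it parses Snort fast-format alert lines and tcpdump one-line output, keys both on the second-resolution timestamp and the 5-tuple, and lists the alerts for which no packet reached the log_tcpdump file, grouped by SID so that the affected rules stand out. The embedded sample lines are a subset copied from James's message (three matching pairs plus four alerts without a packet); inferring TCP versus UDP from whether the tcpdump line carries "Flags [" is this example's own heuristic, since default tcpdump output does not print the protocol name for UDP.

```python
"""Correlate Snort fast-format alerts with tcpdump one-line output.

Added example for the thread above; not Snort's code. The inputs are a
constructed subset of the lines posted in the thread, embedded so the
script runs offline.
"""
import re
from collections import Counter

# Constructed sample input: seven alert lines from James's alert log.
ALERT_LINES = """\
08:03:30 [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:60203
08:07:18 [1:2011409:2] ET DNS DNS Query for Suspicious .co.cc Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.21.0.8:61378 -> 207.170.210.162:53
08:25:46 [1:2010882:3] ET POLICY .pdf File Containing Javascript [**] [Classification: Misc activity] [Priority: 3] {TCP} 129.42.42.136:80 -> 10.21.0.16:64089
08:35:58 [1:15213004:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Type [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58 [1:15213009:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:39:14 [1:2010784:3] ET POLICY Facebook Chat (send message) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:2391 -> 66.220.146.32:80
08:39:54 [1:15306:5] WEB-CLIENT Portable Executable binary file transfer [**] [Classification: Misc activity] [Priority: 3] {TCP} 206.169.246.169:80 -> 10.21.0.16:2557
"""

# Constructed sample input: the tcpdump lines matching alerts 1, 2 and 7;
# the other four alerts have no packet in the pcap, as in the thread.
PCAP_LINES = """\
08:03:30.305344 IP 64.210.194.188.80 > 10.21.0.16.60203: Flags [.], ack 282797950, win 11792, length 1400
08:07:18.325312 IP 10.21.0.8.61378 > 207.170.210.162.53: 57440+ NS? co.cc. (23)
08:39:54.189185 IP 206.169.246.169.80 > 10.21.0.16.2557: Flags [.], ack 2163517595, win 7504, length 1400
"""

# Snort "fast" alert line, tolerating the optional "MM/DD-" date prefix,
# fractional seconds and leading "[**]" seen in the second listing.
ALERT_RE = re.compile(
    r"^(?:\d\d/\d\d-)?(?P<ts>\d\d:\d\d:\d\d)(?:\.\d+)?\s+(?:\[\*\*\]\s+)?"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# tcpdump default IPv4 line: "HH:MM:SS.usec IP a.b.c.d.port > e.f.g.h.port: ..."
PCAP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+\s+IP\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)


def parse_alerts(text):
    """Return one dict per parseable alert line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def parse_packets(text):
    """Return one dict per tcpdump packet line.

    Heuristic (this example's assumption, not a tcpdump guarantee): a line
    carrying "Flags [" is TCP; anything else is treated as UDP.
    """
    packets = []
    for line in text.splitlines():
        m = PCAP_RE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        pkt["proto"] = "TCP" if "Flags [" in pkt["rest"] else "UDP"
        packets.append(pkt)
    return packets


def flow_key(rec):
    """Second-resolution timestamp plus the 5-tuple, as both tools print them."""
    return (rec["ts"], rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])


def find_unlogged(alerts, packets):
    """Alerts whose (timestamp, 5-tuple) never appears among the logged packets."""
    logged = {flow_key(p) for p in packets}
    return [a for a in alerts if flow_key(a) not in logged]


def unlogged_by_sid(alerts, packets):
    """Count missing alerts per rule SID, to see whether specific rules are affected."""
    return Counter(a["sid"] for a in find_unlogged(alerts, packets))


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_LINES)
    packets = parse_packets(PCAP_LINES)
    missing = find_unlogged(alerts, packets)
    print(f"{len(alerts)} alerts, {len(packets)} packets, "
          f"{len(missing)} alerts without a logged packet")
    for a in missing:
        print(f"  {a['ts']} sid {a['sid']:>9} {a['proto']} "
              f"{a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}  {a['msg']}")
    print("per-SID:", dict(unlogged_by_sid(alerts, packets)))
```

Run against the full alert file and `tcpdump -nr internettcpdump.pcap.<suffix>` output, the per-SID counter is the first thing to look at: if the alerts without packets cluster on a few rules (as the four PDF and Facebook SIDs do here) rather than being spread randomly, the cause is more likely in how those rules match and what the logger is handed than in the span port or NIC.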
Current thread:
- More packet drops Lay, James (Dec 15)
- Re: More packet drops Kevin Ross (Dec 17)