Snort mailing list archives

Re: More packet drops


From: Kevin Ross <kevross33 () googlemail com>
Date: Fri, 17 Dec 2010 14:07:27 +0000

FYI, for the PDF name representation sigs I would update them, because I have
since updated them with some FP updates so they are more accurate (namely
negating the actual word, such as "pages", in the PCRE). Regards, Kevin

On 15 December 2010 16:46, Lay, James <james.lay () wincofoods com> wrote:

Hey Team,



I know I hit this a fair amount, but I have been seeing this more and
more...observe the following.



From 08:03:30 to 08:49:18 I have in my alert log 24 events:



08:03:30  [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:60203
08:07:18  [1:2011409:2] ET DNS DNS Query for Suspicious .co.cc Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.21.0.8:61378 -> 207.170.210.162:53
08:07:20  [1:2011409:2] ET DNS DNS Query for Suspicious .co.cc Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.21.0.8:53058 -> 207.170.210.162:53
08:07:23  [1:2011409:2] ET DNS DNS Query for Suspicious .co.cc Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.21.0.8:50024 -> 207.170.210.162:53
08:08:33  [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 66.77.124.48:80 -> 10.21.0.16:60940
08:13:23  [1:17400:1] WEB-CLIENT rename of JavaScript unescape function - likely malware obfuscation [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 96.7.21.50:80 -> 10.21.0.16:61748
08:13:23  [1:17400:1] WEB-CLIENT rename of JavaScript unescape function - likely malware obfuscation [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 96.7.21.50:80 -> 10.21.0.16:61748
08:13:54  [1:2011582:3] ET POLICY Vulnerable Java Version 1.6.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.21.0.16:61924 -> 64.55.39.56:80
08:18:42  [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.189:80 -> 10.21.0.16:62691
08:21:20  [1:7033:2] POLICY GoToMyPC local service running [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.10.0.44:1110 -> 216.115.208.199:8200
08:22:33  [1:7033:2] POLICY GoToMyPC local service running [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.10.0.56:1103 -> 216.115.208.199:8200
08:23:48  [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.189:80 -> 10.21.0.16:63602
08:25:46  [1:2010882:3] ET POLICY .pdf File Containing Javascript [**] [Classification: Misc activity] [Priority: 3] {TCP} 129.42.42.136:80 -> 10.21.0.16:64089
08:35:58  [1:15213004:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Type [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58  [1:15213009:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58  [1:15213004:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Type [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58  [1:15213009:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:39:06  [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:2356
08:39:14  [1:2010784:3] ET POLICY Facebook Chat (send message) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:2391 -> 66.220.146.32:80
08:39:54  [1:15306:5] WEB-CLIENT Portable Executable binary file transfer [**] [Classification: Misc activity] [Priority: 3] {TCP} 206.169.246.169:80 -> 10.21.0.16:2557
08:43:09  [1:2011411:2] ET DNS DNS Query for Suspicious .co.kr Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.21.0.8:61942 -> 207.170.210.162:53
08:44:06  [1:2011582:3] ET POLICY Vulnerable Java Version 1.6.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.21.0.16:3293 -> 206.169.246.137:80
08:44:12  [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:3302
08:49:18  [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:3745



Yet in my pcap file I see only 18:



reading from file internettcpdump.pcap.1292425386, link-type EN10MB (Ethernet)
08:03:30.305344 IP 64.210.194.188.80 > 10.21.0.16.60203: Flags [.], ack 282797950, win 11792, length 1400
08:07:18.325312 IP 10.21.0.8.61378 > 207.170.210.162.53: 57440+ NS? co.cc. (23)
08:07:20.324161 IP 10.21.0.8.53058 > 207.170.210.162.53: 39002+ A? roozzy.co.cc. (30)
08:07:23.203946 IP 10.21.0.8.50024 > 207.170.210.162.53: 3064+ A? co.cc.multi.surbl.org. (39)
08:08:33.344711 IP 66.77.124.48.80 > 10.21.0.16.60940: Flags [.], ack 267700243, win 8168, length 1400
08:13:23.161052 IP 96.7.21.50.80 > 10.21.0.16.61748: Flags [.], ack 2940291853, win 6432, length 1400
08:13:23.168051 IP 96.7.21.50.80 > 10.21.0.16.61748: Flags [.], ack 1, win 6432, length 1400
08:13:54.536707 IP 10.21.0.16.61924 > 64.55.39.56.80: Flags [P.], ack 2352821962, win 65535, length 293
08:18:42.335202 IP 64.210.194.189.80 > 10.21.0.16.62691: Flags [.], ack 2174948125, win 7504, length 1400
08:21:20.958353 IP 10.10.0.44.1110 > 216.115.208.199.8200: Flags [P.], ack 3353747836, win 65535, length 39
08:22:33.467936 IP 10.10.0.56.1103 > 216.115.208.199.8200: Flags [P.], ack 1853793984, win 65535, length 39
08:23:48.894301 IP 64.210.194.189.80 > 10.21.0.16.63602: Flags [.], ack 1977407693, win 7504, length 1400
08:39:06.205770 IP 64.210.194.188.80 > 10.21.0.16.2356: Flags [.], ack 195376762, win 11792, length 1400
08:39:54.189185 IP 206.169.246.169.80 > 10.21.0.16.2557: Flags [.], ack 2163517595, win 7504, length 1400
08:43:09.564591 IP 10.21.0.8.61942 > 207.170.210.162.53: 46222+ A? ns.igroupnet.co.kr. (36)
08:44:06.541333 IP 10.21.0.16.3293 > 206.169.246.137.80: Flags [P.], ack 4050879426, win 65535, length 258
08:44:12.610875 IP 64.210.194.188.80 > 10.21.0.16.3302: Flags [.], ack 239480599, win 11792, length 1400
08:49:18.396033 IP 64.210.194.188.80 > 10.21.0.16.3745: Flags [.], ack 1085111822, win 9648, length 1400



The six dropped items were:



08:25:46  [1:2010882:3] ET POLICY .pdf File Containing Javascript [**] [Classification: Misc activity] [Priority: 3] {TCP} 129.42.42.136:80 -> 10.21.0.16:64089
08:35:58  [1:15213004:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Type [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58  [1:15213009:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58  [1:15213004:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Type [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58  [1:15213009:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:39:14  [1:2010784:3] ET POLICY Facebook Chat (send message) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:2391 -> 66.220.146.32:80



Here are the rule file entries:



emerging-policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Facebook Chat (send message)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/send.php"; http_uri; content:"facebook.com"; http_header; classtype:policy-violation; reference:url,doc.emergingthreats.net/2010784; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat; sid:2010784; rev:3;)



emerging-policy.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY .pdf File Containing Javascript"; flow:established,to_client; file_data; content:"PDF-"; nocase; depth:300; content:"/Javascript"; nocase; distance:0; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010882; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_PDF; sid:2010882; rev:3;)



pdf.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of /Type"; flow:established,to_client; content:"PDF-"; depth:300; content:"/"; distance:0; content:!"Type"; within:4; content:"#"; within:11; pcre:"/\x2F(T|#54)(y|#79)(p|#70)(e|#65)/i"; classtype:bad-unknown; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; sid:15213004; rev:1;)



pdf.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages"; flow:established,to_client; content:"PDF-"; depth:300; content:"/"; distance:0; content:!"Pages"; within:5; content:"#"; within:13; pcre:"/\x2F(P|#50)(a|#61)(g|#67)(e|#65)(s|#73)/i"; classtype:bad-unknown; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; sid:15213009; rev:1;)



Pertinent log entries in snort.conf:

config event_queue: max_queue 8 log 3 order_events content_length

output log_tcpdump: internettcpdump.pcap



The setup is a port in monitor mode on a gig switch, plugged into a USB
nic on the snort box.

Switch stats:

GigabitEthernet1/0/13 is up, line protocol is down (monitoring)
 Hardware is Gigabit Ethernet
 MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
    reliability 255/255, txload 3/255, rxload 1/255
 Encapsulation ARPA, loopback not set
 Keepalive set (10 sec)
 Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
 input flow-control is off, output flow-control is unsupported
 ARP type: ARPA, ARP Timeout 04:00:00
 Last input never, output 3w5d, output hang never
 Last clearing of "show interface" counters never
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 5802
 Queueing strategy: fifo
 Output queue: 0/40 (size/max)
 5 minute input rate 0 bits/sec, 0 packets/sec
 5 minute output rate 1205000 bits/sec, 287 packets/sec
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts (0 multicasts)
    0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
    0 watchdog, 0 multicast, 0 pause input
    0 input packets with dribble condition detected
    607863137 packets output, 336036843121 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collision, 0 deferred
    0 lost carrier, 0 no carrier, 0 PAUSE output
    0 output buffer failures, 0 output buffers swapped out



Interface stats:

eth5      Link encap:Ethernet  HWaddr 00:50:ba:77:e9:b6
          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:269512998 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3185031021 (2.9 GiB)  TX bytes:0 (0.0 B)



Considering that the packet makes it enough for snort to alert, but not
log some packets makes me think it's not a networking issue.  Can anyone
see anything that I'm glaringly missing?  The only common factor I can
see is that it always seems to be port 80.  Interestingly...none of the
below show up either:



12/02-10:25:54.702534  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:47438 -> 69.63.181.12:80
12/02-10:46:37.876655  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:52801 -> 66.220.149.25:80
12/02-11:01:38.081401  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:55967 -> 66.220.149.18:80
12/02-11:16:38.348142  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:59508 -> 66.220.147.11:80
12/02-11:35:12.894873  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:62891 -> 69.63.189.31:80
12/02-14:44:06.681124  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:30016 -> 66.220.149.25:80
12/02-14:59:09.955642  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:33798 -> 66.220.158.25:80
12/02-15:45:41.462082  [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:43851 -> 66.220.149.11:80
12/02-15:54:20.088339  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80
12/02-15:54:23.532080  [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80
12/02-15:55:05.482947  [**] [1:2010784:3] ET POLICY Facebook Chat (send message) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80
12/02-15:55:09.427649  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80
12/02-15:55:09.823623  [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80
12/02-15:55:20.528820  [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80
12/02-15:55:50.929549  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy list) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:46372 -> 69.63.189.11:80
12/15-08:39:14.437154  [**] [1:2010784:3] ET POLICY Facebook Chat (send message) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:2391 -> 66.220.146.32:80
12/15-09:40:01.948657  [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:12796 -> 66.220.158.18:80



Thank you.



James Lay

IT Security Analyst

WinCo Foods

208-672-2014 Office

208-559-1855 Cell

650 N Armstrong Pl.

Boise, Idaho 83704





------------------------------------------------------------------------------
Lotusphere 2011
Register now for Lotusphere 2011 and learn how
to connect the dots, take your collaborative environment
to the next level, and enter the era of Social Business.
http://p.sf.net/sfu/lotusphere-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

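The alert-versus-pcap comparison James did by eye can be scripted so the gap is found the same way every time. The following is an added example, not code from the thread, from Snort or from Emerging Threats: it parses Snort fast-alert lines and `tcpdump -n` output, pairs each alert with a logged packet on the same second and the same src/dst/ports, and reports the alerts that have no packet, grouped by SID. The sample lines are a constructed subset of the ones quoted above, re-joined onto single lines; function and constant names are my own. It goes a little beyond the first list by also accepting the full alert-file line shape with a date prefix and a leading `[**]`, as in the second list.

```python
"""Correlate a Snort fast-alert log with the packets log_tcpdump wrote."""
import re
from collections import Counter

# Constructed sample input: a subset of the alert lines quoted in the thread,
# re-joined onto single lines (the mail client had wrapped them).
ALERT_LOG = """\
08:03:30  [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:60203
08:13:23  [1:17400:1] WEB-CLIENT rename of JavaScript unescape function - likely malware obfuscation [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 96.7.21.50:80 -> 10.21.0.16:61748
08:13:23  [1:17400:1] WEB-CLIENT rename of JavaScript unescape function - likely malware obfuscation [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 96.7.21.50:80 -> 10.21.0.16:61748
08:25:46  [1:2010882:3] ET POLICY .pdf File Containing Javascript [**] [Classification: Misc activity] [Priority: 3] {TCP} 129.42.42.136:80 -> 10.21.0.16:64089
08:35:58  [1:15213004:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Type [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58  [1:15213009:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:39:14  [1:2010784:3] ET POLICY Facebook Chat (send message) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:2391 -> 66.220.146.32:80
08:43:09  [1:2011411:2] ET DNS DNS Query for Suspicious .co.kr Domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.21.0.8:61942 -> 207.170.210.162:53
"""

# Constructed sample input: the matching subset of the tcpdump output quoted
# in the thread (tcpdump -nr <pcap>); the header line is deliberately kept.
PCAP_LOG = """\
reading from file internettcpdump.pcap.1292425386, link-type EN10MB (Ethernet)
08:03:30.305344 IP 64.210.194.188.80 > 10.21.0.16.60203: Flags [.], ack 282797950, win 11792, length 1400
08:13:23.161052 IP 96.7.21.50.80 > 10.21.0.16.61748: Flags [.], ack 2940291853, win 6432, length 1400
08:13:23.168051 IP 96.7.21.50.80 > 10.21.0.16.61748: Flags [.], ack 1, win 6432, length 1400
08:43:09.564591 IP 10.21.0.8.61942 > 207.170.210.162.53: 46222+ A? ns.igroupnet.co.kr. (36)
"""

# Fast-alert line. Date prefix, microseconds and the leading "[**]" are
# optional so both list formats quoted in the thread parse.
ALERT_RE = re.compile(
    r"^(?:\d\d/\d\d-)?(?P<time>\d\d:\d\d:\d\d)(?:\.\d+)?\s+(?:\[\*\*\]\s+)?"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# tcpdump -n line: "HH:MM:SS.ffffff IP a.b.c.d.sport > e.f.g.h.dport: ..."
PKT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\.\d+\s+IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)"
    r"\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def flow_key(rec):
    """Second-resolution timestamp plus the 4-tuple, shared by both parsers."""
    return (rec["time"], rec["src"], rec["sport"], rec["dst"], rec["dport"])


def parse_alerts(text):
    """Return one dict per parseable alert line; other lines are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]


def parse_packets(text):
    """Count logged packets per (second, src, sport, dst, dport)."""
    seen = Counter()
    for m in map(PKT_RE.match, text.splitlines()):
        if m:
            seen[flow_key(m.groupdict())] += 1
    return seen


def find_unlogged(alerts, packets):
    """Alerts with no logged packet in the same second on the same 4-tuple.

    Each packet is consumed by at most one alert, so two alerts on one flow
    in the same second need two packets (as with sid 17400 in the sample).
    """
    remaining = Counter(packets)
    missing = []
    for alert in alerts:
        key = flow_key(alert)
        if remaining[key] > 0:
            remaining[key] -= 1
        else:
            missing.append(alert)
    return missing


def summarize(missing):
    """Map sid -> (message, count) so the gap can be read per rule."""
    out = {}
    for alert in missing:
        msg, n = out.get(alert["sid"], (alert["msg"], 0))
        out[alert["sid"]] = (msg, n + 1)
    return out


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_LOG)
    packets = parse_packets(PCAP_LOG)
    missing = find_unlogged(alerts, packets)
    print(f"{len(alerts)} alerts, {sum(packets.values())} logged packets, "
          f"{len(missing)} alerts without a logged packet")
    for sid, (msg, n) in summarize(missing).items():
        print(f"  sid {sid}: {n}x {msg}")
```

On a live box the two constants would be read from the alert file and from `tcpdump -nr` over the log_tcpdump output; matching at one-second resolution is deliberate, since the fast-alert format has no sub-second field and the pcap timestamp does. The per-SID summary is what to read first: if every unlogged alert comes from the same handful of rules, the next thing to compare is what those rules have in common in their options.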