Snort mailing list archives

Fwd: Snort catching backup as alert?


From: William Rehnquyst <rehnquyst () gmail com>
Date: Mon, 19 Aug 2013 11:32:12 -0400

Hi,

The other day my Snort alerted that it had detected shellcode, and the
payload information looks just like a Snort rule. It seems to be going from
my Snort server to the backup server. Does that just mean that while the
backup is happening, Snort is detecting the shellcode it's looking for in the
rule file itself?

I would think if that's the case then every single rule in the rule file
would be triggered, because everything it's looking for is in there and
it's being transmitted. Were these shellcode detections just a fluke then?

Below is the payload it captured, which triggered the alert:

"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case
decoder"; content:"redacted because it'd just get picked up by
sourcefire IDS as malware"; fast_pattern:only; metadata:policy
balanced-ips drop, policy connectivity-ips drop, policy security-ips
drop; classtype:shellcode-detect; sid:17340; rev:3;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
x86 OS agnostic alpha UTF8 tolower avoidance decoder";
content:"redacted"; content:"redacted because it'd just get picked up
by sourcefire IDS as malware"; distance:1; content:"redacted";
distance:1; metadata:policy balanced-ips drop, policy connectivity-ips
drop, policy security-ips drop; classtype:shellcode-detect; sid:17341;
rev:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
x86 OS agnostic unicode mixed case decoder"; content:"redacted";
metadata:policy balanced-ips drop, policy connectivity-ips drop,
policy security-ips drop; classtype:shellcode-detect; sid:17342;
rev:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
x86 OS agnostic unicode upper case decoder"; content:"redacted";
metadata:policy balanced-ips drop, policy connectivity-ips drop,
policy security-ips drop; classtype:shellcode-detect; sid:17343;
rev:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
x86 OS agnostic xor

Many thanks,

Rehn

PS. On a side note, pardon my newbie-ness, but how do screenshots and
attachments work on a mailing list like this? I'm not sure whether they
work or not, because I never see them in the archive on seclists.org?
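Added example, not part of the original post and not Snort's own code: a small Python model of why a rule file being copied to a backup host can trip its own `content:` literals, and why only some rules do. A rule whose header is `ip ... any -> ... any` is gated by nothing but its content strings, so the raw rule text in transit matches it; a rule with a port or protocol constraint is filtered out by the header, and a content written with `|hex|` escapes never appears as raw bytes in the file. The block then emits `threshold.conf` suppress lines scoped to the backup source. The three sample rules are constructed (placeholder content strings stand in for the redacted patterns; SIDs 17340 and 17342 are taken from the post, 9000001 is made up), and the rsync port 873 and the address 192.0.2.10 are constructed values. Relative modifiers such as `distance`, `flow` state and `$HOME_NET`/`$EXTERNAL_NET` resolution are deliberately ignored in this model.

```python
import re

# Constructed sample rules modelled on the SIDs quoted in the post. The content
# literals are placeholders; the real shellcode patterns were redacted.
SAMPLE_RULES = r'''
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder"; content:"PLACEHOLDER-PATTERN-A"; fast_pattern:only; classtype:shellcode-detect; sid:17340; rev:3;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode mixed case decoder"; content:"|50 4C|ACEHOLDER-B"; classtype:shellcode-detect; sid:17342; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED web-only pattern"; flow:to_server,established; content:"PLACEHOLDER-PATTERN-C"; sid:9000001; rev:1;)
'''

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
# name[:value]; where value is either a quoted string (quotes/escapes respected) or bare text
OPT_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def decode_content(literal):
    """Turn a Snort content string (outer quotes already stripped) into the
    bytes the engine searches for: |..| blocks are hex, backslash escapes
    are unescaped. Negated content (content:!"...") is not modelled."""
    out = bytearray()
    for i, part in enumerate(literal.split('|')):
        if i % 2 == 1:
            out += bytes.fromhex(part)          # fromhex tolerates spaces between byte pairs
        else:
            out += re.sub(r'\\(.)', r'\1', part).encode('latin-1')
    return bytes(out)


def parse_rule(line):
    """Parse one rule line into header fields plus msg/sid/flow/contents."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    rule = {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dst': dst, 'dport': dport, 'msg': '', 'sid': None,
            'flow': None, 'contents': []}
    for name, value in OPT_RE.findall(body):
        value = value.strip()
        if name == 'content':
            rule['contents'].append(decode_content(value[1:-1]))
        elif name == 'msg':
            rule['msg'] = value[1:-1]
        elif name == 'sid':
            rule['sid'] = int(value)
        elif name == 'flow':
            rule['flow'] = value
    return rule


def load_rules(text):
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def would_fire(rule, payload, proto, dport):
    """Simplified detection model: the header must admit the traffic and every
    content literal must occur somewhere in the payload. Relative modifiers
    (distance/within), flow state and network variables are ignored."""
    if rule['proto'] not in ('ip', proto):
        return False
    if rule['dport'] != 'any' and rule['dport'] != str(dport):
        return False
    return bool(rule['contents']) and all(c in payload for c in rule['contents'])


def firing_sids(rules, payload, proto, dport):
    return sorted(r['sid'] for r in rules if would_fire(r, payload, proto, dport))


def suppress_entries(sids, backup_src_ip, gen_id=1):
    """threshold.conf suppress lines, scoped to the one host that legitimately
    ships rule files, rather than disabling the rules globally."""
    return [f"suppress gen_id {gen_id}, sig_id {sid}, track by_src, ip {backup_src_ip}"
            for sid in sids]


if __name__ == '__main__':
    rules = load_rules(SAMPLE_RULES)
    # The rule file itself is the payload, as it would appear in a backup copy (constructed: rsync over tcp/873).
    sids = firing_sids(rules, SAMPLE_RULES.encode(), 'tcp', 873)
    print('SIDs matching their own rule file in transit:', sids)
    for line in suppress_entries(sids, '192.0.2.10'):   # constructed address of the Snort host
        print(line)
```

Only SID 17340 matches: 17342 is written with a hex-escaped content whose decoded bytes are not present in the file text, and 9000001 is excluded by its port 80 header. The suppress lines are keyed on `track by_src` with the sending host's address, so the same signatures keep firing for any other source.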