Snort mailing list archives

Re: Fwd: Snort catching backup as alert?


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Mon, 19 Aug 2013 10:49:13 -0600

Hi,

Not necessarily, since what it's looking for in a rule can be based on other context, position in the packet, source 
and destination, etc...

This is pretty common... I have rules that fire on these kinds of things sometimes.  Use threshold.conf to quiet them 
down (if you can without opening yourself up to attack.)

From: William Rehnquyst [mailto:rehnquyst () gmail com]
Sent: Monday, August 19, 2013 8:32 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Fwd: Snort catching backup as alert?

Hi,

The other day my Snort alerted that it had detected shellcode, and the payload information looks just like a snort 
rule. It seems to be going from my snort server to the backup server. Does that just mean while backup is happening, 
Snort is detecting shellcode it's looking for in the rule file itself?
I would think if that's the case then every single rule in the rule file would be triggered, because everything it's 
looking for is in there and it's being transmitted. Were these shellcode detections just a fluke then?

Below is the payload it captured, which triggered the alert:

"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder"; content:"redacted because it'd just get picked 
up by sourcefire IDS as malware"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, 
policy security-ips drop; classtype:shellcode-detect; sid:17340; rev:3;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha UTF8 tolower avoidance 
decoder"; content:"redacted"; content:"redacted because it'd just get picked up by sourcefire IDS as malware"; 
distance:1; content:"redacted"; distance:1; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy 
security-ips drop; classtype:shellcode-detect; sid:17341; rev:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode mixed case decoder"; 
content:"redacted"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; 
classtype:shellcode-detect; sid:17342; rev:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode upper case decoder"; 
content:"redacted"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; 
classtype:shellcode-detect; sid:17343; rev:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic xor

Many thanks,

Rehn

ps. On a side note, pardon my newbie-ness, how do screenshots and attachments work on a mailing list like this? I'm 
not sure whether they work or not because I never see them in the archive on seclists.org?
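The two points in Shawn's reply (a rule's content match depends on more than the bytes being present somewhere, and the header's source and destination variables decide whether the traffic is considered at all) can be shown with a short Python emulation. This is an added example, not code from the thread or from the Snort project, and it models only the pieces of Snort matching needed here. The rule header and msg for sid 17340 are taken from the post, but its content string was redacted there, so the content patterns, the other two sids, the HOME_NET range and the sensor/backup addresses are all constructed placeholders. It shows why a rule file carried in a backup stream matches only some of the rules that describe it: a content written as plain ASCII is present verbatim in the file, while one written in |hex| notation is stored as the characters of the hex, not the bytes, and so does not match itself. It also builds the narrowly scoped threshold.conf suppress entry Shawn suggests, tied to the sensor's address rather than disabling the rule.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed stand-in rules: the real content strings in the post were redacted,
# so these patterns are placeholders chosen only to show the matching behaviour.
# sid 17340 keeps its header/msg from the post; the other two sids are made up.
RULES = [
    'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic '
    'alpha numeric upper case decoder"; content:"AAAABBBBCCCC"; fast_pattern:only; '
    'classtype:shellcode-detect; sid:17340; rev:3;)',
    'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED hex-only content"; '
    'content:"|DE AD BE EF|"; classtype:shellcode-detect; sid:9000001; rev:1;)',
    'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED mixed text and hex"; '
    'content:"ABC|00|DEF"; classtype:shellcode-detect; sid:9000002; rev:1;)',
]

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\(')
CONTENT_RE = re.compile(r'content:"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid:(\d+);')


def decode_content(spec: str) -> bytes:
    """Turn a Snort content string into the bytes Snort searches for:
    text outside |...| is literal, text inside |...| is hex, backslash escapes one char."""
    out = bytearray()
    i = 0
    while i < len(spec):
        c = spec[i]
        if c == '|':
            end = spec.index('|', i + 1)
            out += bytes.fromhex(spec[i + 1:end])
            i = end + 1
        elif c == '\\':
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def rule_sid(rule: str) -> int:
    return int(SID_RE.search(rule).group(1))


def contents_match(rule: str, payload: bytes) -> bool:
    """Simplified content check: every content pattern must occur somewhere in the
    payload. Real Snort also enforces distance/within/offset/depth, the 'position in
    the packet' context the reply mentions; that is deliberately left out here."""
    return all(decode_content(m) in payload for m in CONTENT_RE.findall(rule))


def self_matching_sids(rules, payload: bytes):
    """Which rules would fire on a payload consisting of the rule file itself."""
    return [rule_sid(r) for r in rules if contents_match(r, payload)]


def header_matches(rule: str, src: str, dst: str, home_net, external_is_not_home: bool) -> bool:
    """Evaluate an $EXTERNAL_NET/$HOME_NET/any header against one IP pair.
    home_net is a list of CIDR strings; EXTERNAL_NET is treated as 'any'
    (Snort's shipped default) or as !$HOME_NET depending on external_is_not_home."""
    nets = [ip_network(n) for n in home_net]
    _, _, src_var, _, dst_var, _ = HEADER_RE.match(rule).groups()

    def in_home(ip: str) -> bool:
        return any(ip_address(ip) in net for net in nets)

    def var_ok(var: str, ip: str) -> bool:
        if var == 'any':
            return True
        if var == '$HOME_NET':
            return in_home(ip)
        if var == '$EXTERNAL_NET':
            return (not in_home(ip)) if external_is_not_home else True
        raise ValueError(f"unsupported address variable {var}")

    return var_ok(src_var, src) and var_ok(dst_var, dst)


def suppress_entry(sid: int, src_ip: str, gid: int = 1) -> str:
    """threshold.conf suppress line scoped to one source host, so the rule stays
    active for every other source (the narrow alternative to disabling it)."""
    ip_address(src_ip)  # raises on a malformed address
    return f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src_ip}"


if __name__ == "__main__":
    rule_file = "\n".join(RULES).encode()  # what a backup of the rules directory carries on the wire
    print("rules that match their own rule file:", self_matching_sids(RULES, rule_file))
    home = ["10.0.0.0/8"]  # constructed HOME_NET
    # constructed addresses: Snort sensor 10.0.0.5 -> backup server 10.0.0.9
    print("header ok with EXTERNAL_NET any:",
          header_matches(RULES[0], "10.0.0.5", "10.0.0.9", home, external_is_not_home=False))
    print("header ok with EXTERNAL_NET !$HOME_NET:",
          header_matches(RULES[0], "10.0.0.5", "10.0.0.9", home, external_is_not_home=True))
    print(suppress_entry(17340, "10.0.0.5"))
```

Only sid 17340 matches its own rule file, because its pattern is plain ASCII. The shipped snort.conf sets EXTERNAL_NET to any, which is why an internal sensor-to-backup flow can satisfy an $EXTERNAL_NET -> $HOME_NET header; the second header check shows that the common !$HOME_NET setting would exclude that flow. The generated suppress line goes into the threshold.conf that snort.conf includes and affects only events whose source is the sensor's address.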
