Snort mailing list archives
Re: Fwd: Snort catching backup as alert?
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Mon, 19 Aug 2013 10:49:13 -0600
Hi,

Not necessarily, since what it's looking for in a rule can be based on other context, position in the packet, source and destination, etc... This is pretty common... I have rules that fire on these kinds of things sometimes. Use threshold.conf to quiet them down (if you can without opening yourself up to attack.)

From: William Rehnquyst [mailto:rehnquyst () gmail com]
Sent: Monday, August 19, 2013 8:32 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Fwd: Snort catching backup as alert?

Hi,

The other day my Snort alerted that it had detected shellcode, and the payload information looks just like a Snort rule. It seems to be going from my Snort server to the backup server. Does that just mean while backup is happening, Snort is detecting shellcode it's looking for in the rule file itself? I would think if that's the case then every single rule in the rule file would be triggered, because everything it's looking for is in there and it's being transmitted. Were these shellcode detections just a fluke then?
Below is the payload it captured, which triggered the alert:

"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder"; content:"redacted because it'd just get picked up by sourcefire IDS as malware"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:17340; rev:3;)
[2 non-ASCII characters]
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha UTF8 tolower avoidance decoder"; content:"redacted"; content:"redacted because it'd just get picked up by sourcefire IDS as malware"; distance:1; content:"redacted"; distance:1; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:17341; rev:2;)
[2 non-ASCII characters]
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode mixed case decoder"; content:"redacted"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:17342; rev:2;)
[2 non-ASCII characters]
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode upper case decoder"; content:"redacted"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:17343; rev:2;)
[2 non-ASCII characters]
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic xor

Many thanks,
Rehn

ps. On a side note, pardon my newbie-ness, how do screenshots and attachments work on a mailing list like this? I'm not sure whether they work or not because I never see them in the archive on seclists.org?
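An added example of the threshold.conf approach the reply suggests; this is not from the thread or from the Snort project's own configuration, and the two addresses are placeholders (192.0.2.10 stands for the host being backed up, 192.0.2.20 for the backup server). The SIDs are the four the poster listed. In Snort 2.9, `suppress` drops the alert entirely for the tracked address, while `event_filter` keeps the alert but limits how often it is generated; both only take effect if snort.conf still has its default `include threshold.conf` line.

```conf
# Added example, not from the original post. Placeholder addresses:
#   192.0.2.10 = Snort host whose rule files are being backed up (alert source)
#   192.0.2.20 = backup server (alert destination)
# gen_id 1 is the text-rule generator; sig_id is the rule's sid.

# Option 1: silence the four decoder SIDs only when the source is the
# backed-up host. Anything else sending the same bytes still alerts.
suppress gen_id 1, sig_id 17340, track by_src, ip 192.0.2.10
suppress gen_id 1, sig_id 17341, track by_src, ip 192.0.2.10
suppress gen_id 1, sig_id 17342, track by_src, ip 192.0.2.10
suppress gen_id 1, sig_id 17343, track by_src, ip 192.0.2.10

# Option 2: the same idea keyed on the destination instead, so the alert is
# dropped only for traffic bound for the backup server.
suppress gen_id 1, sig_id 17340, track by_dst, ip 192.0.2.20

# Option 3: keep the alert but rate-limit it to one per source address per
# ten minutes, so a real hit from the backed-up host is not lost entirely.
event_filter gen_id 1, sig_id 17340, type limit, track by_src, count 1, seconds 600
```

A suppress entry tracks one side of the conversation only, which is the "opening yourself up to attack" trade-off: Option 1 also hides a genuine shellcode stream leaving 192.0.2.10 for any destination. If the backup runs over a fixed port, a `pass` rule in a rules file that names both addresses and that port is the narrower choice, at the cost of bypassing every rule for that flow rather than just these four. Also worth checking before tuning: a content match written as plain ASCII appears verbatim in the rule file on the wire, whereas one written in |hex| notation does not, which is why a backup of the rules directory trips some shellcode rules and not all of them.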
Current thread:
- Fwd: Snort catching backup as alert? William Rehnquyst (Aug 19)
- Re: Fwd: Snort catching backup as alert? Jefferson, Shawn (Aug 19)
- Re: Fwd: Snort catching backup as alert? waldo kitty (Aug 19)
- Re: Fwd: Snort catching backup as alert? William Rehnquyst (Aug 22)
- Re: Fwd: Snort catching backup as alert? waldo kitty (Aug 22)
- Re: Fwd: Snort catching backup as alert? William Rehnquyst (Aug 22)
- Re: Fwd: Snort catching backup as alert? Alexandre Carmel-Veilleux (Aug 24)
- Re: Fwd: Snort catching backup as alert? waldo kitty (Aug 24)
- Re: Fwd: Snort catching backup as alert? Joel Esler (Aug 25)
- Re: Fwd: Snort catching backup as alert? waldo kitty (Aug 24)