Snort mailing list archives
Re: Question regarding a rule
From: Charlie Egan <chas5873 () gmail com>
Date: Tue, 24 Jun 2014 21:07:49 +0100
Not too sure what the .fast file is? Even done a quick google. Guessing you mean my alert file?

[**] [1:1100011:1] P2P torrent metafile download [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
06/24-22:43:59.174270 192.168.208.51:3128 -> 192.168.207.185:37584
TCP TTL:63 TOS:0x0 ID:39079 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xF60A226F  Ack: 0xF2C41B1  Win: 0x7C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3915998760 26685091

[**] [1:1100011:1] P2P torrent metafile download [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
06/24-22:43:59.174281 192.168.208.51:3128 -> 192.168.207.185:37584
TCP TTL:63 TOS:0x0 ID:39083 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xF60A3817  Ack: 0xF2C41B1  Win: 0x7C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3915998761 26685092

[**] [1:1100011:1] P2P torrent metafile download [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
06/24-22:43:59.174283 192.168.208.51:3128 -> 192.168.207.185:37584
TCP TTL:63 TOS:0x0 ID:39084 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xF60A3DBF  Ack: 0xF2C41B1  Win: 0x7C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3915998761 26685092

[**] [1:1100011:1] P2P torrent metafile download [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
06/24-22:44:01.179448 192.168.208.51:3128 -> 192.168.207.185:37588
TCP TTL:63 TOS:0x0 ID:37744 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xF5A707E5  Ack: 0xF5302A35  Win: 0x7C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3916000766 26687097

[**] [1:1100011:1] P2P torrent metafile download [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
06/24-22:44:01.179791 192.168.208.51:3128 -> 192.168.207.185:37588
TCP TTL:63 TOS:0x0 ID:37748 IpLen:20 DgmLen:1252 DF
***AP*** Seq: 0xF5A71DB7  Ack: 0xF5302A35  Win: 0x7C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3916000766 26687097

Sorry if I've posted the wrong thing - if it is, could you tell me the directory of the .fast file? Had a look around and couldn't see anything.

Cheers!

On Tue, Jun 24, 2014 at 9:00 PM, James Lay <jlay () slave-tothe-box net> wrote:

On 2014-06-24 13:01, Charlie Egan wrote:

By killall -HUP I'm guessing that's just a command to kill the Snort process? I've been using the command "service snort reload" in between modifying rules; it's definitely detected the changes to the rule. 25 alerts have been coming through within the space of about 4 seconds and that's it, there's no more after that - this happens about 3 minutes-ish after I've downloaded a torrent file onto my desktop. Apologies if I've got any of the above wrong about the killall -HUP, I'm still a beginner with Snort so have a lot of learning to be done!

Cheers

On Tue, Jun 24, 2014 at 7:03 PM, James Lay <jlay () slave-tothe-box net> wrote:

On 2014-06-24 12:00, Charlie Egan wrote:

Cheers for both of your replies. I tried adding the to_server bit, funnily enough, just before you wrote that email; still no luck unfortunately. I've tried adding the detection filter on as well, still no luck with that either! The alerts are still piling through a few minutes after, over the period of about three seconds. As well as the time delay, I'm confused as to why there are so many alerts. Apologies, didn't mean to email you back directly James.

Cheers

On Tue, Jun 24, 2014 at 6:39 PM, James Lay <jlay () slave-tothe-box net> wrote:

On 2014-06-24 11:26, Y M wrote:

Ok, GUI is out of the way. I am just guessing here, but since there is no flow direction in the rule, only "established" without a flow direction (to_server, from_client, etc...), Snort will alert after it flushes the TCP sessions. I am almost sure that I read this somewhere. If you use, for example, to_server, Snort would alert as soon as the content matches and knows that it was you (the client) who established/initiated the connection (through stream5) and alert based on that. However, I stand corrected on all of the above. If you add the flow direction to your rule, does that change the alerting behavior?

-------------------------
Date: Tue, 24 Jun 2014 18:09:05 +0100
Subject: Re: [Snort-sigs] Question regarding a rule
From: chas5873 () gmail com
To: snort () outlook com
CC: snort-sigs () lists sourceforge net

Cheers for the reply mate. I'm not using a GUI, just running it through a terminal. It's the only rule which it's happening with so far, confusing me to say the least!

On Tue, Jun 24, 2014 at 6:06 PM, Y M <snort () outlook com> wrote:

Are you using a GUI or just running in console mode to view the alerts? "Usually", in a GUI scenario, alerts are cached and depending on refresh rates the alerts will show up. Does this happen only for this rule or others as well?

-------------------------
Date: Tue, 24 Jun 2014 17:17:09 +0100
From: chas5873 () gmail com
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Question regarding a rule

Hi guys,

I'm having a bit of trouble with a rule that I'm playing around with to detect torrent usage.

alert tcp any any -> any any (msg:"P2P torrent metafile download"; content:"|38 64 61|"; flow:established; classtype:policy-violation; sid:1000001; rev:1;)

After examining the hex dumps from multiple torrents, I noticed that they all begin with 38 64 61, so that's where I managed to get that content from. When I run Snort and download the torrent though, it doesn't alert me straight away, however gives me about 20 alerts about 3-4 minutes later. Does anyone have any idea what could be causing this?

Cheers,
Charlie

Also try detection_filtering your sid for testing:

alert tcp any any -> any any (msg:"P2P torrent metafile download"; content:"|38 64 61|"; flow:established; classtype:policy-violation; detection_filter: track by_dst, count 1, seconds 60; sid:1000001; rev:1;)

Ok...can you post about 5 of these from your .fast file? Make sure to obfuscate anything sensitive that you don't want the world to see :D

James
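To make sense of a burst like the one pasted above, here is an added example (mine, not from the thread or from the Snort project) that parses Snort full-format alert records even after a mail client has run them onto one line, then groups them by rule and TCP session: the five alerts fall into two sessions from 192.168.208.51:3128, each cluster spanning well under a millisecond, which is consistent with the stream-flush behaviour Y M describes rather than with matches raised as the file arrived. The year 2014 is assumed for the timestamps, which Snort's alert format omits.

```python
import re
from collections import defaultdict
from datetime import datetime

# Five alert records from the post above (Snort "full" alert format, run together onto one
# line by the mail client); trailing Seq/Ack/option fields trimmed. Constructed sample input.
SAMPLE_ALERTS = (
    "[**] [1:1100011:1] P2P torrent metafile download [**] [Classification: Potential Corporate Privacy Violation] "
    "[Priority: 1] 06/24-22:43:59.174270 192.168.208.51:3128 -> 192.168.207.185:37584 TCP TTL:63 TOS:0x0 ID:39079 IpLen:20 DgmLen:1500 DF "
    "[**] [1:1100011:1] P2P torrent metafile download [**] [Classification: Potential Corporate Privacy Violation] "
    "[Priority: 1] 06/24-22:43:59.174281 192.168.208.51:3128 -> 192.168.207.185:37584 TCP TTL:63 TOS:0x0 ID:39083 IpLen:20 DgmLen:1500 DF "
    "[**] [1:1100011:1] P2P torrent metafile download [**] [Classification: Potential Corporate Privacy Violation] "
    "[Priority: 1] 06/24-22:43:59.174283 192.168.208.51:3128 -> 192.168.207.185:37584 TCP TTL:63 TOS:0x0 ID:39084 IpLen:20 DgmLen:1500 DF "
    "[**] [1:1100011:1] P2P torrent metafile download [**] [Classification: Potential Corporate Privacy Violation] "
    "[Priority: 1] 06/24-22:44:01.179448 192.168.208.51:3128 -> 192.168.207.185:37588 TCP TTL:63 TOS:0x0 ID:37744 IpLen:20 DgmLen:1500 DF "
    "[**] [1:1100011:1] P2P torrent metafile download [**] [Classification: Potential Corporate Privacy Violation] "
    "[Priority: 1] 06/24-22:44:01.179791 192.168.208.51:3128 -> 192.168.207.185:37588 TCP TTL:63 TOS:0x0 ID:37748 IpLen:20 DgmLen:1252 DF"
)

# One record: "[**] [gid:sid:rev] msg [**] ... MM/DD-HH:MM:SS.uuuuuu src:sport -> dst:dport PROTO ... DgmLen:n"
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6}) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+).*?DgmLen:(?P<len>\d+)",
    re.S,
)

def parse_alerts(text, year=2014):
    """Return one dict per alert record; the year is supplied because Snort's timestamp omits it."""
    recs = []
    for m in ALERT_RE.finditer(text):
        rec = m.groupdict()
        rec["time"] = datetime.strptime(f"{year}/{rec['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        rec["len"] = int(rec["len"])
        recs.append(rec)
    return recs

def bursts_by_session(recs):
    """Group alerts by (sid, 5-tuple) and measure how tightly each group is clustered in time."""
    groups = defaultdict(list)
    for r in recs:
        groups[(r["sid"], r["proto"], r["src"], r["sport"], r["dst"], r["dport"])].append(r)
    return {
        key: {
            "count": len(g),
            "span_s": (max(x["time"] for x in g) - min(x["time"] for x in g)).total_seconds(),
            "bytes": sum(x["len"] for x in g),
        }
        for key, g in groups.items()
    }

if __name__ == "__main__":
    print(bursts_by_session(parse_alerts(SAMPLE_ALERTS)))
```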