Re: Question regarding a rule

[Charlie Egan <chas5873 () gmail com>]

Not too sure what the .fast file is? Even done a quick google.

Guessing you mean my alert file?

[**] [1:1100011:1] P2P torrent metafile download [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
06/24-22:43:59.174270 192.168.208.51:3128 -> 192.168.207.185:37584
TCP TTL:63 TOS:0x0 ID:39079 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xF60A226F  Ack: 0xF2C41B1  Win: 0x7C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3915998760 26685091

[**] [1:1100011:1] P2P torrent metafile download [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
06/24-22:43:59.174281 192.168.208.51:3128 -> 192.168.207.185:37584
TCP TTL:63 TOS:0x0 ID:39083 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xF60A3817  Ack: 0xF2C41B1  Win: 0x7C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3915998761 26685092

[**] [1:1100011:1] P2P torrent metafile download [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
06/24-22:43:59.174283 192.168.208.51:3128 -> 192.168.207.185:37584
TCP TTL:63 TOS:0x0 ID:39084 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xF60A3DBF  Ack: 0xF2C41B1  Win: 0x7C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3915998761 26685092

[**] [1:1100011:1] P2P torrent metafile download [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
06/24-22:44:01.179448 192.168.208.51:3128 -> 192.168.207.185:37588
TCP TTL:63 TOS:0x0 ID:37744 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xF5A707E5  Ack: 0xF5302A35  Win: 0x7C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3916000766 26687097

[**] [1:1100011:1] P2P torrent metafile download [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
06/24-22:44:01.179791 192.168.208.51:3128 -> 192.168.207.185:37588
TCP TTL:63 TOS:0x0 ID:37748 IpLen:20 DgmLen:1252 DF
***AP*** Seq: 0xF5A71DB7  Ack: 0xF5302A35  Win: 0x7C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3916000766 26687097

Sorry if I've posted the wrong thing - if it is, could you tell me the
directory of the .fast file? Had a look around and couldn't see anything.

Cheers!


On Tue, Jun 24, 2014 at 9:00 PM, James Lay <jlay () slave-tothe-box net> wrote:

> On 2014-06-24 13:01, Charlie Egan wrote:
>
> > By killall -HUP Im guessing thats just a command to kill the Snort
> > process? Ive been using the command service snort reload in between
> > modifying rules, its definitely detected the changes to the rule.
> >
> >
> > 25 alerts have been coming through within the space of about 4 seconds
> > and thats it, theres no more after that - this happens about 3 minutes
> > ish after Ive downloaded a torrent file onto my desktop.
> >
> > Apologies if Ive got any of the above wrong about the killall -HUP, Im
> >
> > still a beginner with Snort so have a lot of learning to be done!
> >
> > Cheers
> >
> >  On Tue, Jun 24, 2014 at 7:03 PM, James Lay <jlay () slave-tothe-box net
> > [13]> wrote:
> >
> >  On 2014-06-24 12:00, Charlie Egan wrote:
> > > > Cheers for both of your replies. I tried adding the to_server bit
> > > > funnily enough just before you wrote that email, still no luck
> > > > unfortunately.
> > > >
> > > > Ive tried adding the detection filter on as well, still no luck
> > > with
> > > > that either! The alerts are still piling through a few minutes
> > > after,
> > > > over the period of about three seconds. As well as the time
> > > delay, Im
> > > > confused as to why there are so many alerts. Apologies, didnt
> > > mean to
> > >
> > >  email you back directly James.
> > > > Cheers
> > >
> > >  On Tue, Jun 24, 2014 at 6:39 PM, James Lay
> > > >
> > > <jlay () slave-tothe-box net [1]
> > >
> > >
> > >  [12]> wrote:
> > > > > On 2014-06-24 11:26, Y M wrote:
> > > > > > Ok, GUI is out of the way.
> > > > > >
> > > > > > I am just guessing here, but since there is no flow direction
> > > in
> > > > > the
> > > > > > rule; only "established" without a flow direction (to_server,
> > > > > > from_client, etc...) Snort will alert after it flushes the tcp
> > > > > > sessions, I am almost sure that I read this somewhere. If you
> > > > > use,
> > > > > > for
> > > > > > example, to_server, Snort would alert as soon as the content
> > > > > matches
> > > > > > and knows that it was you (the client) who
> > > established/initiated
> > > > > the
> > > > > > connection (through stream5) and alert based on that. However,
> > > I
> > > > > > stand
> > > > > > corrected on all of the above.
> > > > > >
> > > > > > If you add the flow direction to your rule, does that change
> > > the
> > > > > > alerting behavior?
> > > > > >
> > > > > > -------------------------
> > > > >
> > > > > > Date: Tue, 24 Jun 2014 18:09:05 +0100
> > > > > > Subject: Re: [Snort-sigs] Question regarding a rule
> > > > > > From: chas5873 () gmail com [2] [1]
> > > > > > To: snort () outlook com [3] [2]
> > > > > > CC: snort-sigs () lists sourceforge net [4] [3]
> > >
> > >
> > >  >
> > > > > > > Cheers for the reply mate.
> > > > > >
> > > > > > Im not using a GUI, just running it in through a terminal. Its
> > > > > the
> > > > > > only rule which its happening with so far, confusing me to say
> > > > > the
> > > > > > least!
> > > > >
> > > > > > On Tue, Jun 24, 2014 at 6:06 PM, Y M <snort () outlook com [5] [4]
> > >
> > > [8]>
> > >
> > >  wrote:
> > > > > > > Are you using a GUI or just running in console mode to view
> > > the
> > > > > > > alerts? "Usually", in a GUI scenario, alerts are cached and
> > > > > > > depending in refresh rates the alerts will show up. Does this
> > > > > happen
> > > > > > > only for this rule or others as well?
> > > > > > >
> > > > > > > -------------------------
> > > > >
> > > > > > > Date: Tue, 24 Jun 2014 17:17:09 +0100
> > > > > > > From: chas5873 () gmail com [6] [5] [1]
> > > > > > > To: snort-sigs () lists sourceforge net [7] [6] [2]
> > >
> > >
> > >
> > > > >  >>>> Subject: [Snort-sigs] Question regarding a rule
> > > > > > > Hi guys,
> > > > > > >
> > > > > > > Im having a bit of trouble with a rule that Im playing around
> > >
> > >  with
> > > > > > > > to detect torrent usage.
> > > > > > >
> > > > > > > alert tcp any any -> any any (msg: "P2P torrent metafile
> > > > > download";
> > > > > > > content:"|38 64 61|"; flow:established;
> > > > > classtype:policy-violation;
> > > > > > > sid:1000001; rev:1;)
> > > > > > >
> > > > > > > After examining the hex dumps from multiple torrents, I
> > > noticed
> > > > > that
> > > > > > > they all begin with 38 64 61, so thats where I managed to get
> > > > > that
> > > > > > > content from.
> > > > > > >
> > > > > > > When I run Snort and download the torrent though, it doesnt
> > >
> > >  alert
> > > > > > > > me straight away, however gives me about 20 alerts about 3 -
> > > 4
> > > > > > > minutes later.
> > > > > > >
> > > > > > > Does anyone have any idea what could be causing this?
> > > > > > >
> > > > > > > Cheers,
> > > > > > >
> > > > > > > Charlie
> > > > >
> > > > > Also try detection_filtering your sid for testing:
> > > > >
> > > > > alert tcp any any -> any any (msg:"P2P torrent metafile
> > > download";
> > > > > content:"|38 64 61|"; flow:established;
> > > classtype:policy-violation;
> > > > > detection_filter: track by_dst, count 1, seconds 60;
> > > sid:1000001;
> > > > > rev:1;)
> Ok...can you post about 5 of these from your .fast file?  Make sure to
> obfuscate anything sensitive that you don't want the world to see :D
>
> James
------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!