Re: Question regarding a rule

[rmkml <rmkml () yahoo fr>]

Hi Charlie and YM and James,

Well I'm not followed all your exchange,

but your sig not limit content begin...

alert tcp any any -> any any (msg: "P2P torrent metafile download"; content:"|38 64 61|"; flow:established; 
classtype:policy-violation; sid:1000001; rev:1;)

Please test with:

alert tcp any any -> any any (msg: "P2P torrent metafile download"; content:"|38 64 61|"; depth:3; offset:0; 
flow:established; classtype:policy-violation; sid:1000001; rev:2;)

Another check if adding "to_client" option like this:

alert tcp any any -> any any (msg: "P2P torrent metafile download"; content:"|38 64 61|"; depth:3; offset:0; 
flow:established,to_client; classtype:policy-violation; sid:1000001; rev:3;)

Don't remember if you need or not disabling cksum verification: "-k none"

Regards
@Rmkml


On Tue, 24 Jun 2014, Charlie Egan wrote:

> Nope none whatsoever other than specifying my $HOME_NET ip. I assumed they may be false positives, but I'm only downloading 
> one torrent file to my desktop when I run the test, so it doesn't make sense to me why 25 odd
> alerts are popping up. The content of the rule is at the beginning of the hex dump of the metafile, and |38 64 61| certainly 
> doesn't pop up again within the file.
> Do you have any idea what could be causing false positives?
>
> Cheers
>
>
> On Tue, Jun 24, 2014 at 9:25 PM, Y M <snort () outlook com> wrote:
>       > I'm confused as to why there are so many alerts.
> These could be false positives. Have you made any major changes to your snort.conf file?
>
> ____________________________________________________________________________________________________________________________________________________________________________________________________________________________
> Date: Tue, 24 Jun 2014 19:00:24 +0100
> From: chas5873 () gmail com
> To: jlay () slave-tothe-box net
> CC: snort-sigs () lists sourceforge net
> Subject: Re: [Snort-sigs] Question regarding a rule
>
> Cheers for both of your replies. I tried adding the to_server bit funnily enough just before you wrote that email, 
> still no luck unfortunately.
>
> I've tried adding the detection filter on as well, still no luck with that either! The alerts are still piling through a few 
> minutes after, over the period of about three seconds. As well as the time delay, I'm
> confused as to why there are so many alerts. Apologies, didn't mean to email you back directly James.
>
> Cheers[cleardot.gif]
>
>
> On Tue, Jun 24, 2014 at 6:39 PM, James Lay <jlay () slave-tothe-box net> wrote:
>       On 2014-06-24 11:26, Y M wrote:
>       > Ok, GUI is out of the way.
>       >
>       > I am just guessing here, but since there is no flow direction in the
>       > rule; only "established" without a flow direction (to_server,
>       > from_client, etc...) Snort will alert after it flushes the tcp
>       > sessions, I am almost sure that I read this somewhere. If you use,
>       > for
>       > example, to_server, Snort would alert as soon as the content matches
>       > and knows that it was you (the client) who established/initiated the
>       > connection (through stream5) and alert based on that. However, I
>       > stand
>       > corrected on all of the above.
>       >
>       > If you add the flow direction to your rule, does that change the
>       > alerting behavior?
>       >
> > -------------------------
> > Date: Tue, 24 Jun 2014 18:09:05 +0100
> > Subject: Re: [Snort-sigs] Question regarding a rule
> > From: chas5873 () gmail com
> > To: snort () outlook com
> > CC: snort-sigs () lists sourceforge net
> >
> > Cheers for the reply mate.
> >
> > I'm not using a GUI, just running it in through a terminal. It's the
> > only rule which it's happening with so far, confusing me to say the
> > least!
> >
> > On Tue, Jun 24, 2014 at 6:06 PM, Y M <snort () outlook com [8]> wrote:
> >
> >> Are you using a GUI or just running in console mode to view the
> >> alerts? "Usually", in a GUI scenario, alerts are cached and
> >> depending in refresh rates the alerts will show up. Does this happen
> >> only for this rule or others as well?
> >>
> >> -------------------------
> >> Date: Tue, 24 Jun 2014 17:17:09 +0100
> >> From: chas5873 () gmail com [1]
> >> To: snort-sigs () lists sourceforge net [2]
> >> Subject: [Snort-sigs] Question regarding a rule
> >>
> >> Hi guys,
> >>
> >> I'm having a bit of trouble with a rule that I'm playing around with
> >> to detect torrent usage.
> >>
> >> alert tcp any any -> any any (msg: "P2P torrent metafile download";
> >> content:"|38 64 61|"; flow:established; classtype:policy-violation;
> >> sid:1000001; rev:1;)
> >>
> >> After examining the hex dumps from multiple torrents, I noticed that
> >> they all begin with 38 64 61, so that's where I managed to get that
> >> content from.
> >>
> >> When I run Snort and download the torrent though, it doesn't alert
> >> me straight away, however gives me about 20 alerts about 3 - 4
> >> minutes later.
> >>
> >> Does anyone have any idea what could be causing this?
> >>
> >> Cheers,
> >>
> >> Charlie
> >>
> >>
>
> Also try detection_filtering your sid for testing:
>
> alert tcp any any -> any any (msg:"P2P torrent metafile download";
> content:"|38 64 61|"; flow:established; classtype:policy-violation;
> detection_filter: track by_dst, count 1, seconds 60; sid:1000001;
> rev:1;)
>
> I've seen cases where if too many alerts fire on the same content they
> won't all show up at the same time.
>
> James
------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!