Snort mailing list archives
Re: Question regarding a rule
From: Charlie Egan <chas5873 () gmail com>
Date: Thu, 26 Jun 2014 15:27:00 +0100
That's confusing to me, James, since when I take a hex dump of the .torrent file, this is my output: http://i60.tinypic.com/20usdpu.png

38 64 61 are the first bytes that appear, and I've checked the hex dump for multiple torrent files and it seems to be consistent for all of them. Should I be putting the content section of the rule as |3864 61| instead of |38 64 61|? Unfortunately I can't access my machine with Snort on at the moment, but will give it a try when I get a chance.

Also, could I ask how you got that output from the .pcap file? Sorry, still new to all of this; I appreciate the responses!

Cheers

On Wed, Jun 25, 2014 at 4:34 PM, James Lay <jlay () slave-tothe-box net> wrote:
> On 2014-06-25 06:54, Charlie Egan wrote:
>> Appreciate it James, attached is the pcap file, hopefully that's correct - let me know if there are any issues. Cheers!
>>
>> On Wed, Jun 25, 2014 at 1:24 PM, James Lay <jlay () slave-tothe-box net> wrote:
>>> On Wed, 2014-06-25 at 13:10 +0100, Charlie Egan wrote:
>>>> Hi James, sorry a bit new to all of this - is a pcap file just a saved Wireshark file so you can have a look at all of the packets? Cheers
>>>>
>>>> On Wed, Jun ... James Lay <jlay () slave-tothe-box net> wrote:
>>>>> On Tue, 2014-06-24 at 21:36 +0100, Charlie Egan wrote:
>>>>>> ... other than specifying my $HOME_NET IP. I assumed they may be false positives, but I'm only downloading one torrent file to my desktop when I run the test, so it doesn't make sense to me why 25 odd alerts are popping up. The content of the rule is at the beginning of the hex dump of the metafile, and |38 64 61| certainly doesn't pop up again within the file. Do you have any idea what could be causing false positives? Cheers
>>>>>
>>>>> If you'd like to share a pcap of the file off list I'll take a look at that and tle you're trying.
>>>>>
>>>>> James
>>>
>>> Indeed it is.
>>>
>>> James
>
> This packet capture does not seem to contain "38 64 61" in hex anywhere.
>
> ===============================================================================
> Run time for packet processing was 0.1815 seconds
> Snort processed 38 packets.
> Snort ran for 0 days 0 hours 0 minutes 0 seconds
>   Pkts/sec: 38
> ===============================================================================
> Memory usage summary:
>   Total non-mmapped bytes (arena):       3940352
>   Bytes in mapped regions (hblkhd):      17784832
>   Total allocated space (uordblks):      2336640
>   Total free space (fordblks):           1603712
>   Topmost releasable block (keepcost):   132752
> ===============================================================================
> Packet I/O Totals:
>   Received:    38
>   Analyzed:    38 (100.000%)
>   Dropped:      0 (  0.000%)
>   Filtered:     0 (  0.000%)
>   Outstanding:  0 (  0.000%)
>   Injected:     0
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>   Eth:          39 (100.000%)
>   VLAN:          0 (  0.000%)
>   IP4:          32 ( 82.051%)
>   Frag:          0 (  0.000%)
>   ICMP:          0 (  0.000%)
>   UDP:           1 (  2.564%)
>   TCP:          31 ( 79.487%)
>   IP6:           0 (  0.000%)
>   IP6 Ext:       0 (  0.000%)
>   IP6 Opts:      0 (  0.000%)
>   Frag6:         0 (  0.000%)
>   ICMP6:         0 (  0.000%)
>   UDP6:          0 (  0.000%)
>   TCP6:          0 (  0.000%)
>   Teredo:        0 (  0.000%)
>   ICMP-IP:       0 (  0.000%)
>   EAPOL:         0 (  0.000%)
>   IP4/IP4:       0 (  0.000%)
>   IP4/IP6:       0 (  0.000%)
>   IP6/IP4:       0 (  0.000%)
>   IP6/IP6:       0 (  0.000%)
>   GRE:           0 (  0.000%)
>   GRE Eth:       0 (  0.000%)
>   GRE VLAN:      0 (  0.000%)
>   GRE IP4:       0 (  0.000%)
>   GRE IP6:       0 (  0.000%)
>   GRE IP6 Ext:   0 (  0.000%)
>   GRE PPTP:      0 (  0.000%)
>   GRE ARP:       0 (  0.000%)
>   GRE IPX:       0 (  0.000%)
>   GRE Loop:      0 (  0.000%)
>   MPLS:          0 (  0.000%)
>   ARP:           0 (  0.000%)
>   IPX:           0 (  0.000%)
>   Eth Loop:      0 (  0.000%)
>   Eth Disc:      0 (  0.000%)
>   IP4 Disc:      0 (  0.000%)
>   IP6 Disc:      0 (  0.000%)
>   TCP Disc:      0 (  0.000%)
>   UDP Disc:      0 (  0.000%)
>   ICMP Disc:     0 (  0.000%)
>   All Discard:   0 (  0.000%)
>   Other:         7 ( 17.949%)
>   Bad Chk Sum:   0 (  0.000%)
>   Bad TTL:       0 (  0.000%)
>   S5 G 1:        1 (  2.564%)
>   S5 G 2:        0 (  0.000%)
>   Total:        39
> ===============================================================================
> Action Stats:
>   Alerts:        0 (  0.000%)
>   Logged:        0 (  0.000%)
>   Passed:        0 (  0.000%)
> Limits:
>   Match:         0
>   Queue:         0
>   Log:           0
>   Event:         0
>   Alert:         0
> Verdicts:
>   Allow:        38 (100.000%)
>   Block:         0 (  0.000%)
>   Replace:       0 (  0.000%)
>   Whitelist:     0 (  0.000%)
>   Blacklist:     0 (  0.000%)
>   Ignore:        0 (  0.000%)
> ===============================================================================
> Frag3 statistics:
>   Total Fragments: 0
>   Frags Reassembled: 0
>   Discards: 0
>   Memory Faults: 0
>   Timeouts: 0
>   Overlaps: 0
>   Anomalies: 0
>   Alerts: 0
>   Drops: 0
>   FragTrackers Added: 0
>   FragTrackers Dumped: 0
>   FragTrackers Auto Freed: 0
>   Frag Nodes Inserted: 0
>   Frag Nodes Deleted: 0
> ===============================================================================
> Stream5 statistics:
>   Total sessions: 1
>   TCP sessions: 1
>   UDP sessions: 0
>   ICMP sessions: 0
>   IP sessions: 0
>   TCP Prunes: 0
>   UDP Prunes: 0
>   ICMP Prunes: 0
>   IP Prunes: 0
>   TCP StreamTrackers Created: 1
>   TCP StreamTrackers Deleted: 1
>   TCP Timeouts: 0
>   TCP Overlaps: 0
>   TCP Segments Queued: 21
>   TCP Segments Released: 21
>   TCP Rebuilt Packets: 4
>   TCP Segments Used: 21
>   TCP Discards: 0
>   TCP Gaps: 1
>   UDP Sessions Created: 0
>   UDP Sessions Deleted: 0
>   UDP Timeouts: 0
>   UDP Discards: 0
>   Events: 0
>   Internal Events: 0
>   TCP Port Filter
>     Filtered: 0
>     Inspected: 0
>     Tracked: 30
>   UDP Port Filter
>     Filtered: 0
>     Inspected: 1
>     Tracked: 0
> ===============================================================================
> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>   POST methods: 0
>   GET methods: 1
>   HTTP Request Headers extracted: 1
>   HTTP Request Cookies extracted: 1
>   Post parameters extracted: 0
>   HTTP response Headers extracted: 1
>   HTTP Response Cookies extracted: 0
>   Unicode: 0
>   Double unicode: 0
>   Non-ASCII representable: 0
>   Directory traversals: 0
>   Extra slashes ("//"): 0
>   Self-referencing paths ("./"): 0
>   HTTP Response Gzip packets extracted: 0
>   Gzip Compressed Data Processed: n/a
>   Gzip Decompressed Data Processed: n/a
>   Total packets processed: 25
> ===============================================================================
> SMTP Preprocessor Statistics
>   Total sessions: 0
>   Max concurrent sessions: 0
> ===============================================================================
> dcerpc2 Preprocessor Statistics
>   Total sessions: 0
> ===============================================================================
> ===============================================================================
> Reputation Preprocessor Statistics
>   Total Memory Allocated: 2049212
> ===============================================================================
>
> James
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
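An added example, not code from the thread or from Snort: a stdlib-only Python script that does offline what James did with Snort, reading a pcap and searching every TCP payload for the bytes the rule's content match names. The pcap and the HTTP traffic in it are constructed here; the point they illustrate is that |38 64 61| is just the ASCII text "8da", so a three-byte match can fire on any hex-looking string (an ETag in this sample) rather than on the torrent body.

```python
import struct

# What the rule's content match |38 64 61| compares against: the bytes
# 0x38 0x64 0x61, i.e. the ASCII text "8da". bytes.fromhex() ignores the
# spaces, just as Snort's rule parser does between bytes inside the pipes.
RULE_BYTES = bytes.fromhex("38 64 61")

def build_pcap(payloads):
    """Wrap each payload in a minimal Ethernet/IPv4/TCP frame inside a pcap (constructed; checksums zero)."""
    records = []
    for i, payload in enumerate(payloads):
        eth = b"\x00" * 12 + b"\x08\x00"                       # dst, src, EtherType IPv4
        tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1 + i, 1, 0x50, 0x18, 1024, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                         0, 0, 64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
        frame = eth + ip + tcp + payload
        records.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(records)

def tcp_payloads(pcap):
    """Yield (packet_number, payload) for every IPv4/TCP frame in a pcap."""
    off, n = 24, 0                                   # skip the pcap global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off, n = off + 16 + caplen, n + 1
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # not IPv4, or not TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        data_off = (frame[14 + ihl + 12] >> 4) * 4
        yield n, frame[14 + ihl + data_off:14 + total_len]

def find_content(pcap, pattern):
    """Return [(packet_number, offset)] for each occurrence of pattern in a TCP payload."""
    hits = []
    for n, payload in tcp_payloads(pcap):
        i = payload.find(pattern)
        while i != -1:
            hits.append((n, i))
            i = payload.find(pattern, i + 1)
    return hits

# Constructed traffic: a request, then a response whose ETag happens to contain
# "8da" before a bencoded body that opens with "d8:announce", as .torrent files usually do.
SAMPLE = build_pcap([
    b"GET /file.torrent HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nETag: \"7e8da1\"\r\n\r\nd8:announce31:http://tracker.example/announce",
])
```

Running `find_content(SAMPLE, RULE_BYTES)` reports the match at packet 2, offset 26, inside the ETag value, while the torrent body itself never contains those three bytes.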