Snort mailing list archives

Re: Question regarding a rule


From: Charlie Egan <chas5873 () gmail com>
Date: Thu, 26 Jun 2014 15:27:00 +0100

That's confusing to me, James, since when I take a hex dump of the .torrent
file, this is my output:

http://i60.tinypic.com/20usdpu.png

38 64 61 are the first bytes that appear, and I've checked the hex dump for
multiple torrent files and it seems to be consistent for all of them.

Should I be putting the content section of the rule as |3864 61| instead of
|38 64 61|? Unfortunately I can't access my machine with Snort on at the
moment, but will give it a try when I get a chance.

Also could I ask how you got that output from the .pcap file?

Sorry, still new to all of this; I appreciate the responses!

Cheers


On Wed, Jun 25, 2014 at 4:34 PM, James Lay <jlay () slave-tothe-box net> wrote:

On 2014-06-25 06:54, Charlie Egan wrote:

Appreciate it James,

Attached is the pcap file, hopefully that's correct - let me know if
there are any issues.

Cheers!

On Wed, Jun 25, 2014 at 1:24 PM, James Lay <jlay () slave-tothe-box net> wrote:

 On Wed, 2014-06-25 at 13:10 +0100, Charlie Egan wrote:

 Hi James,


Sorry, a bit new to all of this - is a pcap file just a saved
Wireshark file so you can have a look at all of the packets?

Cheers

On Wed, Jun ..., James Lay <jlay () slave-tothe-box net> wrote:

On Tue, 2014-06-24 at 21:36 +0100, Charlie Egan wrote:


other than specifying my $HOME_NET ip. I assumed they may be false
positives, but I'm only downloading one torrent file to my desktop
when I run the test, so it doesn't make sense to me why 25 odd
alerts are popping up. The content of the rule is at the beginning
of the hex dump of the metafile, and |38 64 61| certainly doesn't
pop up again within the file.

Do you have any idea what could be causing false positives?

Cheers

If you'd like to share a pcap of the file off list I'll take a look
at that and t

le you're trying.

James







Indeed it is.

James



This packet capture does not seem to contain "38 64 61" in hex anywhere.

===============================================================================
Run time for packet processing was 0.1815 seconds
Snort processed 38 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:           38
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       3940352
  Bytes in mapped regions (hblkhd):      17784832
  Total allocated space (uordblks):      2336640
  Total free space (fordblks):           1603712
  Topmost releasable block (keepcost):   132752
===============================================================================
Packet I/O Totals:
   Received:           38
   Analyzed:           38 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:           39 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:           32 ( 82.051%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            1 (  2.564%)
        TCP:           31 ( 79.487%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
      EAPOL:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            7 ( 17.949%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            1 (  2.564%)
     S5 G 2:            0 (  0.000%)
      Total:           39
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:           38 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
                  Drops: 0
     FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
     Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
            Total sessions: 1
              TCP sessions: 1
              UDP sessions: 0
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 1
TCP StreamTrackers Deleted: 1
              TCP Timeouts: 0
              TCP Overlaps: 0
       TCP Segments Queued: 21
     TCP Segments Released: 21
       TCP Rebuilt Packets: 4
         TCP Segments Used: 21
              TCP Discards: 0
                  TCP Gaps: 1
      UDP Sessions Created: 0
      UDP Sessions Deleted: 0
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 0
           Internal Events: 0
           TCP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 30
           UDP Port Filter
                  Filtered: 0
                 Inspected: 1
                   Tracked: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0
    GET methods:                          1
    HTTP Request Headers extracted:       1
    HTTP Request Cookies extracted:       1
    Post parameters extracted:            0
    HTTP response Headers extracted:      1
    HTTP Response Cookies extracted:      0
    Unicode:                              0
    Double unicode:                       0
    Non-ASCII representable:              0
    Directory traversals:                 0
    Extra slashes ("//"):                 0
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 0
    Gzip Compressed Data Processed:       n/a
    Gzip Decompressed Data Processed:     n/a
    Total packets processed:              25
===============================================================================
SMTP Preprocessor Statistics
  Total sessions                                    : 0
  Max concurrent sessions                           : 0
===============================================================================
dcerpc2 Preprocessor Statistics
  Total sessions: 0
===============================================================================
===============================================================================
Reputation Preprocessor Statistics
  Total Memory Allocated: 2049212
===============================================================================


James


------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
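An added example, not from this thread and not Snort's own code: a Python check that turns a Snort content value into the bytes it matches (so |38 64 61| and |3864 61| are the same pattern) and then searches a pcap's TCP payloads for those bytes packet by packet and in the reassembled stream, which is the difference between what a hex dump of the file on disk shows and what a rule sees on the wire. The capture, its addresses and the response body are constructed inline for the demonstration; a real Ethernet pcap saved from Wireshark can be passed as bytes in its place.

```python
import struct
def snort_content_to_bytes(content):
    """'|38 64 61|' and '|3864 61|' both become b'8da': spaces inside the pipes are ignored."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):   # odd-numbered parts are the hex runs
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def tcp_payloads(pcap):
    """Yield (packet_number, tcp_payload) from a little-endian libpcap file of Ethernet frames."""
    assert struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4, "unexpected pcap magic"
    off, n = 24, 0                                    # skip the 24-byte global header
    while off < len(pcap):
        caplen = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame, off, n = pcap[off + 16:off + 16 + caplen], off + 16 + caplen, n + 1
        if frame[12:14] != b"\x08\x00":               # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                                # not TCP
            continue
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        yield n, tcp[(tcp[12] >> 4) * 4:]             # strip the TCP header

def find_pattern(pcap, pattern):
    """Return (packets whose own payload contains pattern, whether the reassembled stream does)."""
    hits, stream = [], bytearray()
    for n, payload in tcp_payloads(pcap):
        if pattern in payload:
            hits.append(n)
        stream += payload
    return hits, pattern in stream

# Constructed capture (not the thread's pcap): one HTTP request, then a response split
# into two segments so that the bytes 38 64 61 ("8da") straddle the segment boundary.
def frame(sport, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp    # checksums left 0
    return b"\xff" * 6 + b"\xaa" * 6 + b"\x08\x00" + ip

def pcap_file(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = pcap_file([
    frame(40000, 80, b"GET /file.torrent HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    frame(80, 40000, b"HTTP/1.1 200 OK\r\nContent-Type: application/x-bittorrent\r\n\r\nd8"),
    frame(80, 40000, b"da:constructed-body-not-a-real-torrent"),
])
```

`find_pattern(SAMPLE_PCAP, snort_content_to_bytes("|38 64 61|"))` returns `([], True)`: no single packet carries the bytes, only the reassembled stream does, so a match there depends on stream reassembly, while a pattern absent from both cannot be what fired an alert.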
