Snort mailing list archives

Re: Alert from Internal Net as Attacker


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 12 Jan 2016 15:33:58 +0000

You may want to double check your variables.


If I create a rule like this

"alert tcp [127.0.0.0/8,!127.0.0.1] any -> any any (msg:"TEST!"; sid:1; )"


And play bi-directional traffic between 127.0.0.100 and 127.0.0.1, I only get alerts for 127.0.0.100 since I have negated the 127.0.0.1 host.


[root@provare snort-2.9.7.6-build_285]# ./bin/snort -c etc/TEST.conf -r /tmp/TEST.pcap -Acmg -H -U -k none -q | grep TEST
01/12-15:18:19.081436  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.100:80 -> 127.0.0.1:36474
01/12-15:18:19.205765  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.100:80 -> 127.0.0.1:36474
01/12-15:18:19.232068  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.100:80 -> 127.0.0.1:36474
01/12-15:18:19.260198  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.100:80 -> 127.0.0.1:36474
01/12-15:18:19.289323  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.100:80 -> 127.0.0.1:36474
01/12-15:18:19.311802  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.100:80 -> 127.0.0.1:36474
01/12-15:18:19.354348  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.100:80 -> 127.0.0.1:36474
01/12-15:18:19.379094  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.100:80 -> 127.0.0.1:36474
01/12-15:18:19.440109  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.100:80 -> 127.0.0.1:36474



[root@provare snort-2.9.7.6-build_285]# tcpdump -n -r /tmp/TEST.pcap
reading from file /tmp/TEST.pcap, link-type EN10MB (Ethernet)
10:18:19.081366 IP 127.0.0.1.36474 > 127.0.0.100.http: Flags [S], seq 4153064027, win 43690, options [mss 65495,sackOK,TS val 573579 ecr 0,nop,wscale 7], length 0
10:18:19.081436 IP 127.0.0.100.http > 127.0.0.1.36474: Flags [S.], seq 2767000698, ack 4153064028, win 43690, options [mss 65495,sackOK,TS val 573579 ecr 573579,nop,wscale 7], length 0
10:18:19.081484 IP 127.0.0.1.36474 > 127.0.0.100.http: Flags [.], ack 1, win 342, options [nop,nop,TS val 573579 ecr 573579], length 0
10:18:19.179815 IP 127.0.0.1.36474 > 127.0.0.100.http: Flags [P.], seq 1:163, ack 1, win 342, options [nop,nop,TS val 573678 ecr 573579], length 162: HTTP: GET /tests/unescape-1-percent.html HTTP/1.1
10:18:19.205765 IP 127.0.0.100.http > 127.0.0.1.36474: Flags [.], ack 163, win 350, options [nop,nop,TS val 573704 ecr 573678], length 0
10:18:19.232068 IP 127.0.0.100.http > 127.0.0.1.36474: Flags [P.], seq 1:82, ack 163, win 350, options [nop,nop,TS val 573730 ecr 573678], length 81: HTTP: HTTP/1.1 200 OK
10:18:19.232185 IP 127.0.0.1.36474 > 127.0.0.100.http: Flags [.], ack 82, win 342, options [nop,nop,TS val 573730 ecr 573730], length 0
10:18:19.260198 IP 127.0.0.100.http > 127.0.0.1.36474: Flags [P.], seq 82:1530, ack 163, win 350, options [nop,nop,TS val 573758 ecr 573730], length 1448: HTTP
10:18:19.260311 IP 127.0.0.1.36474 > 127.0.0.100.http: Flags [.], ack 1530, win 1365, options [nop,nop,TS val 573758 ecr 573758], length 0
10:18:19.289323 IP 127.0.0.100.http > 127.0.0.1.36474: Flags [P.], seq 1530:2978, ack 163, win 350, options [nop,nop,TS val 573787 ecr 573758], length 1448: HTTP
10:18:19.289637 IP 127.0.0.1.36474 > 127.0.0.100.http: Flags [.], ack 2978, win 2388, options [nop,nop,TS val 573788 ecr 573787], length 0
10:18:19.311802 IP 127.0.0.100.http > 127.0.0.1.36474: Flags [P.], seq 2978:4426, ack 163, win 350, options [nop,nop,TS val 573810 ecr 573788], length 1448: HTTP
10:18:19.312317 IP 127.0.0.1.36474 > 127.0.0.100.http: Flags [.], ack 4426, win 3411, options [nop,nop,TS val 573810 ecr 573810], length 0
10:18:19.354348 IP 127.0.0.100.http > 127.0.0.1.36474: Flags [P.], seq 4426:5874, ack 163, win 350, options [nop,nop,TS val 573852 ecr 573810], length 1448: HTTP
10:18:19.354474 IP 127.0.0.1.36474 > 127.0.0.100.http: Flags [.], ack 5874, win 3637, options [nop,nop,TS val 573852 ecr 573852], length 0
10:18:19.379094 IP 127.0.0.100.http > 127.0.0.1.36474: Flags [P.], seq 5874:6129, ack 163, win 350, options [nop,nop,TS val 573877 ecr 573852], length 255: HTTP
10:18:19.379261 IP 127.0.0.1.36474 > 127.0.0.100.http: Flags [.], ack 6129, win 3637, options [nop,nop,TS val 573877 ecr 573877], length 0
10:18:19.425342 IP 127.0.0.1.36474 > 127.0.0.100.http: Flags [F.], seq 163, ack 6129, win 3637, options [nop,nop,TS val 573922 ecr 573877], length 0
10:18:19.440109 IP 127.0.0.100.http > 127.0.0.1.36474: Flags [F.], seq 6129, ack 164, win 350, options [nop,nop,TS val 573938 ecr 573922], length 0
10:18:19.440164 IP 127.0.0.1.36474 > 127.0.0.100.http: Flags [.], ack 6130, win 3637, options [nop,nop,TS val 573938 ecr 573938], length 0

If I remove the '!' then I get alerts from both hosts as sources.

[root@provare snort-2.9.7.6-build_285]# ./bin/snort -c etc/TEST.conf -r /tmp/TEST.pcap -Acmg -H -U -k none -q | grep TEST
01/12-15:18:19.081366  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.1:36474 -> 127.0.0.100:80
01/12-15:18:19.081436  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.100:80 -> 127.0.0.1:36474
01/12-15:18:19.081484  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.1:36474 -> 127.0.0.100:80
01/12-15:18:19.179815  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.1:36474 -> 127.0.0.100:80
01/12-15:18:19.205765  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.100:80 -> 127.0.0.1:36474
01/12-15:18:19.232068  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.100:80 -> 127.0.0.1:36474
01/12-15:18:19.232185  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.1:36474 -> 127.0.0.100:80
01/12-15:18:19.260198  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.100:80 -> 127.0.0.1:36474
01/12-15:18:19.260311  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.1:36474 -> 127.0.0.100:80
01/12-15:18:19.289323  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.100:80 -> 127.0.0.1:36474
01/12-15:18:19.289637  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.1:36474 -> 127.0.0.100:80
01/12-15:18:19.311802  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.100:80 -> 127.0.0.1:36474
01/12-15:18:19.312317  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.1:36474 -> 127.0.0.100:80
01/12-15:18:19.354348  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.100:80 -> 127.0.0.1:36474
01/12-15:18:19.354474  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.1:36474 -> 127.0.0.100:80
01/12-15:18:19.379094  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.100:80 -> 127.0.0.1:36474
01/12-15:18:19.379261  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.1:36474 -> 127.0.0.100:80
01/12-15:18:19.425342  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.1:36474 -> 127.0.0.100:80
01/12-15:18:19.440109  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.100:80 -> 127.0.0.1:36474
01/12-15:18:19.440164  [**] [1:1:0] TEST! [**] [Priority: 0] {TCP} 127.0.0.1:36474 -> 127.0.0.100:80




Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com
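To make the semantics behind the two runs above concrete, here is an added example (not Snort's code and not from anyone in this thread) that models how a rule header's IP and port lists, including the '!' negation, decide which packets a rule may alert on. It replays the packet sequence from the tcpdump listing above as constructed tuples, reproducing the 9-versus-20 alert counts, and then applies the same mechanism to Giuseppe's original question (suppress alerts whose source is inside HOME_NET) using a constructed HOME_NET of 10.0.10.0/24 and a constructed outside host 198.51.100.7; the nested-list syntax that Snort also accepts is deliberately not modelled.

```python
"""Model of Snort rule-header IP/port matching with '!' negation.
Added example, not Snort source; flat lists only (no nested brackets)."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class IpList:
    negate_all: bool            # leading '!' on the whole list, e.g. !$HOME_NET
    any_addr: bool              # the keyword 'any'
    includes: list = field(default_factory=list)
    excludes: list = field(default_factory=list)

    def matches(self, addr):
        ip = ipaddress.ip_address(addr)
        if self.any_addr:
            hit = True
        else:
            # A list with only negated entries ('[!127.0.0.1]') means "everything else".
            in_pos = not self.includes or any(ip in net for net in self.includes)
            in_neg = any(ip in net for net in self.excludes)
            hit = in_pos and not in_neg
        return hit != self.negate_all


def parse_ip_list(spec, variables=None):
    """'any', '10.0.0.0/8', '[a,b,!c]' or '![...]'; $VARS are expanded first."""
    for name, value in (variables or {}).items():
        spec = spec.replace("$" + name, value)
    spec = spec.strip()
    negate_all = spec.startswith("!")
    if negate_all:
        spec = spec[1:].strip()
    if spec.lower() == "any":
        return IpList(negate_all, True)
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    result = IpList(negate_all, False)
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if item.startswith("!"):
            result.excludes.append(ipaddress.ip_network(item[1:].strip(), strict=False))
        else:
            result.includes.append(ipaddress.ip_network(item, strict=False))
    return result


def port_matches(spec, port):
    """'any', '80', '!80', '1024:' or '1024:65535'."""
    spec = spec.strip()
    if spec.lower() == "any":
        return True
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


HEADER_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)")


def parse_header(rule, variables=None):
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unparsable rule header: " + rule)
    _action, proto, src, sport, direction, dst, dport = m.groups()
    return {"proto": proto.lower(), "bidir": direction == "<>",
            "src": parse_ip_list(src, variables), "sport": sport,
            "dst": parse_ip_list(dst, variables), "dport": dport}


def header_matches(hdr, pkt):
    """pkt = (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, src, sport, dst, dport = pkt
    if hdr["proto"] not in ("ip", proto):
        return False

    def one_way(a, ap, b, bp):
        return (hdr["src"].matches(a) and port_matches(hdr["sport"], ap)
                and hdr["dst"].matches(b) and port_matches(hdr["dport"], bp))

    return one_way(src, sport, dst, dport) or (hdr["bidir"] and one_way(dst, dport, src, sport))


# Packet order reconstructed from the tcpdump listing in the thread:
# C = client 127.0.0.1:36474 -> server 127.0.0.100:80, S = the reply direction.
FLOW = "CSCCSSCSCSCSCSCSCCSC"
PACKETS = [("tcp", "127.0.0.1", 36474, "127.0.0.100", 80) if d == "C"
           else ("tcp", "127.0.0.100", 80, "127.0.0.1", 36474) for d in FLOW]
RULE_NEGATED = 'alert tcp [127.0.0.0/8,!127.0.0.1] any -> any any (msg:"TEST!"; sid:1; )'
RULE_PLAIN = 'alert tcp [127.0.0.0/8] any -> any any (msg:"TEST!"; sid:1; )'

# The original question: no alert when the source is inside HOME_NET.
# 10.0.10.0/24 as HOME_NET and 198.51.100.7 as the outside host are constructed values.
HOME_VARS = {"HOME_NET": "[10.0.10.0/24]"}
RULE_HOME = 'alert tcp !$HOME_NET any -> $HOME_NET any (msg:"external only"; sid:2; )'
INTERNAL_SOURCE = [("tcp", "10.0.10.100", 51000, "10.0.10.5", 445)]
EXTERNAL_SOURCE = [("tcp", "198.51.100.7", 51000, "10.0.10.5", 445)]


def count_alerts(rule, packets=PACKETS, variables=None):
    hdr = parse_header(rule, variables)
    return sum(1 for p in packets if header_matches(hdr, p))


if __name__ == "__main__":
    print(count_alerts(RULE_NEGATED), "alerts with the negated source")   # 9
    print(count_alerts(RULE_PLAIN), "alerts without the negation")         # 20
    print(count_alerts(RULE_HOME, INTERNAL_SOURCE, HOME_VARS),
          count_alerts(RULE_HOME, EXTERNAL_SOURCE, HOME_VARS))             # 0 1
```

Note the trade-off this models: negating the internal net in the header means the rule is also silent when an internal host really is the attacker, which is why a sensor operator usually prefers to keep the rule intact and suppress the specific noisy source (Snort 2.x offers `suppress ... track by_src, ip ...` entries in threshold.conf for that) rather than editing the header of every rule.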

From: Giuseppe Morici [mailto:giuseppe.morici () e-gate it]
Sent: Tuesday, January 12, 2016 9:45 AM
To: Al Lewis (allewi); snort-users () lists sourceforge net
Subject: R: Alert from Internal Net as Attacker

Hello,
Yes, of course, already did; the home net and external net are configured properly.


Best regards
Giuseppe Morici
Help Desk e-GATE s.r.l.
Office: +39 0112306001
Fax: +39 0112309130
Mobile: +39 3280389284
www.e-gate.it<http://www.e-gate.it/>
www.e-gate.to.it<http://www.e-gate.to.it/>
The information contained in this e-mail message is attorney privileged and confidential information intended only for 
the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the 
employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, 
distribution or copying of this communication is strictly prohibited. If you have received this communication in error, 
please immediately notify us by telephone or e-mail.

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Tuesday, 12 January 2016 15:33
To: Giuseppe Morici <giuseppe.morici () e-gate it<mailto:giuseppe.morici () e-gate it>>; snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: RE: Alert from Internal Net as Attacker

Have you tried adding !10.0.10.100 to your HOME_NET or to the rule for that specific alert?

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com<mailto:allewi () cisco com>

From: Giuseppe Morici [mailto:giuseppe.morici () e-gate it]
Sent: Tuesday, January 12, 2016 8:25 AM
To: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: [Snort-users] Alert from Internal Net as Attacker

Hello,
I've a question and hope that someone can give me some answer about it.
Is there a possibility to exclude an alert when the "source" is a range of IPs or aliases?
The IP in source is an internal net IP (of course it is in the whitelist and in the default list as home net); in fact the alert pops up but doesn't go in the blocked list because the IP is whitelisted.
Is there a possibility to exclude the alert only if the source is the internal net, without disabling the rules and letting them work for "real" attacks? (This is just to limit the spam in the alert list.)
Thanks for your help.

Best regards
Giuseppe Morici
Help Desk e-GATE s.r.l.
Office: +39 0112306001
Fax: +39 0112309130
Mobile: +39 3280389284
www.e-gate.it<http://www.e-gate.it/>
www.e-gate.to.it<http://www.e-gate.to.it/>
