Snort mailing list archives

Rule triggers on every request


From: Michael Kjeldsen <valvet () gmail com>
Date: Thu, 14 Jan 2016 23:01:18 +0100

Hi guys  

First time Snort user, not doing too well. I’m using the community rules (all of them), but this one rule is causing a 
lot of trouble (false positives):

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP info2www access"; 
flow:to_server,established; content:"/info2www"; fast_pattern:only; http_uri; metadata:ruleset community, service http; 
reference:bugtraq,1995; reference:cve,1999-0266; reference:nessus,10127; classtype:attempted-recon; sid:827; rev:21;)

I’ve isolated it by removing all other rules and placing this one in local.rules

After a complete Nikto scan against the host, I have 2000+ alerts.

Screenshot of content that’s being matched: http://imgur.com/sLlQlEC

Example data from apache's access log:

178.155.227.210 - - [14/Jan/2016:22:30:12 +0000] "GET /phorum/admin/stats.php HTTP/1.1" 404 400 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:001142)"

Example data (also a match) from u2spewfoo:

Packet
sensor id: 0 event id: 1 event second: 1452810610
packet second: 1452810612 packet microsecond: 869402
linktype: 1 packet_length: 219
[    0] 00 16 3E 6C AE FE 88 A2 5E 97 7E 9B 08 00 45 00  ..>l....^.~...E.
[   16] 00 CD 37 D3 40 00 32 06 71 38 B2 9B E3 D2 B9 1F  ..7.@.2.q8......
[   32] 4F 92 C3 64 00 50 1D 86 EF E7 23 A2 F7 12 80 18  O..d.P....#.....
[   48] 10 00 82 DB 00 00 01 01 08 0A 06 92 90 2B 15 D2  .............+..
[   64] 93 7A 47 45 54 20 2F 70 68 6F 72 75 6D 2F 61 64  .zGET /phorum/ad
[   80] 6D 69 6E 2F 73 74 61 74 73 2E 70 68 70 20 48 54  min/stats.php HT
[   96] 54 50 2F 31 2E 31 0D 0A 43 6F 6E 6E 65 63 74 69  TP/1.1..Connecti
[  112] 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A  on: Keep-Alive..
[  128] 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
[  144] 6C 6C 61 2F 35 2E 30 30 20 28 4E 69 6B 74 6F 2F  lla/5.00 (Nikto/
[  160] 32 2E 31 2E 35 29 20 28 45 76 61 73 69 6F 6E 73  2.1.5) (Evasions
[  176] 3A 4E 6F 6E 65 29 20 28 54 65 73 74 3A 30 30 31  :None) (Test:001
[  192] 31 34 32 29 0D 0A 48 6F 73 74 3A 20 74 68 65 66  142)..Host: thef
[  208] 6F 72 63 65 2E 64 6B 0D 0A 0D 0A                 orce.dk....


My configuration: http://pastebin.com/zsXWqgJ9  

Thanks

--  
Michael Kjeldsen
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)
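When a rule with `content:"/info2www"; fast_pattern:only; http_uri;` fires on a request whose URI is plainly `/phorum/admin/stats.php`, the first triage step is to confirm from the captured packet what the URI actually was and whether the rule's content string occurs in it. The script below is an added example for doing that over u2spewfoo output; it is not part of the original post and not Snort project code. It embeds the packet dump quoted above as constructed sample input, rebuilds the frame from the `[ offset] hex  ascii` lines, strips Ethernet II / IPv4 / TCP headers (linktype 1 and IPv4 are assumed), pulls the request-target from the HTTP request line, and reports whether the rule content appears in it. Snort's `http_uri` buffer is the normalized URI; this example only approximates that normalization with percent-decoding, which is enough for this alert but not a full reimplementation of http_inspect.

```python
"""Triage a u2spewfoo packet dump against a Snort http_uri 'content' string."""
import re
from typing import Dict
from urllib.parse import unquote

# Constructed sample input: the u2spewfoo "Packet" record quoted in the post.
SAMPLE_DUMP = """\
Packet
sensor id: 0 event id: 1 event second: 1452810610
packet second: 1452810612 packet microsecond: 869402
linktype: 1 packet_length: 219
[    0] 00 16 3E 6C AE FE 88 A2 5E 97 7E 9B 08 00 45 00  ..>l....^.~...E.
[   16] 00 CD 37 D3 40 00 32 06 71 38 B2 9B E3 D2 B9 1F  ..7.@.2.q8......
[   32] 4F 92 C3 64 00 50 1D 86 EF E7 23 A2 F7 12 80 18  O..d.P....#.....
[   48] 10 00 82 DB 00 00 01 01 08 0A 06 92 90 2B 15 D2  .............+..
[   64] 93 7A 47 45 54 20 2F 70 68 6F 72 75 6D 2F 61 64  .zGET /phorum/ad
[   80] 6D 69 6E 2F 73 74 61 74 73 2E 70 68 70 20 48 54  min/stats.php HT
[   96] 54 50 2F 31 2E 31 0D 0A 43 6F 6E 6E 65 63 74 69  TP/1.1..Connecti
[  112] 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A  on: Keep-Alive..
[  128] 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
[  144] 6C 6C 61 2F 35 2E 30 30 20 28 4E 69 6B 74 6F 2F  lla/5.00 (Nikto/
[  160] 32 2E 31 2E 35 29 20 28 45 76 61 73 69 6F 6E 73  2.1.5) (Evasions
[  176] 3A 4E 6F 6E 65 29 20 28 54 65 73 74 3A 30 30 31  :None) (Test:001
[  192] 31 34 32 29 0D 0A 48 6F 73 74 3A 20 74 68 65 66  142)..Host: thef
[  208] 6F 72 63 65 2E 64 6B 0D 0A 0D 0A                 orce.dk....
"""

# One dump line: "[ offset] " followed by up to 16 hex pairs; the ASCII column
# is never reached because the repeat is capped at 16 pairs.
HEX_LINE = re.compile(r"^\[\s*(\d+)\]\s((?:[0-9A-Fa-f]{2} ?){1,16})")


def parse_u2spewfoo_packet(dump: str) -> bytes:
    """Rebuild the raw frame from the hex column of a u2spewfoo Packet record."""
    buf = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1))
        if offset != len(buf):
            raise ValueError(f"dump line at offset {offset} is out of order or missing")
        buf.extend(bytes.fromhex(m.group(2)))
    declared = re.search(r"packet_length:\s*(\d+)", dump)
    if declared and int(declared.group(1)) != len(buf):
        raise ValueError("reassembled length does not match packet_length")
    return bytes(buf)


def tcp_payload(frame: bytes) -> bytes:
    """Strip Ethernet II, IPv4 and TCP headers (linktype 1, IPv4 only: an assumption)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet II / IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length
    total_len = int.from_bytes(frame[16:18], "big")   # IPv4 total length
    if frame[23] != 6:
        raise ValueError("not TCP")
    tcp_start = 14 + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4       # TCP data offset
    return frame[tcp_start + data_off : 14 + total_len]


def request_uri(payload: bytes) -> str:
    """Return the request-target from the HTTP request line."""
    request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"not an HTTP request line: {request_line!r}")
    return parts[1]


def rule_content_in_uri(uri: str, content: str) -> bool:
    """Case-sensitive substring test (sid:827 sets no 'nocase'), on the raw and
    percent-decoded URI as a rough stand-in for http_inspect normalization."""
    return content in uri or content in unquote(uri)


def triage(dump: str, content: str = "/info2www") -> Dict[str, object]:
    """Say whether the alert's packet really contains the rule content in its URI."""
    uri = request_uri(tcp_payload(parse_u2spewfoo_packet(dump)))
    return {"uri": uri, "content": content,
            "true_positive": rule_content_in_uri(uri, content)}


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    verdict = "contains" if result["true_positive"] else "does NOT contain"
    print(f"URI {result['uri']!r} {verdict} rule content {result['content']!r}")
```

Feeding the quoted dump through `triage()` reports the URI as `/phorum/admin/stats.php` with no `/info2www` in it, which confirms the alert is a false positive rather than a Nikto probe the rule was written for; running it over every `Packet` record in a `u2spewfoo` run gives a quick count of how many of the 2000+ alerts share that property before changing the configuration.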

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org