Snort mailing list archives
Rule triggers on every request
From: Michael Kjeldsen <valvet () gmail com>
Date: Thu, 14 Jan 2016 23:01:18 +0100
Hi guys,

First time Snort user, not doing too well. I'm using the community rules (all of them), but this one rule is causing a lot of trouble (false positives):

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP info2www access"; flow:to_server,established; content:"/info2www"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1995; reference:cve,1999-0266; reference:nessus,10127; classtype:attempted-recon; sid:827; rev:21;)

I've isolated it by removing all other rules and placing this one in local.rules. After a complete Nikto scan against the host, I have 2000+ alerts.

Screenshot of content that's being matched: http://imgur.com/sLlQlEC

Example data from Apache's access log:

178.155.227.210 - - [14/Jan/2016:22:30:12 +0000] "GET /phorum/admin/stats.php HTTP/1.1" 404 400 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:001142)"

Example data (also a match) from u2spewfoo:

Packet
  sensor id: 0  event id: 1  event second: 1452810610  packet second: 1452810612
  packet microsecond: 869402  linktype: 1  packet_length: 219
[   0] 00 16 3E 6C AE FE 88 A2 5E 97 7E 9B 08 00 45 00  ..>l....^.~...E.
[  16] 00 CD 37 D3 40 00 32 06 71 38 B2 9B E3 D2 B9 1F  ..7.@.2.q8......
[  32] 4F 92 C3 64 00 50 1D 86 EF E7 23 A2 F7 12 80 18  O..d.P....#.....
[  48] 10 00 82 DB 00 00 01 01 08 0A 06 92 90 2B 15 D2  .............+..
[  64] 93 7A 47 45 54 20 2F 70 68 6F 72 75 6D 2F 61 64  .zGET /phorum/ad
[  80] 6D 69 6E 2F 73 74 61 74 73 2E 70 68 70 20 48 54  min/stats.php HT
[  96] 54 50 2F 31 2E 31 0D 0A 43 6F 6E 6E 65 63 74 69  TP/1.1..Connecti
[ 112] 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A  on: Keep-Alive..
[ 128] 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
[ 144] 6C 6C 61 2F 35 2E 30 30 20 28 4E 69 6B 74 6F 2F  lla/5.00 (Nikto/
[ 160] 32 2E 31 2E 35 29 20 28 45 76 61 73 69 6F 6E 73  2.1.5) (Evasions
[ 176] 3A 4E 6F 6E 65 29 20 28 54 65 73 74 3A 30 30 31  :None) (Test:001
[ 192] 31 34 32 29 0D 0A 48 6F 73 74 3A 20 74 68 65 66  142)..Host: thef
[ 208] 6F 72 63 65 2E 64 6B 0D 0A 0D 0A                 orce.dk....

My configuration: http://pastebin.com/zsXWqgJ9

Thanks

--
Michael Kjeldsen
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)
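A small triage script, added here and not part of the original post or of Snort: it parses the rule's content options and re-checks them against the URIs in access-log lines, so the alert count can be compared with how many requests actually contain what the rule demands. It assumes the raw log URI is close enough to Snort's normalised http_uri buffer for this purpose; the second log line is constructed so that both outcomes are exercised.

```python
import re

# Added triage helper (not Snort's own code): re-check a rule's http_uri content
# options against access-log URIs. RULE is the rule from the post (references trimmed).
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ('
        'msg:"SERVER-WEBAPP info2www access"; flow:to_server,established; '
        'content:"/info2www"; fast_pattern:only; http_uri; classtype:attempted-recon; '
        'sid:827; rev:21;)')
# Constructed sample log: the Nikto line from the post plus one line that really
# contains the rule's content.
ACCESS_LOG = (
    '178.155.227.210 - - [14/Jan/2016:22:30:12 +0000] "GET /phorum/admin/stats.php HTTP/1.1" '
    '404 400 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:001142)"\n'
    '192.0.2.10 - - [14/Jan/2016:22:31:00 +0000] "GET /cgi-bin/info2www HTTP/1.1" '
    '404 400 "-" "curl/7.47.0"\n'
)
# content:"..."; followed by its modifiers, up to the next content: or the closing ')'
CONTENT_RE = re.compile(r'content:\s*(!?)"((?:[^"\\]|\\.)*)"\s*;([^"]*?)(?=content:|\)$)')
# Common Log Format: client, ident, user, [time], "METHOD URI PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def decode_content(raw):
    """Expand |hex| runs and backslash escapes in a Snort content string."""
    text = re.sub(r'\|([0-9A-Fa-f ]+)\|',
                  lambda m: bytes.fromhex(m.group(1)).decode('latin-1'), raw)
    return text.replace('\\"', '"').replace('\\;', ';').replace('\\\\', '\\')

def parse_rule_contents(rule):
    """Return (pattern, negated, nocase, http_uri) for every content option."""
    return [(decode_content(raw), neg == '!', 'nocase' in mods, 'http_uri' in mods)
            for neg, raw, mods in CONTENT_RE.findall(rule)]

def uri_matches(contents, uri):
    """True when every http_uri content is satisfied by the (raw, unnormalised) URI.
    Contents without http_uri need the packet payload and are not judged here."""
    checks = [(p, neg, nocase) for p, neg, nocase, is_uri in contents if is_uri]
    if not checks:
        return None
    for pat, neg, nocase in checks:
        hay, needle = (uri.lower(), pat.lower()) if nocase else (uri, pat)
        if (needle in hay) == neg:      # found-but-negated, or missing-but-required
            return False
    return True

def triage(rule, access_log):
    """Map each request URI in the log to whether the rule's URI contents match it."""
    contents = parse_rule_contents(rule)
    return [(m.group(3), uri_matches(contents, m.group(3)))
            for m in map(LOG_RE.match, access_log.splitlines()) if m]
if __name__ == '__main__':
    for uri, hit in triage(RULE, ACCESS_LOG):
        print('MATCH   ' if hit else 'no match', uri)
```

If the script reports "no match" for nearly every request that produced an alert, the content itself cannot be what fired, which points the investigation at the engine or preprocessor configuration rather than at the traffic.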
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!