Snort mailing list archives

More packet drops
From: "Lay, James" <james.lay () wincofoods com>
Date: Wed, 15 Dec 2010 09:46:16 -0700

Hey Team,

 

I know I hit this a fair amount, but I have been seeing this more and
more...observe the following.

 

From 08:03:30 to 08:49:18 I have in my alert log 24 events:

 

08:03:30  [1:15362:2] WEB-CLIENT obfuscated javascript excessive
fromCharCode - potential attack [**] [Classification: Misc activity]
[Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:60203

08:07:18  [1:2011409:2] ET DNS DNS Query for Suspicious .co.cc Domain
[**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}
10.21.0.8:61378 -> 207.170.210.162:53

08:07:20  [1:2011409:2] ET DNS DNS Query for Suspicious .co.cc Domain
[**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}
10.21.0.8:53058 -> 207.170.210.162:53

08:07:23  [1:2011409:2] ET DNS DNS Query for Suspicious .co.cc Domain
[**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}
10.21.0.8:50024 -> 207.170.210.162:53

08:08:33  [1:15362:2] WEB-CLIENT obfuscated javascript excessive
fromCharCode - potential attack [**] [Classification: Misc activity]
[Priority: 3] {TCP} 66.77.124.48:80 -> 10.21.0.16:60940

08:13:23  [1:17400:1] WEB-CLIENT rename of JavaScript unescape function
- likely malware obfuscation [**] [Classification: Attempted User
Privilege Gain] [Priority: 1] {TCP} 96.7.21.50:80 -> 10.21.0.16:61748

08:13:23  [1:17400:1] WEB-CLIENT rename of JavaScript unescape function
- likely malware obfuscation [**] [Classification: Attempted User
Privilege Gain] [Priority: 1] {TCP} 96.7.21.50:80 -> 10.21.0.16:61748

08:13:54  [1:2011582:3] ET POLICY Vulnerable Java Version 1.6.x Detected
[**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
10.21.0.16:61924 -> 64.55.39.56:80

08:18:42  [1:15362:2] WEB-CLIENT obfuscated javascript excessive
fromCharCode - potential attack [**] [Classification: Misc activity]
[Priority: 3] {TCP} 64.210.194.189:80 -> 10.21.0.16:62691

08:21:20  [1:7033:2] POLICY GoToMyPC local service running [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
{TCP} 10.10.0.44:1110 -> 216.115.208.199:8200

08:22:33  [1:7033:2] POLICY GoToMyPC local service running [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
{TCP} 10.10.0.56:1103 -> 216.115.208.199:8200

08:23:48  [1:15362:2] WEB-CLIENT obfuscated javascript excessive
fromCharCode - potential attack [**] [Classification: Misc activity]
[Priority: 3] {TCP} 64.210.194.189:80 -> 10.21.0.16:63602

08:25:46  [1:2010882:3] ET POLICY .pdf File Containing Javascript [**]
[Classification: Misc activity] [Priority: 3] {TCP} 129.42.42.136:80 ->
10.21.0.16:64089

08:35:58  [1:15213004:1] ET WEB_CLIENT PDF Name Representation
Obfuscation of /Type [**] [Classification: Potentially Bad Traffic]
[Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942

08:35:58  [1:15213009:1] ET WEB_CLIENT PDF Name Representation
Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic]
[Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942

08:35:58  [1:15213004:1] ET WEB_CLIENT PDF Name Representation
Obfuscation of /Type [**] [Classification: Potentially Bad Traffic]
[Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942

08:35:58  [1:15213009:1] ET WEB_CLIENT PDF Name Representation
Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic]
[Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942

08:39:06  [1:15362:2] WEB-CLIENT obfuscated javascript excessive
fromCharCode - potential attack [**] [Classification: Misc activity]
[Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:2356

08:39:14  [1:2010784:3] ET POLICY Facebook Chat (send message) [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
{TCP} 10.21.0.16:2391 -> 66.220.146.32:80

08:39:54  [1:15306:5] WEB-CLIENT Portable Executable binary file
transfer [**] [Classification: Misc activity] [Priority: 3] {TCP}
206.169.246.169:80 -> 10.21.0.16:2557

08:43:09  [1:2011411:2] ET DNS DNS Query for Suspicious .co.kr Domain
[**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}
10.21.0.8:61942 -> 207.170.210.162:53

08:44:06  [1:2011582:3] ET POLICY Vulnerable Java Version 1.6.x Detected
[**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
10.21.0.16:3293 -> 206.169.246.137:80

08:44:12  [1:15362:2] WEB-CLIENT obfuscated javascript excessive
fromCharCode - potential attack [**] [Classification: Misc activity]
[Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:3302

08:49:18  [1:15362:2] WEB-CLIENT obfuscated javascript excessive
fromCharCode - potential attack [**] [Classification: Misc activity]
[Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:3745

 

Yet in my pcap file I see only 18:

 

reading from file internettcpdump.pcap.1292425386, link-type EN10MB (Ethernet)

08:03:30.305344 IP 64.210.194.188.80 > 10.21.0.16.60203: Flags [.], ack
282797950, win 11792, length 1400

08:07:18.325312 IP 10.21.0.8.61378 > 207.170.210.162.53: 57440+ NS?
co.cc. (23)

08:07:20.324161 IP 10.21.0.8.53058 > 207.170.210.162.53: 39002+ A?
roozzy.co.cc. (30)

08:07:23.203946 IP 10.21.0.8.50024 > 207.170.210.162.53: 3064+ A?
co.cc.multi.surbl.org. (39)

08:08:33.344711 IP 66.77.124.48.80 > 10.21.0.16.60940: Flags [.], ack
267700243, win 8168, length 1400

08:13:23.161052 IP 96.7.21.50.80 > 10.21.0.16.61748: Flags [.], ack
2940291853, win 6432, length 1400

08:13:23.168051 IP 96.7.21.50.80 > 10.21.0.16.61748: Flags [.], ack 1,
win 6432, length 1400

08:13:54.536707 IP 10.21.0.16.61924 > 64.55.39.56.80: Flags [P.], ack
2352821962, win 65535, length 293

08:18:42.335202 IP 64.210.194.189.80 > 10.21.0.16.62691: Flags [.], ack
2174948125, win 7504, length 1400

08:21:20.958353 IP 10.10.0.44.1110 > 216.115.208.199.8200: Flags [P.],
ack 3353747836, win 65535, length 39

08:22:33.467936 IP 10.10.0.56.1103 > 216.115.208.199.8200: Flags [P.],
ack 1853793984, win 65535, length 39

08:23:48.894301 IP 64.210.194.189.80 > 10.21.0.16.63602: Flags [.], ack
1977407693, win 7504, length 1400

08:39:06.205770 IP 64.210.194.188.80 > 10.21.0.16.2356: Flags [.], ack
195376762, win 11792, length 1400

08:39:54.189185 IP 206.169.246.169.80 > 10.21.0.16.2557: Flags [.], ack
2163517595, win 7504, length 1400

08:43:09.564591 IP 10.21.0.8.61942 > 207.170.210.162.53: 46222+ A?
ns.igroupnet.co.kr. (36)

08:44:06.541333 IP 10.21.0.16.3293 > 206.169.246.137.80: Flags [P.], ack
4050879426, win 65535, length 258

08:44:12.610875 IP 64.210.194.188.80 > 10.21.0.16.3302: Flags [.], ack
239480599, win 11792, length 1400

08:49:18.396033 IP 64.210.194.188.80 > 10.21.0.16.3745: Flags [.], ack
1085111822, win 9648, length 1400

 

The six dropped items were:

 

08:25:46  [1:2010882:3] ET POLICY .pdf File Containing Javascript [**]
[Classification: Misc activity] [Priority: 3] {TCP} 129.42.42.136:80 ->
10.21.0.16:64089

08:35:58  [1:15213004:1] ET WEB_CLIENT PDF Name Representation
Obfuscation of /Type [**] [Classification: Potentially Bad Traffic]
[Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942

08:35:58  [1:15213009:1] ET WEB_CLIENT PDF Name Representation
Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic]
[Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942

08:35:58  [1:15213004:1] ET WEB_CLIENT PDF Name Representation
Obfuscation of /Type [**] [Classification: Potentially Bad Traffic]
[Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942

08:35:58  [1:15213009:1] ET WEB_CLIENT PDF Name Representation
Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic]
[Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942

08:39:14  [1:2010784:3] ET POLICY Facebook Chat (send message) [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
{TCP} 10.21.0.16:2391 -> 66.220.146.32:80

 

Here are the rule file entries:

emerging-policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Facebook Chat (send message)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/send.php"; http_uri; content:"facebook.com"; http_header; classtype:policy-violation; reference:url,doc.emergingthreats.net/2010784; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat; sid:2010784; rev:3;)

emerging-policy.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY .pdf File Containing Javascript"; flow:established,to_client; file_data; content:"PDF-"; nocase; depth:300; content:"/Javascript"; nocase; distance:0; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010882; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_PDF; sid:2010882; rev:3;)

pdf.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of /Type"; flow:established,to_client; content:"PDF-"; depth:300; content:"/"; distance:0; content:!"Type"; within:4; content:"#"; within:11; pcre:"/\x2F(T|#54)(y|#79)(p|#70)(e|#65)/i"; classtype:bad-unknown; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; sid:15213004; rev:1;)

pdf.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages"; flow:established,to_client; content:"PDF-"; depth:300; content:"/"; distance:0; content:!"Pages"; within:5; content:"#"; within:13; pcre:"/\x2F(P|#40)(a|#61)(g|#67)(e|#65)(s|#73)/i"; classtype:bad-unknown; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; sid:15213009; rev:1;)

Pertinent log entries in snort.conf:

config event_queue: max_queue 8 log 3 order_events content_length

output log_tcpdump: internettcpdump.pcap

 

The setup is a port in monitor mode on a gig switch, plugged into a USB NIC on the snort box.

Switch stats:

GigabitEthernet1/0/13 is up, line protocol is down (monitoring)

  Hardware is Gigabit Ethernet

  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

     reliability 255/255, txload 3/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX

  input flow-control is off, output flow-control is unsupported

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input never, output 3w5d, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops:
5802

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 1205000 bits/sec, 287 packets/sec

     0 packets input, 0 bytes, 0 no buffer

     Received 0 broadcasts (0 multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog, 0 multicast, 0 pause input

     0 input packets with dribble condition detected

     607863137 packets output, 336036843121 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier, 0 PAUSE output

     0 output buffer failures, 0 output buffers swapped out

 

Interface stats:

eth5      Link encap:Ethernet  HWaddr 00:50:ba:77:e9:b6

          UP BROADCAST RUNNING NOARP PROMISC MULTICAST  MTU:1500
Metric:1

          RX packets:269512998 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:3185031021 (2.9 GiB)  TX bytes:0 (0.0 B)

 

Considering that the packet makes it far enough for snort to alert, but snort does not log some of those packets, makes me think it's not a networking issue.  Can anyone see anything that I'm glaringly missing?  The only common factor I can see is that it always seems to be port 80.  Interestingly... none of the below show up either:

 

12/02-10:25:54.702534  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy
list) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 10.21.0.16:47438 -> 69.63.181.12:80

12/02-10:46:37.876655  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy
list) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 10.21.0.16:52801 -> 66.220.149.25:80

12/02-11:01:38.081401  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy
list) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 10.21.0.16:55967 -> 66.220.149.18:80

12/02-11:16:38.348142  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy
list) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 10.21.0.16:59508 -> 66.220.147.11:80

12/02-11:35:12.894873  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy
list) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 10.21.0.16:62891 -> 69.63.189.31:80

12/02-14:44:06.681124  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy
list) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 10.21.0.16:30016 -> 66.220.149.25:80

12/02-14:59:09.955642  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy
list) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 10.21.0.16:33798 -> 66.220.158.25:80

12/02-15:45:41.462082  [**] [1:2010786:4] ET POLICY Facebook Chat
(settings) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 10.21.0.16:43851 -> 66.220.149.11:80

12/02-15:54:20.088339  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy
list) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80

12/02-15:54:23.532080  [**] [1:2010786:4] ET POLICY Facebook Chat
(settings) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80

12/02-15:55:05.482947  [**] [1:2010784:3] ET POLICY Facebook Chat (send
message) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80

12/02-15:55:09.427649  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy
list) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80

12/02-15:55:09.823623  [**] [1:2010786:4] ET POLICY Facebook Chat
(settings) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80

12/02-15:55:20.528820  [**] [1:2010786:4] ET POLICY Facebook Chat
(settings) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 10.21.0.16:46021 -> 66.220.149.11:80

12/02-15:55:50.929549  [**] [1:2010785:4] ET POLICY Facebook Chat (buddy
list) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 10.21.0.16:46372 -> 69.63.189.11:80

12/15-08:39:14.437154  [**] [1:2010784:3] ET POLICY Facebook Chat (send
message) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 10.21.0.16:2391 -> 66.220.146.32:80

12/15-09:40:01.948657  [**] [1:2010786:4] ET POLICY Facebook Chat
(settings) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 10.21.0.16:12796 -> 66.220.158.18:80

 

Thank you.

 

James Lay

IT Security Analyst

WinCo Foods

208-672-2014 Office

208-559-1855 Cell

650 N Armstrong Pl.

Boise, Idaho 83704
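As an added example (not part of James's post), this is the correlation one would run to find which alerts have no corresponding packet in the log_tcpdump output: it parses alert lines and tcpdump text output in the formats shown above, keys both on the second-resolution timestamp plus source/destination address and port, and also counts how many alerts share one packet key, since the `event_queue` setting `log 3` caps the events Snort logs for a single packet. The sample inputs are a handful of lines copied from the post, with the alert lines unwrapped to one event per line as Snort writes them.

```python
import re
from collections import Counter

# Constructed sample, copied from the post: four alert events (one per line,
# as Snort writes them) and two packets from the tcpdump output.
ALERT_TEXT = """\
08:03:30  [1:15362:2] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:60203
08:25:46  [1:2010882:3] ET POLICY .pdf File Containing Javascript [**] [Classification: Misc activity] [Priority: 3] {TCP} 129.42.42.136:80 -> 10.21.0.16:64089
08:35:58  [1:15213004:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Type [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
08:35:58  [1:15213009:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Pages [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 173.203.13.187:80 -> 10.21.0.16:1942
"""
PCAP_TEXT = """\
08:03:30.305344 IP 64.210.194.188.80 > 10.21.0.16.60203: Flags [.], ack 282797950, win 11792, length 1400
08:07:18.325312 IP 10.21.0.8.61378 > 207.170.210.162.53: 57440+ NS? co.cc. (23)
"""

# Alert line: time  [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\s+\[\d+:(\d+):\d+\]\s+(.*?)\s+\[\*\*\].*?\{\w+\}\s+"
    r"([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)")
# tcpdump line: time.usec IP src.port > dst.port: ...
PKT_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\.\d+\s+IP\s+([\d.]+)\.(\d+)\s+>\s+([\d.]+)\.(\d+):")

def parse_alerts(text):
    """(second, sid, msg, (src, sport, dst, dport)) for each alert line."""
    rows = [ALERT_RE.match(l) for l in text.splitlines()]
    return [(m[1], m[2], m[3], (m[4], m[5], m[6], m[7])) for m in rows if m]

def parse_packets(text):
    """Set of (second, (src, sport, dst, dport)) keys present in the pcap."""
    rows = [PKT_RE.match(l) for l in text.splitlines()]
    return {(m[1], (m[2], m[3], m[4], m[5])) for m in rows if m}

def unlogged_alerts(alert_text, pcap_text):
    """Alerts with no packet logged in the same second on the same 4-tuple."""
    pkts = parse_packets(pcap_text)
    return [(t, sid, msg) for t, sid, msg, k in parse_alerts(alert_text)
            if (t, k) not in pkts]

def events_per_packet(alert_text):
    """Alerts sharing one second + 4-tuple; 'log 3' in event_queue caps how
    many of those Snort writes for a single packet."""
    return Counter((t, k) for t, _sid, _msg, k in parse_alerts(alert_text))
```

Run it against the full alert file and `tcpdump -r internettcpdump.pcap.<ts>` output to get the unmatched list directly instead of diffing the two by eye.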
