Snort mailing list archives
Re: Newbie: Bot Detection Rule
From: Bob Van Cleef <vancleef () microunity com>
Date: Mon, 2 Jul 2001 11:38:51 -0700 (PDT)
On Fri, 22 Jun 2001, Vitaly Osipov wrote:
> And regarding rules - I never understood what's the use of logging all packets going to unusual ports etc. So let's say I've received a UDP packet to port 666 - what am I supposed to do? Complain? (ever heard about spoofing - especially if it's UDP?). That's why I like Snort DB logging - the only thing I can do is to log all that garbage to a database to dig through it sometimes if something really nasty starts...
Especially when you are not sure what they are telling you, once they do generate an alarm.

For example, see below: the source system is a proxy server, running the old Firewalls Tool Kit. About the only thing it forwards is HTML proxy requests... so I have no clue, looking at this alert, as to why it would generate a connection request to 212.30.210.6:6667.

However, the proxy server did have these two log entries:

adsl2-6.simnet.is - - [01/Jul/2001:16:55:06 -0700] "CONNECT 212.30.210.6:6667 HTTP/1.0" 503 265
adsl2-6.simnet.is - - [01/Jul/2001:16:57:25 -0700] "POST http://212.30.210.6:6667/some.cgi HTTP/1.0" 200 58

Interesting.... but not very informative.

Bob

[**] IRC Bot Connection [**]
07/01-16:55:19.091810 192.86.6.23:2893 -> 212.30.210.6:6667
TCP TTL:60 TOS:0x0 ID:12232 IpLen:20 DgmLen:40
******S* Seq: 0x296B8400  Ack: 0x0  Win: 0x1000  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IRC Bot Connection [**]
07/01-16:55:19.267947 192.86.6.23:2893 -> 212.30.210.6:6667
TCP TTL:60 TOS:0x0 ID:12234 IpLen:20 DgmLen:40
***A**** Seq: 0x296B8401  Ack: 0x3DC6A253  Win: 0x1000  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IRC Bot Connection [**]
07/01-16:55:19.269021 192.86.6.23:2893 -> 212.30.210.6:6667
TCP TTL:60 TOS:0x0 ID:12235 IpLen:20 DgmLen:92
***AP*** Seq: 0x296B8401  Ack: 0x3DC6A253  Win: 0x1000  TcpLen: 20
50 4F 53 54 20 2F 73 6F 6D 65 2E 63 67 69 20 48  POST /some.cgi H
54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 32  TTP/1.0..Host: 2
31 32 2E 33 30 2E 32 31 30 2E 36 3A 36 36 36 37  12.30.210.6:6667
0D 0A 0D 0A                                      ....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IRC Bot Connection [**]
07/01-16:57:25.462115 192.86.6.23:2893 -> 212.30.210.6:6667
TCP TTL:60 TOS:0x0 ID:14539 IpLen:20 DgmLen:40
***A**** Seq: 0x296B8435  Ack: 0x3DC6A28F  Win: 0x1000  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IRC Bot Connection [**]
07/01-16:57:25.745070 192.86.6.23:2893 -> 212.30.210.6:6667
TCP TTL:60 TOS:0x0 ID:14541 IpLen:20 DgmLen:40
***A***F Seq: 0x296B8435  Ack: 0x3DC6A28F  Win: 0x1000  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
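The post's point is that the Snort alert names the proxy as the source, while the proxy's own access log names the real client. Correlating the two by destination host:port and time is what turns "not very informative" into an attribution. The script below is an added example, not code from the thread or from Snort: it parses Snort's classic multi-line "full" alert records (including the hex dump), parses NCSA-style proxy log lines (CONNECT host:port and absolute-URL requests), and reports which proxy client was behind each alert. The embedded alert and log text is constructed from the lines quoted in the post (three of the five alerts); the year, the 120-second window and the assumption that both clocks are in the same local zone are mine.

```python
"""Correlate Snort 'full' alert records with a proxy access log (added example)."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed input: the proxy log lines quoted in the post.
PROXY_LOG = """\
adsl2-6.simnet.is - - [01/Jul/2001:16:55:06 -0700] "CONNECT 212.30.210.6:6667 HTTP/1.0" 503 265
adsl2-6.simnet.is - - [01/Jul/2001:16:57:25 -0700] "POST http://212.30.210.6:6667/some.cgi HTTP/1.0" 200 58
"""

# Constructed input: three of the Snort alerts quoted in the post (SYN, PSH/ACK with payload, FIN).
SNORT_ALERTS = """\
[**] IRC Bot Connection [**]
07/01-16:55:19.091810 192.86.6.23:2893 -> 212.30.210.6:6667
TCP TTL:60 TOS:0x0 ID:12232 IpLen:20 DgmLen:40
******S* Seq: 0x296B8400  Ack: 0x0  Win: 0x1000  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IRC Bot Connection [**]
07/01-16:55:19.269021 192.86.6.23:2893 -> 212.30.210.6:6667
TCP TTL:60 TOS:0x0 ID:12235 IpLen:20 DgmLen:92
***AP*** Seq: 0x296B8401  Ack: 0x3DC6A253  Win: 0x1000  TcpLen: 20
50 4F 53 54 20 2F 73 6F 6D 65 2E 63 67 69 20 48  POST /some.cgi H
54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 32  TTP/1.0..Host: 2
31 32 2E 33 30 2E 32 31 30 2E 36 3A 36 36 36 37  12.30.210.6:6667
0D 0A 0D 0A                                      ....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IRC Bot Connection [**]
07/01-16:57:25.745070 192.86.6.23:2893 -> 212.30.210.6:6667
TCP TTL:60 TOS:0x0 ID:14541 IpLen:20 DgmLen:40
***A***F Seq: 0x296B8435  Ack: 0x3DC6A28F  Win: 0x1000  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# Snort full-alert flow line: "MM/DD-HH:MM:SS.usec src:sport -> dst:dport" (no year in the line).
FLOW_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$")
# Hex-dump line: up to 16 "XX " byte pairs, followed by the ASCII rendering (ignored).
HEX_RE = re.compile(r"^((?:[0-9A-F]{2} ){1,16})")
# NCSA-style proxy log: client ident user [ts] "METHOD target VERSION" status size
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+')


def parse_alerts(text, year):
    """Split alert text into records; year is supplied because the flow line lacks it (assumption)."""
    alerts, cur = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("[**]"):
            cur = {"msg": line.strip("[*] ").strip(), "payload": b""}
            continue
        if cur is None:
            continue
        if line.startswith("=+="):                    # record separator
            alerts.append(cur)
            cur = None
            continue
        m = FLOW_RE.match(line)
        if m:
            cur.update(src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
                       ts=datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f"))
            continue
        h = HEX_RE.match(line)
        if h:                                         # reassemble the captured payload bytes
            cur["payload"] += bytes.fromhex(h.group(1))
    return alerts


def parse_proxy_log(text):
    """Parse proxy requests into (client, method, host, port, status, ts); CONNECT targets are host:port."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] == "CONNECT":
            host, _, port = m["target"].rpartition(":")
            port = int(port)
        else:                                         # absolute URL, as a proxy logs it
            u = urlsplit(m["target"])
            host, port = u.hostname, u.port or (443 if u.scheme == "https" else 80)
        # Wall-clock time in the log's own zone; assumed to be the same zone as the sensor.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        entries.append({"client": m["client"], "method": m["method"], "host": host,
                        "port": port, "status": int(m["status"]), "ts": ts})
    return entries


def correlate(alerts, entries, window=timedelta(seconds=120)):
    """For each alert, the proxy requests to the same host:port within +/- window."""
    return [(a, [e for e in entries
                 if (e["host"], e["port"]) == (a["dst"], a["dport"]) and abs(e["ts"] - a["ts"]) <= window])
            for a in alerts]


def attribute(alert_text, log_text, year):
    """Return (alert time, dst host:port, sorted proxy clients, matched methods) per alert."""
    return [(a["ts"].strftime("%H:%M:%S"), f'{a["dst"]}:{a["dport"]}',
             sorted({h["client"] for h in hits}), [h["method"] for h in hits])
            for a, hits in correlate(parse_alerts(alert_text, year), parse_proxy_log(log_text))]


if __name__ == "__main__":
    for ts, dst, clients, methods in attribute(SNORT_ALERTS, PROXY_LOG, 2001):
        print(f"{ts} -> {dst}: proxied for {clients or 'no proxy match'} via {methods}")
```

Run as-is it attributes all three alerts to adsl2-6.simnet.is, the first two via the CONNECT entry and the FIN via the POST entry. The window is deliberately generous because a proxy may log a request when it starts or when it finishes; tighten it once you know which your proxy does, and widen it if sensor and proxy clocks are not synchronised.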
