Snort mailing list archives
RE: [Snort-sigs] signature doesn't match
From: "Joshua Berry" <jberry () PENSON COM>
Date: Fri, 18 Jun 2004 09:04:21 -0500
I wasn't paying attention, sorry. I believe that the content keyword only looks at the data payload, not the MAC/IP/Port information, and this would be why the rule is not alerting.

-----Original Message-----
From: snort-sigs-admin () lists sourceforge net [mailto:snort-sigs-admin () lists sourceforge net] On Behalf Of Alexandru Balan
Sent: Friday, June 18, 2004 8:48 AM
To: snort-sigs () lists sourceforge net
Subject: RE: [Snort-sigs] signature doesn't match

Thanks, but it still doesn't work. I even tried leaving the rule like..

alert tcp any any -> any 445 (msg:"445 worm"; content:"|00 0E 83 63 FD 80 08 00 45 1E|"; classtype:attempted-recon; sid:2000001;)

and it still doesn't match. Curiously enough, when I try content with only "|00 0E|" or "|83 63|" or other such groups, it matches.

Don't shoot. I'm a newbie at writing rules.

--
Jay

On Fri, 2004-06-18 at 08:26 -0500, Joshua Berry wrote:
Your rule looks for established connections and these alerts are session initiation attempts (SYN only). Instead of using flow:to_server,established, try using flags:S

-----Original Message-----
From: snort-sigs-admin () lists sourceforge net [mailto:snort-sigs-admin () lists sourceforge net] On Behalf Of Alexandru Balan
Sent: Friday, June 18, 2004 6:43 AM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] signature doesn't match

Hello,

My problem follows. I run snort on a machine bridged between a server pool and their gateway. I've been sniffing packets using snort in order to catch worms, botnets, scans, etc.

Well.. let's say I catch this on port 445...
[root@kali root]# snort -v -d -e -I -X -i br0 dst net y.y.y.0/19 and dst port 445
[snip]
Version 2.1.3 (Build 27)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

06/18-14:36:19.492129 0:E:83:63:FD:80 -> 0:4:76:95:18:D9 type:0x800 len:0x3E
x.x.x.x:1805 -> y.y.y.y:445 TCP TTL:118 TOS:0x1E ID:31183 IpLen:20 DgmLen:48 DF
******S* Seq: 0xFB469360  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1420 NOP NOP SackOK
0x0000: 00 04 76 95 18 D9 00 0E 83 63 FD 80 08 00 45 1E  ..v......c....E.
0x0010: 00 30 79 CF 40 00 76 06 1B 78 50 76 6E 48 50 56  .0y.@.v..xPvnHPV
0x0020: 60 4E 07 0D 01 BD FB 46 93 60 00 00 00 00 70 02  `N.....F.`....p.
0x0030: FF FF 7C 73 00 00 02 04 05 8C 01 01 04 02        ..|s..........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/18-14:36:19.987047 0:E:83:63:FD:80 -> 0:D:60:19:D6:C8 type:0x800 len:0x3E
x.x.x.x:3710 -> y.y.y.y:445 TCP TTL:118 TOS:0x1E ID:7853 IpLen:20 DgmLen:48 DF
******S* Seq: 0x61612509  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
0x0000: 00 0D 60 19 D6 C8 00 0E 83 63 FD 80 08 00 45 1E  ..`......c....E.
0x0010: 00 30 1E AD 40 00 76 06 50 C0 D9 2B 01 96 50 56  .0..@.v.P..+..PV
0x0020: 6A 25 0E 7E 01 BD 61 61 25 09 00 00 00 00 70 02  j%.~..aa%.....p.
0x0030: 40 00 17 3D 00 00 02 04 05 B4 01 01 04 02        @..=..........
And write the following rule..

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"445 worm";
flow:to_server,established; content:"|00 0E 83 63 FD 80 08 00 45 1E|";
depth:20; classtype:attempted-recon; priority:2; sid:2000001;)

At this point, I should have a few hundred (at least) false positives, but for a reason that eludes me the rule doesn't match anything, although if I sniff grepping for "00 0E 83 63 FD 80 08 00 45 1E" my console gets flooded with matches.

What is wrong with my rule?

--
Jay
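The two replies above make one point between them: the bytes in the rule's content: option are the gateway's source MAC, the EtherType and the first two bytes of the IP header, and a bare SYN has no TCP payload for content: to search, so grepping the -X dump finds them while the rule never fires. The following script is an added illustration of that, written for this archive page; it is not Snort's matcher and not code from either poster. The two frames are the hex dumps quoted in Jay's post (ASCII column dropped); every function name is this example's own, and with_payload builds a constructed PSH/ACK frame purely for contrast.

```python
"""
Emulate the difference between Snort's content: keyword (searches the TCP
payload only) and grepping a `snort -X` dump (searches the whole frame).
Added example, not Snort code.  SYN_1 / SYN_2 are the dumps from the post.
"""
import struct

SYN_1 = """
0x0000: 00 04 76 95 18 D9 00 0E 83 63 FD 80 08 00 45 1E
0x0010: 00 30 79 CF 40 00 76 06 1B 78 50 76 6E 48 50 56
0x0020: 60 4E 07 0D 01 BD FB 46 93 60 00 00 00 00 70 02
0x0030: FF FF 7C 73 00 00 02 04 05 8C 01 01 04 02
"""
SYN_2 = """
0x0000: 00 0D 60 19 D6 C8 00 0E 83 63 FD 80 08 00 45 1E
0x0010: 00 30 1E AD 40 00 76 06 50 C0 D9 2B 01 96 50 56
0x0020: 6A 25 0E 7E 01 BD 61 61 25 09 00 00 00 00 70 02
0x0030: 40 00 17 3D 00 00 02 04 05 B4 01 01 04 02
"""
# The rule's content:"|00 0E 83 63 FD 80 08 00 45 1E|"
RULE_CONTENT = bytes.fromhex("000E8363FD800800451E")
TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10


def frame_from_dump(dump: str) -> bytes:
    """Rebuild the raw Ethernet frame from `snort -X` style '0xNNNN: ..' lines."""
    out = bytearray()
    for line in dump.strip().splitlines():
        if not line.startswith("0x"):
            continue
        for tok in line.partition(":")[2].split()[:16]:  # at most 16 bytes per line
            out.append(int(tok, 16))
    return bytes(out)


def payload_span(frame: bytes):
    """Walk Ethernet -> IPv4 -> TCP; return (payload_start, payload_end, tcp_flags).
    Only IPv4/TCP is handled, which is all an `alert tcp` rule sees anyway."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != 6:
        raise ValueError("not TCP")
    tcp = 14 + ihl
    data_off = (frame[tcp + 12] >> 4) * 4
    flags = frame[tcp + 13]
    # Ethernet padding beyond the IP total length is not payload either.
    return tcp + data_off, 14 + total_len, flags


def content_would_match(frame: bytes, pattern: bytes, depth=None) -> bool:
    """Emulates content: (plus optional depth:): the haystack is the payload only."""
    start, end, _ = payload_span(frame)
    hay = frame[start:end]
    return pattern in (hay if depth is None else hay[:depth])


def raw_dump_would_match(frame: bytes, pattern: bytes) -> int:
    """What grepping the -X dump does: search the whole frame. Offset or -1."""
    return frame.find(pattern)


def header_fields_covered(frame: bytes, pattern: bytes) -> list:
    """Name the frame regions the pattern's bytes actually land in."""
    off = raw_dump_would_match(frame, pattern)
    if off < 0:
        return []
    start, end, _ = payload_span(frame)
    tcp = 14 + (frame[14] & 0x0F) * 4
    regions = [("eth.dst", 0, 6), ("eth.src", 6, 12), ("eth.type", 12, 14),
               ("ip", 14, tcp), ("tcp", tcp, start), ("payload", start, end)]
    lo, hi = off, off + len(pattern)
    return [name for name, a, b in regions if a < hi and lo < b]


def explain(frame: bytes, pattern: bytes) -> dict:
    """One-line verdict per frame: why the rule does or does not fire."""
    start, end, flags = payload_span(frame)
    return {
        "payload_len": end - start,
        "syn_only": flags & (TCP_SYN | TCP_ACK) == TCP_SYN,
        "raw_offset": raw_dump_would_match(frame, pattern),
        "regions": header_fields_covered(frame, pattern),
        "content_match": content_would_match(frame, pattern, depth=20),
    }


def with_payload(frame: bytes, payload: bytes) -> bytes:
    """Constructed contrast case: same headers, flagged PSH/ACK, payload appended,
    IP total length patched (checksums are left stale; nothing here checks them)."""
    start, _, _ = payload_span(frame)
    out = bytearray(frame[:start])
    tcp = 14 + (out[14] & 0x0F) * 4
    out[tcp + 13] = TCP_PSH | TCP_ACK
    struct.pack_into("!H", out, 16, start - 14 + len(payload))
    return bytes(out + payload)


if __name__ == "__main__":
    for name, dump in (("SYN_1", SYN_1), ("SYN_2", SYN_2)):
        print(name, explain(frame_from_dump(dump), RULE_CONTENT))
    # Same ten bytes inside a payload: now content: (within depth:20) does see them.
    fake = with_payload(frame_from_dump(SYN_1), b"\x00\x00\x00\x2f" + RULE_CONTENT)
    print("constructed PSH/ACK", explain(fake, RULE_CONTENT))
```

For both captured SYNs the pattern is found at frame offset 6, spanning eth.src, eth.type and the first two IP header bytes, with a payload length of 0, so content: has nothing to search regardless of whether flow: or flags:S is used. Of those header bytes, the TOS value 0x1E is reachable from a rule through Snort's tos keyword; I know of no Snort 2.x rule keyword that tests Ethernet addresses, so a source-MAC match belongs in a BPF filter on the command line, not in content:.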
Current thread:
- RE: [Snort-sigs] signature doesn't match Joshua Berry (Jun 18)
