Snort mailing list archives

RE: Curious "Tagged Packet" alerts in ACID


From: "Joe Patterson" <jpatterson () asgardgroup com>
Date: Sat, 1 Jan 2005 01:22:43 -0500

It's a tagged packet.  It's got a sid of 1, but a generator ID of 2.  Check
your rulebase for any rule with the "tag:" keyword.  For instance, I note in
a fairly recent version of rules, there is a rule in netbios.rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote
Activation bind attempt"; flow:to_server,established; content:"|05|";
within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative;
content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16;
distance:29; tag:session,5,packets; reference:bugtraq,8234;
reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605;
reference:cve,2003-0715;
reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx;
classtype:attempted-admin; reference:nessus,11835; reference:nessus,11798;
sid:2251; rev:13;)

Note the part where it says "tag:session,5,packets;"  This means that when
snort sees this alert, it should "tag" the next 5 packets in the session
(session being those packets with the same or mirror image ip addresses and
tcp ports)  Those tagged packets are recorded in the snort output as an
event with generator ID 2 and signature ID 1.  There's no particularly
simple way (that I'm aware of) in ACID to associate the tagged packets with
the event that caused them to be tagged.  It's something you have to do
manually by checking for events with the same ip addresses and tcp ports.

reference:

http://www.snort.org/docs/snort_manual/node21.html#SECTION00475000000000000000

-Joe
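One way to do that manual correlation in bulk, as an added example that is not from this post nor from Snort or ACID: it attributes each "Tagged Packet" event (generator ID 2, signature ID 1) to the most recent other alert seen on the same session, matching addresses and ports in either direction, within a time window. The event tuple shape, the 60-second window and the sample records are constructed assumptions, not real ACID data.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the list post) in a simplified
# ACID-like shape: (event_id, gid, sid, timestamp, src, sport, dst, dport, msg)
EVENTS = [
    (805060, 1, 2251, "2004-12-31 18:47:20",
     "64.12.165.56", 7012, "172.17.128.101", 135, "NETBIOS DCERPC Remote Activation bind attempt"),
    (805061, 2, 1, "2004-12-31 18:47:21",
     "172.17.128.101", 135, "64.12.165.56", 7012, "Tagged Packet"),  # mirror-image reply
    (805062, 2, 1, "2004-12-31 18:47:22",
     "64.12.165.56", 7012, "172.17.128.101", 135, "Tagged Packet"),
    (805063, 2, 1, "2004-12-31 18:47:25",
     "64.12.165.56", 7013, "172.17.128.101", 135, "Tagged Packet"),  # other source port: other session
    (805064, 2, 1, "2004-12-31 18:50:00",
     "64.12.165.56", 7012, "172.17.128.101", 135, "Tagged Packet"),  # same session, but too late
]

TAGGED = (2, 1)  # generator ID 2, signature ID 1, as listed in gen-msg.map

def session_key(src, sport, dst, dport):
    """Direction-independent session identity: a packet and its
    mirror-image reply get the same key."""
    return frozenset({(src, sport), (dst, dport)})

def correlate_tagged(events, window=timedelta(seconds=60)):
    """Attribute each Tagged Packet event to the most recent ordinary alert
    seen on the same session no more than `window` earlier.
    Returns {tagged_event_id: triggering_event_id or None}."""
    ordered = sorted(events, key=lambda e: e[3])  # ISO-style timestamps sort lexically
    latest_alert = {}   # session key -> (timestamp, event_id) of the last non-tagged alert
    attribution = {}
    for eid, gid, sid, ts, src, sport, dst, dport, _msg in ordered:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = session_key(src, sport, dst, dport)
        if (gid, sid) == TAGGED:
            prior = latest_alert.get(key)
            if prior is not None and when - prior[0] <= window:
                attribution[eid] = prior[1]
            else:
                attribution[eid] = None  # orphan: trigger outside the window or not in this set
        else:
            latest_alert[key] = (when, eid)
    return attribution

if __name__ == "__main__":
    for tagged_id, trigger_id in correlate_tagged(EVENTS).items():
        print(f"tagged event {tagged_id} -> triggered by {trigger_id}")
```

Orphans (a None attribution) are worth a second look: either the triggering alert fell outside the export you are examining, or the window is too short for a long-lived session.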

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Jeff Kell
Sent: Friday, December 31, 2004 8:45 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Curious "Tagged Packet" alerts in ACID


I am getting a rather high (top 5) number of alerts showing up in ACID
displaying as simply "Tagged Packet" and having an sid=1, e.g.:

[snort] Tagged Packet   unclassified   7118 (24%)   1   2   2
2004-12-31 18:02:59   2004-12-31 19:27:17

The URL given for reference is simply:
    http://www.snort.org/snort-db/sid.html?sid=1

Here is a sample whole formatted alert:

Generated by ACID v0.9.6b23 on Fri, 31 Dec 2004 20:34:30 -0500


------------------------------------------------------------------------------
#(1 - 805067) [2004-12-31 18:47:28] [snort/1]  Tagged Packet
IPv4: 64.12.165.56 -> 172.17.128.101
      hlen=5 TOS=0 dlen=152 ID=47551 flags=0 offset=0 TTL=51
chksum=31717
TCP:  port=7012 -> dport: 4618  flags=***AP*** seq=1474874013
      ack=1336104986 off=5 res=0 win=5840 urp=0 chksum=2798
Payload:  length = 112

000 : 3A 4C 6F 75 69 73 61 21 4C 6F 75 69 73 61 40 43   :Louisa!Louisa@C
010 : 42 35 45 36 43 30 30 2E 38 33 42 30 31 38 37 31   B5E6C00.83B01871
020 : 2E 42 36 44 45 36 36 34 39 2E 49 50 20 50 52 49   .B6DE6649.IP PRI
030 : 56 4D 53 47 20 23 65 6E 67 6C 69 73 68 20 3A 6E   VMSG #english :n
040 : 6F 62 6F 64 79 20 77 69 6C 6C 20 67 6F 20 6F 75   obody will go ou
050 : 74 20 74 6F 20 63 65 6C 65 62 72 61 74 65 20 74   t to celebrate t
060 : 68 65 20 6E 65 77 20 79 65 61 72 3F 3F 0D 0A 00   he new year??...

Where is this coming from?  I can't find a rule, only a mapping:

[root@aardvark snort]# grep Tagged ./*
./gen-msg.map:2 || 1 || tag: Tagged Packet

This is snort 2.2.0 Build 30 with freshly oinkmaster'ed rulesets from:

    www.snort.org/dl/rules/snortrules-stable.tar.gz and
    www.bleedingsnort.com/bleeding.rules.tar.gz

These seemed to start about the time I added the bleedingsnort rules,
but this may just be a coincidence.

Jeff


-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users