Snort mailing list archives

Re: Can't suppress Tagged Packet

From: Joel Esler <joel.esler () sourcefire com>
Date: Fri, 26 May 2006 10:20:23 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Heh.  I wrote those rules a while back before I came to work for
Sourcefire.  At the time botnets were all over the place and there was
really no way to detect how they were getting in, so I wrote them with
the theory that all botnets were IRC at the time.

(The rules are basically the same at the Snort.org rules)

The tag was included in order to do exactly that, track botnets.  I used
to log in binary mode, so when a botnet was on the network, I could
reconstruct the whole session.  Since IRC was not allowed on our
networks (I was .mil), it was easy to track down botnets (plus anyone
that was using IRC was in violation, so we got them too). However, on a
university network, this won't work, as IRC is allowed.

I would either A) remove the tag from the rule, or B) suppress actual
IRC servers based off the server IP.  Since B is alot of work, A may be
faster.

tag 'alerts' are logged to db because they are under the "log" directive
as opposed to the "alert" directive.  Therefore they go to your db, as
the actual rule that triggered it goes to the alert file.

Joel

Rob Ward wrote:

--On 26 May 2006 09:40 -0400 Joel Esler <joel.esler () sourcefire com> wrote:

Suppose you can copy and paste (take out the IP's) the alert you are
getting?

Joel


Strange - these aren't appearing in my sensors alert files only the
database and seem to be related to the following alerts triggered by a
Bleeding Snort Rule which DO appear in the alert file:

[**] [1:2000347:5] BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on
non-std port [**] [Classification: A Network Trojan was detected]
[Priority: 1]
05/26-14:54:24.064891 0:9:E9:A5:F8:0 -> 0:E:39:92:4C:0 type:0x800
len:0x6A
X.X.X.X:2353 -> 85.158.9.6:8000 TCP TTL:127 TOS:0x0 ID:8172
IpLen:20 DgmLen:92 DF ***AP*** Seq: 0x1EA9AEA7  Ack: 0x769ADDBF  Win:
0xFC00  TcpLen: 20


On investigation the majority of these are false positives but some can
be linked to Botnets.

The corresponding Tagged Packet alert that's in the database is:

Generated by BASE v1.2.2 (cindy) on Fri, 26 May 2006 15:06:19 +0100

-------------------------------------------------------------------------
-----
# (6 - 221802) [2006-05-26 14:54:24] [snort/1]  Tagged Packet
IPv4: X.X.X.X -> 85.158.9.6
      hlen=5 TOS=0 dlen=92 ID=8172 flags=0 offset=0 TTL=127 chksum=16965
TCP:  port=2353 -> dport: 8000  flags=***AP*** seq=514436775
      ack=1989860799 off=5 res=0 win=64512 urp=0 chksum=46007
Payload:  length = 52

000 : 50 52 49 56 4D 53 47 20 23 75 6B 5F 6C 69 76 65   PRIVMSG #uk_live
010 : 72 70 6F 6F 6C 5F 63 72 75 69 73 69 6E 67 20 3A   rpool_cruising :
020 : 41 4E 59 31 20 57 41 4E 4E 41 20 43 48 41 54 3F   ANY1 WANNA CHAT?
030 : 3F 3F 0D 0A                                       ??..


Thanks

Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department

-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


- --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEdw6nKbCSyXHckt4RAqbXAJ9Ts4YDlhyxiIAeLNcDKHOsXJNIyQCdHGtU
lPfLiZTK0PRib3UTp8YQZSY=
=zULI
-----END PGP SIGNATURE-----


-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Can't suppress Tagged Packet Rob Ward (May 26)
- Re: Can't suppress Tagged Packet Dirk Geschke (May 26)
  - Re: Can't suppress Tagged Packet Rob Ward (May 26)
    - Re: Can't suppress Tagged Packet Joel Esler (May 26)
    - Re: Can't suppress Tagged Packet Rob Ward (May 26)
    - Re: Can't suppress Tagged Packet Joel Esler (May 26)
    - Re: Can't suppress Tagged Packet Bamm Visscher (May 26)
    - Re: Can't suppress Tagged Packet Rob Ward (May 26)
  - Re: Can't suppress Tagged Packet gary douglas (May 26)