This is a discussion on [Snort-users] RE: [Snort-sigs] signature doesn't match within the Snort forums, part of the System Security and Security Related category.
I wasn't paying attention, sorry. I believe that the content keyword only looks at the data payload, not the MAC/IP/Port information, and this would be why the rule is not alerting.

-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net [mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of Alexandru Balan
Sent: Friday, June 18, 2004 8:48 AM
To: snort-sigs@lists.sourceforge.net
Subject: RE: [Snort-sigs] signature doesn't match

Thanks but it still doesn't work. I even tried leaving the rule like..

alert tcp any any -> any 445 (msg:"445 worm"; content:"|00 0E 83 63 FD 80 08 00 45 1E|"; classtype:attempted-recon; sid:2000001;)

and it still doesn't match. Curiously enough, when I try content with only "|00 0E|" or "|83 63|" or other such groups it matches.
Don't shoot. I'm a newbie at writing rules.

--
Jay

On Fri, 2004-06-18 at 08:26 -0500, Joshua Berry wrote:
> Your rule looks for established connections and these alerts are session
> initiation attempts (SYN only). Instead of using
> flow:to_server,established, try using flags:S
>
> -----Original Message-----
> From: snort-sigs-admin@lists.sourceforge.net
> [mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of Alexandru
> Balan
> Sent: Friday, June 18, 2004 6:43 AM
> To: snort-sigs@lists.sourceforge.net
> Subject: [Snort-sigs] signature doesn't match
>
>
> Hello,
> My problem follows,
> I run snort on a machine bridged between a server pool and their
> gateway. I've been sniffing packets using snort in order to catch worms,
> botnets, scans, etc..
> Well.. let's say I catch this on port 445...
>
> [root@kali root]# snort -v -d -e -I -X -i br0 dst net y.y.y.0/19 and dst port 445
> [snip]
> Version 2.1.3 (Build 27)
> By Martin Roesch (roesch@sourcefire.com, www.snort.org)
> 06/18-14:36:19.492129 0:E:83:63:FD:80 -> 0:4:76:95:18:D9 type:0x800 len:0x3E
> x.x.x.x:1805 -> y.y.y.y:445 TCP TTL:118 TOS:0x1E ID:31183 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0xFB469360 Ack: 0x0 Win: 0xFFFF TcpLen: 28
> TCP Options (4) => MSS: 1420 NOP NOP SackOK
> 0x0000: 00 04 76 95 18 D9 00 0E 83 63 FD 80 08 00 45 1E  ..v......c....E.
> 0x0010: 00 30 79 CF 40 00 76 06 1B 78 50 76 6E 48 50 56  .0y.@.v..xPvnHPV
> 0x0020: 60 4E 07 0D 01 BD FB 46 93 60 00 00 00 00 70 02  `N.....F.`....p.
> 0x0030: FF FF 7C 73 00 00 02 04 05 8C 01 01 04 02        ...|s..........
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 06/18-14:36:19.987047 0:E:83:63:FD:80 -> 0:D:60:19:D6:C8 type:0x800 len:0x3E
> x.x.x.x:3710 -> y.y.y.y:445 TCP TTL:118 TOS:0x1E ID:7853 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x61612509 Ack: 0x0 Win: 0x4000 TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> 0x0000: 00 0D 60 19 D6 C8 00 0E 83 63 FD 80 08 00 45 1E  ..`......c....E.
> 0x0010: 00 30 1E AD 40 00 76 06 50 C0 D9 2B 01 96 50 56  .0..@.v.P..+..PV
> 0x0020: 6A 25 0E 7E 01 BD 61 61 25 09 00 00 00 00 70 02  j%.~..aa%.....p.
> 0x0030: 40 00 17 3D 00 00 02 04 05 B4 01 01 04 02        @..=..........
>
> And write the following rule..
> alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"445 worm";
> flow:to_server,established; content:"|00 0E 83 63 FD 80 08 00 45 1E|";
> depth:20; classtype:attempted-recon; priority:2; sid:2000001;)
>
>
> At this point, I should have a few hundred (at least) false positives
> but for a reason that eludes me the rule doesn't match anything although
> if I sniff grepping for "00 0E 83 63 FD 80 08 00 45 1E" my console gets
> flooded with matches.
>
> What is wrong with my rule?
>
> --
> Jay
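To make the two replies concrete, here is an added Python example (not code from the thread and not Snort's own decoder): it rebuilds the first quoted packet from its Snort -X hex dump, carves the Ethernet, IP and TCP headers off the TCP payload the way the content keyword's search scope does, and shows that the rule's ten bytes sit at frame offset 6 (source MAC, EtherType, start of the IP header) while the SYN carries no payload at all. The frame bytes are copied from the dump above; the header carving is a simplified approximation of what Snort's decoder does, written for this example.

```python
import re

# Snort -v -d -e -X output for the first SYN quoted in the thread (bytes copied from the page).
SNORT_DUMP = """\
0x0000: 00 04 76 95 18 D9 00 0E 83 63 FD 80 08 00 45 1E  ..v......c....E.
0x0010: 00 30 79 CF 40 00 76 06 1B 78 50 76 6E 48 50 56  .0y.@.v..xPvnHPV
0x0020: 60 4E 07 0D 01 BD FB 46 93 60 00 00 00 00 70 02  `N.....F.`....p.
0x0030: FF FF 7C 73 00 00 02 04 05 8C 01 01 04 02        ...|s..........
"""
# The bytes Jay's rule puts in content:"|...|".
RULE_CONTENT = bytes.fromhex("00 0E 83 63 FD 80 08 00 45 1E")

def parse_snort_hexdump(dump):
    """Rebuild the raw frame from Snort's 'OFFSET: HH HH ...  ascii' lines."""
    raw = bytearray()
    for line in dump.splitlines():
        if line.startswith("0x"):
            hexpart = re.split(r"\s{2,}", line.split(":", 1)[1].strip())[0]
            raw += bytes.fromhex(hexpart)
    return bytes(raw)

def split_frame(raw):
    """Carve Ethernet/IPv4/TCP headers (which content: never sees) off the TCP payload."""
    if raw[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (raw[14] & 0x0F) * 4                  # IP header length from the low nibble of 0x45
    if raw[14 + 9] != 6:
        raise ValueError("not TCP")
    tcp_start = 14 + ihl
    data_off = (raw[tcp_start + 12] >> 4) * 4   # TCP header length from the data-offset nibble
    tcp = raw[tcp_start:tcp_start + data_off]
    return {
        "ethernet": raw[:14], "ip": raw[14:tcp_start], "tcp": tcp,
        "payload": raw[tcp_start + data_off:],
        "src_port": int.from_bytes(tcp[0:2], "big"),
        "dst_port": int.from_bytes(tcp[2:4], "big"),
        "syn_only": (tcp[13] & 0x3F) == 0x02,   # SYN set, no ACK/FIN/RST/PSH/URG
    }

def content_would_match(raw, pattern, depth=None):
    """Approximate content:/depth: search only the TCP payload, never the headers."""
    payload = split_frame(raw)["payload"]
    if depth is not None:
        payload = payload[:depth]
    return pattern in payload

if __name__ == "__main__":
    frame = parse_snort_hexdump(SNORT_DUMP)
    parts = split_frame(frame)
    print("pattern at raw offset", frame.find(RULE_CONTENT), "| payload bytes:", len(parts["payload"]),
          "| SYN-only:", parts["syn_only"], "| content: match:", content_would_match(frame, RULE_CONTENT, 20))
```

Grep over the raw capture finds the pattern at offset 6 of every frame; the content search starts after the 14 + 20 + 28 header bytes, where a bare SYN has nothing to inspect, which is why the shorter patterns only appeared to work on other packets.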