Snort mailing list archives
What wins? TCP headers or packet contents?
From: John Sage <jsage () finchhaven com>
Date: Tue, 10 Sep 2002 22:09:40 -0700
Let me bring the question up to the top:
So the question for the snort list is:
What wins:
TCP header stuff: i.e. the destination port,
or,
Packet contents stuff: i.e. a hex series within the payload of a packet, but with no match on destination port?
<snip>

Executive summary:

Twice (once real-time, once on replay against a binary log file) I have packets matching an rpc.rules by content (a hex sequence) but not by the destination port stated in the rule.

- John

----- Forwarded message from John Sage <jsage () finchhaven com> -----

Date: Tue, 10 Sep 2002 22:01:55 -0700
From: John Sage <jsage () finchhaven com>
To: "Smith, Donald " <Donald.Smith () foo bar>
Subject: Re: [LOGS] 09/06-09/02 - 72 hour ACID summary
User-Agent: Mutt/1.2.5i

Donald:

On Tue, Sep 10, 2002 at 09:12:08PM -0600, Smith, Donald wrote:
> Ok, what version of snort and what rules? This is wrong, very wrong. If it's fixed I don't care. If it's still broke it needs to be fixed :-)
> Thanks
Various specs:

[toot@sparky /storage/snort/old_snorts/090802]# snort -V

   -*> Snort! <*-
Version 1.8.7 (Build 128)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
[root@sparky /storage/snort/old_snorts/090802]#

[toot@sparky /usr/local/snort-rules]# grep /usr/local/snort-rules/rstat *
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5; reference:arachnids,9;classtype:attempted-recon; sid:1278; rev:3;)

[toot@sparky /usr/local/snort-rules]# more rpc.rules
# (C) Copyright 2001, Martin Roesch, Brian Caswell, et al. All rights reserved.
# $Id: rpc.rules,v 1.21.2.9 2002/06/05 15:16:21 cazz Exp $
#----------
# RPC RULES
#----------
<snip>

[toot@sparky /]# tcpdump -V
tcpdump version 3.6
libpcap version 0.6
Usage: tcpdump [-adeflnNOpqStuvxX] [-c count] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ expression ]

which is identical to my firewall box...

Check out what happens when I replay the binary snort log for that time period against my snort187check script, which is identical to my firewall snort configuration except that it runs against *all* rules:

Again, we get:

<snip>
[**] [1:1278:3] RPC rstatd query [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/08/02-16:52:31.887141 63.100.47.45:80 -> 12.82.131.145:63498
TCP TTL:49 TOS:0x0 ID:64237 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE9A99172 Ack: 0xE9926FEA Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1557233190 427655814
[Xref => http://www.whitehats.com/info/IDS9]
<snip>

which is this packet, by timestamp, and which I am certain is a portion of a gzipped file:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/08-16:52:31.887141 63.100.47.45:80 -> 12.82.131.145:63498
TCP TTL:49 TOS:0x0 ID:64237 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE9A99172 Ack: 0xE9926FEA Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1557233190 427655814

0x0000: 45 00 05 DC FA ED 40 00 31 06 4A BA 3F 64 2F 2D  E.....@.1.J.?d/-
0x0010: 0C 52 83 91 00 50 F8 0A E9 A9 91 72 E9 92 6F EA  .R...P.....r..o.
0x0020: 80 10 19 20 DD C3 00 00 01 01 08 0A 5C D1 7E 26  ... ........\.~&
0x0030: 19 7D 82 86 5F 46 36 63 49 66 61 57 3A 68 32 61  .}.._F6cIfaW:h2a
0x0040: 46 7C 63 37 6D 48 63 49 66 32 5F 2E 69 40 41 36  F|c7mHcIf2_.i@A6
0x0050: 75 3A 49 68 5F 46 36 63 49 66 61 57 3A 68 32 61  u:Ih_F6cIfaW:h2a
0x0060: 46 7C 63 37 6D 48 63 49 66 32 5F 2E 69 40 48 7D  F|c7mHcIf2_.i@H}
0x0070: 38 6A 79 38 59 6A 56 28 2E 42 7A 75 3A 3A 64 6D  8jy8YjV(.Bzu::dm
0x0080: 49 68 64 3B 20 57 53 53 5F 47 57 3D 56 31 41 6C  Ihd; WSS_GW=V1Al
0x0090: 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
0x00A0: 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
0x00B0: 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
0x00C0: 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
0x00D0: 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
0x00E0: 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
0x00F0: 51 41 6C 51 7A 25 72 42 51 25 5E 25 72 40 69 3B  QAlQz%rBQ%^%r@i;
0x0100: 20 43 54 47 3D 31 30 32 35 31 39 31 39 31 39 0D   CTG=1025191919.
0x0110: 0A 0D 47 3D 1B 3D 58 0D 02 00 9A 05 00 00 9A 05  ..G=.=X.........
0x0120: 00 00 00 00 0C 04 B2 33 00 03 E3 D9 26 C0 08 00  .......3....&...
0x0130: 45 00 05 8C EB 04 40 00 73 06 FC 52 CC 11 72 09  E.....@.s..R..r.
0x0140: 2E 05 B4 FA 00 50 F9 C1 B3 D2 78 9D 00 01 65 80  .....P....x...e.
0x0150: 50 10 40 B0 46 75 00 00 86 A2 00 00 00 02 00 00  P.@.Fu..........
0x0160: 00 00 00 00 00 01 00 00 00 96 00 00 00 00 00 00  ................
0x0170: 00 96 00 00 00 40 00 00 00 00 00 00 00 00 00 00  .....@..........
0x0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0190: 00 00 00 00 00 00 00 00 00 00 02 00 01 86 A1 00  ................
                 ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^
<snip>

The offset seems different, but only because we have IP and TCP headers, above.

Original post:

09/08-16:52:31.887141 63.100.47.45:80 -> 12.82.131.145:63498
TCP TTL:49 TOS:0x0 ID:64237 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE9A99172 Ack: 0xE9926FEA Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1557233190 427655814

5F 46 36 63 49 66 61 57 3A 68 32 61 46 7C 63 37  _F6cIfaW:h2aF|c7
6D 48 63 49 66 32 5F 2E 69 40 41 36 75 3A 49 68  mHcIf2_.i@A6u:Ih
5F 46 36 63 49 66 61 57 3A 68 32 61 46 7C 63 37  _F6cIfaW:h2aF|c7
6D 48 63 49 66 32 5F 2E 69 40 48 7D 38 6A 79 38  mHcIf2_.i@H}8jy8
59 6A 56 28 2E 42 7A 75 3A 3A 64 6D 49 68 64 3B  YjV(.Bzu::dmIhd;
20 57 53 53 5F 47 57 3D 56 31 41 6C 51 41 6C 51   WSS_GW=V1AlQAlQ
41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
7A 25 72 42 51 25 5E 25 72 40 69 3B 20 43 54 47  z%rBQ%^%r@i; CTG
3D 31 30 32 35 31 39 31 39 31 39 0D 0A 0D 47 3D  =1025191919...G=
1B 3D 58 0D 02 00 9A 05 00 00 9A 05 00 00 00 00  .=X.............
0C 04 B2 33 00 03 E3 D9 26 C0 08 00 45 00 05 8C  ...3....&...E...
EB 04 40 00 73 06 FC 52 CC 11 72 09 2E 05 B4 FA  ..@.s..R..r.....
00 50 F9 C1 B3 D2 78 9D 00 01 65 80 50 10 40 B0  .P....x...e.P.@.
46 75 00 00 86 A2 00 00 00 02 00 00 00 00 00 00  Fu..............
00 01 00 00 00 96 00 00 00 00 00 00 00 96 00 00  ................
00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .@..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 02 00 01 86 A1 00 00 00 02 00  ................
^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^
<snip>
So the question for the snort list is:

What wins:

TCP header stuff: i.e. the destination port,

or,

Packet contents stuff: i.e. a hex series within the payload of a packet, but with no match on destination port?

heh.. I hate it when this happens.

- John

--
"Obviously, we do not want to leave zombies around."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705

----- End forwarded message -----
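A worked check of the post's rstatd rule against the packet it fired on, as an added example (not code from the thread or from Snort itself): in a Snort rule header, 32770: is an open-ended port range covering 32770 through 65535, so the header port test also matches destination port 63498, and both tests (header port AND payload content) must pass for the rule to fire. The payload below is constructed to mirror the post's dump, with the 12-byte content at the same payload offset the dump shows (351 bytes in); the rule's flags:A+ test is not modelled.

```python
RULE_PORT_SPEC = "32770:"   # destination port field of the rule header in the post
RULE_CONTENT = "|00 00 00 00 00 00 00 02 00 01 86 A1|"
RULE_OFFSET = 5             # offset:5 from the rule

def parse_port_spec(spec):
    """Snort port spec -> inclusive (low, high). 'any' is the whole range, '80' a
    single port, '32770:' everything from 32770 up, ':1024' everything up to 1024."""
    spec = spec.strip()
    if spec == "any":
        return 0, 65535
    if ":" not in spec:
        port = int(spec)
        return port, port
    lo, hi = spec.split(":", 1)
    return (int(lo) if lo else 0), (int(hi) if hi else 65535)

def port_matches(spec, port):
    """Apply a port spec to a port number, honouring a leading '!' negation."""
    negate = spec.startswith("!")
    lo, hi = parse_port_spec(spec.lstrip("!"))
    hit = lo <= port <= hi
    return not hit if negate else hit

def parse_content(opt):
    """Snort content string (literal text with |hex| sections) -> bytes."""
    out = bytearray()
    for i, part in enumerate(opt.split("|")):
        # odd-numbered pieces sit between pipes and are hex; the rest is literal text
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def content_matches(payload, content, offset=0, depth=None):
    """Snort semantics: the search starts 'offset' bytes into the payload and,
    if 'depth' is given, examines only that many bytes from there."""
    end = None if depth is None else offset + depth
    return parse_content(content) in payload[offset:end]

def rule_fires(dst_port, payload):
    """Header port check AND payload content check, as the post's rule requires."""
    return (port_matches(RULE_PORT_SPEC, dst_port)
            and content_matches(payload, RULE_CONTENT, RULE_OFFSET))

# Constructed payload mirroring the post's dump: 351 bytes of the repeating 'AlQ'
# filler, then the 12-byte rstatd pattern, so the match sits at payload offset 351.
SAMPLE_PAYLOAD = b"AlQ" * 117 + parse_content(RULE_CONTENT) + b"\x00\x00\x00\x02\x00"
SAMPLE_DST_PORT = 63498     # destination port from the alert in the post
```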