Snort mailing list archives

Re: Experimenting with TAG, question


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 14 Oct 2002 09:31:44 -0400

Looks like the tag rule captured those packets due to the 2nd packet setting the tag.

     -Marty

On Sunday, October 13, 2002, at 10:23 PM, Rich Adamson wrote:

I've been experimenting with the TAG option as shown in the following rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL WEB-MISC bad HTTP/1.1 request, OpenSSL worm probe"; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; tag:host,4,packets,src; offset:0; depth:18; classtype:web-application-activity; sid:1881; rev:1;)

The log entries below are the first that I've had that appear to be the result of the tag option. It would appear the above rule logged the second entry in the log file entries shown below, but I'm not sure if the TAG option actually created the next three packets (3rd, 4th, & 5th).

Can anyone comment?


<< Log entry for port 80 associated with above rule >>

10/13-06:11:15.757162 0:5:5E:2E:27:8D -> 0:A0:CC:5D:91:E0 type:0x800 len:0x42 218.63.92.11:4876 -> a.b.c.d:80 TCP TTL:47 TOS:0x0 ID:56140 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x414F0097  Ack: 0x356DFE1A  Win: 0x16B0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 45669448 681081338
0x0000: 00 A0 CC 5D 91 E0 00 05 5E 2E 27 8D 08 00 45 00 ...]....^.'...E.
0x0010: 00 34 DB 4C 40 00 2F 06 AA 04 DA 3F 5C 0B CE DE .4.L@./....?\...
0x0020: C1 49 13 0C 00 50 41 4F 00 97 35 6D FE 1A 80 10 .I...PAO..5m....
0x0030: 16 B0 8F 3C 00 00 01 01 08 0A 02 B8 DC 48 28 98 ...<.........H(.
0x0040: 79 FA                                            y.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] EXPERIMENTAL WEB-MISC bad HTTP/1.1 request, potentual worm attack [**]
10/13-06:11:15.764518 0:5:5E:2E:27:8D -> 0:A0:CC:5D:91:E0 type:0x800 len:0x54 218.63.92.11:4876 -> a.b.c.d:80 TCP TTL:47 TOS:0x0 ID:56141 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0x414F0097  Ack: 0x356DFE1A  Win: 0x16B0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 45669448 681081338
0x0000: 00 A0 CC 5D 91 E0 00 05 5E 2E 27 8D 08 00 45 00 ...]....^.'...E.
0x0010: 00 46 DB 4D 40 00 2F 06 A9 F1 DA 3F 5C 0B CE DE .F.M@./....?\...
0x0020: C1 49 13 0C 00 50 41 4F 00 97 35 6D FE 1A 80 18 .I...PAO..5m....
0x0030: 16 B0 B0 81 00 00 01 01 08 0A 02 B8 DC 48 28 98 .............H(.
0x0040: 79 FA 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 y.GET / HTTP/1.1
0x0050: 0D 0A 0D 0A                                      ....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/13-06:11:15.764737 0:A0:CC:5D:91:E0 -> 0:5:5E:2E:27:8D type:0x800 len:0x42 a.b.c.d:80 -> 218.63.92.11:4876 TCP TTL:64 TOS:0x0 ID:10377 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x356DFE1A  Ack: 0x414F00A9  Win: 0x7EDC  TcpLen: 32
TCP Options (3) => NOP NOP TS: 681081442 45669448
0x0000: 00 05 5E 2E 27 8D 00 A0 CC 5D 91 E0 08 00 45 00 ..^.'....]....E.
0x0010: 00 34 28 89 40 00 40 06 4B C8 CE DE C1 49 DA 3F .4(.@.@.K....I.?
0x0020: 5C 0B 00 50 13 0C 35 6D FE 1A 41 4F 00 A9 80 10 \..P..5m..AO....
0x0030: 7E DC 26 96 00 00 01 01 08 0A 28 98 7A 62 02 B8 ~.&.......(.zb..
0x0040: DC 48                                            .H

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/13-06:11:15.766141 0:A0:CC:5D:91:E0 -> 0:5:5E:2E:27:8D type:0x800 len:0x29D a.b.c.d:80 -> 218.63.92.11:4876 TCP TTL:64 TOS:0x0 ID:10378 IpLen:20 DgmLen:655 DF
***AP*** Seq: 0x356DFE1A  Ack: 0x414F00A9  Win: 0x7EDC  TcpLen: 32
TCP Options (3) => NOP NOP TS: 681081442 45669448
0x0000: 00 05 5E 2E 27 8D 00 A0 CC 5D 91 E0 08 00 45 00 ..^.'....]....E.
0x0010: 02 8F 28 8A 40 00 40 06 49 6C CE DE C1 49 DA 3F ..(.@.@.Il...I.?
0x0020: 5C 0B 00 50 13 0C 35 6D FE 1A 41 4F 00 A9 80 18 \..P..5m..AO....
0x0030: 7E DC 49 26 00 00 01 01 08 0A 28 98 7A 62 02 B8 ~.I&......(.zb..
0x0040: DC 48 48 54 54 50 2F 31 2E 31 20 34 30 30 20 42 .HHTTP/1.1 400 B
0x0050: 61 64 20 52 65 71 75 65 73 74 0D 0A 44 61 74 65 ad Request..Date
0x0060: 3A 20 53 75 6E 2C 20 31 33 20 4F 63 74 20 32 30 : Sun, 13 Oct 20
0x0070: 30 32 20 31 31 3A 31 32 3A 32 37 20 47 4D 54 0D 02 11:12:27 GMT.
0x0080: 0A 53 65 72 76 65 72 3A 20 41 70 61 63 68 65 2F .Server: Apache/
0x0090: 31 2E 33 2E 31 34 20 28 55 6E 69 78 29 20 20 28 1.3.14 (Unix) (
0x00A0: 52 65 64 2D 48 61 74 2F 4C 69 6E 75 78 29 20 50 Red-Hat/Linux) P
0x00B0: 48 50 2F 33 2E 30 2E 31 37 20 6D 6F 64 5F 70 65 HP/3.0.17 mod_pe
0x00C0: 72 6C 2F 31 2E 32 33 0D 0A 43 6F 6E 6E 65 63 74 rl/1.23..Connect
0x00D0: 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 54 72 61 6E ion: close..Tran
0x00E0: 73 66 65 72 2D 45 6E 63 6F 64 69 6E 67 3A 20 63 sfer-Encoding: c
0x00F0: 68 75 6E 6B 65 64 0D 0A 43 6F 6E 74 65 6E 74 2D hunked..Content-
0x0100: 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C 3B Type: text/html;
0x0110: 20 63 68 61 72 73 65 74 3D 69 73 6F 2D 38 38 35 charset=iso-885
0x0120: 39 2D 31 0D 0A 0D 0A 31 36 61 0D 0A 3C 21 44 4F 9-1....16a..<!DO
0x0130: 43 54 59 50 45 20 48 54 4D 4C 20 50 55 42 4C 49 CTYPE HTML PUBLI
0x0140: 43 20 22 2D 2F 2F 49 45 54 46 2F 2F 44 54 44 20 C "-//IETF//DTD
0x0150: 48 54 4D 4C 20 32 2E 30 2F 2F 45 4E 22 3E 0A 3C HTML 2.0//EN">.<
0x0160: 48 54 4D 4C 3E 3C 48 45 41 44 3E 0A 3C 54 49 54 HTML><HEAD>.<TIT
0x0170: 4C 45 3E 34 30 30 20 42 61 64 20 52 65 71 75 65 LE>400 Bad Reque
0x0180: 73 74 3C 2F 54 49 54 4C 45 3E 0A 3C 2F 48 45 41 st</TITLE>.</HEA
0x0190: 44 3E 3C 42 4F 44 59 3E 0A 3C 48 31 3E 42 61 64 D><BODY>.<H1>Bad
0x01A0: 20 52 65 71 75 65 73 74 3C 2F 48 31 3E 0A 59 6F Request</H1>.Yo
0x01B0: 75 72 20 62 72 6F 77 73 65 72 20 73 65 6E 74 20 ur browser sent
0x01C0: 61 20 72 65 71 75 65 73 74 20 74 68 61 74 20 74 a request that t
0x01D0: 68 69 73 20 73 65 72 76 65 72 20 63 6F 75 6C 64 his server could
0x01E0: 20 6E 6F 74 20 75 6E 64 65 72 73 74 61 6E 64 2E not understand.
0x01F0: 3C 50 3E 0A 63 6C 69 65 6E 74 20 73 65 6E 74 20 <P>.client sent
0x0200: 48 54 54 50 2F 31 2E 31 20 72 65 71 75 65 73 74 HTTP/1.1 request
0x0210: 20 77 69 74 68 6F 75 74 20 68 6F 73 74 6E 61 6D without hostnam
0x0220: 65 20 28 73 65 65 20 52 46 43 32 30 36 38 20 73 e (see RFC2068 s
0x0230: 65 63 74 69 6F 6E 20 39 2C 20 61 6E 64 20 31 34 ection 9, and 14
0x0240: 2E 32 33 29 3A 20 2F 3C 50 3E 0A 3C 48 52 3E 0A .23): /<P>.<HR>.
0x0250: 3C 41 44 44 52 45 53 53 3E 41 70 61 63 68 65 2F <ADDRESS>Apache/
0x0260: 31 2E 33 2E 31 34 20 53 65 72 76 65 72 20 61 74 1.3.14 Server at
0x0270: 20 77 77 77 20 50 6F 72 74 20 38 30 3C 2F 41 44 www Port 80</AD
0x0280: 44 52 45 53 53 3E 0A 3C 2F 42 4F 44 59 3E 3C 2F DRESS>.</BODY></
0x0290: 48 54 4D 4C 3E 0A 0D 0A 30 0D 0A 0D 0A           HTML>...0....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/13-06:11:15.769260 0:A0:CC:5D:91:E0 -> 0:5:5E:2E:27:8D type:0x800 len:0x42 a.b.c.d:80 -> 218.63.92.11:4876 TCP TTL:64 TOS:0x0 ID:10381 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x356E0075  Ack: 0x414F00A9  Win: 0x7EDC  TcpLen: 32
TCP Options (3) => NOP NOP TS: 681081443 45669448
0x0000: 00 05 5E 2E 27 8D 00 A0 CC 5D 91 E0 08 00 45 00 ..^.'....]....E.
0x0010: 00 34 28 8D 40 00 40 06 4B C4 CE DE C1 49 DA 3F .4(.@.@.K....I.?
0x0020: 5C 0B 00 50 13 0C 35 6E 00 75 41 4F 00 A9 80 11 \..P..5n.uAO....
0x0030: 7E DC 24 39 00 00 01 01 08 0A 28 98 7A 63 02 B8 ~.$9......(.zc..
0x0040: DC 48                                            .H

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+





-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
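As an added illustration (not code from Snort or from either poster), this small Python model applies the rule's tag:host,4,packets,src option to the five packets in Rich's log: host tagging follows traffic in both directions to or from the tagged host, so the server's replies (packets 3 to 5) are logged even though the rule itself only matches the client's request, while the ACK that precedes the alert is not the tag's doing. It assumes that the packet which fires the alert does not count against the 4-packet budget, which this thread does not state.

```python
# Added model of Snort's tag:host,<count>,packets,<src|dst> behaviour;
# not Snort's own code. Assumption: the packet that fires the alert is
# logged by the alert and does not count against the tag budget.
from dataclasses import dataclass
from typing import List

ATTACKER = "218.63.92.11"   # client address from the log above
SERVER = "a.b.c.d"          # web server, anonymised in the log

@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    flags: str
    payload: bytes = b""

# The five log entries above, reduced to what the rule and the tag look at
# (constructed by hand from the hex dumps; payloads abbreviated).
PACKETS: List[Packet] = [
    Packet("06:11:15.757162", ATTACKER, SERVER, "A"),
    Packet("06:11:15.764518", ATTACKER, SERVER, "AP", b"GET / HTTP/1.1\r\n\r\n"),
    Packet("06:11:15.764737", SERVER, ATTACKER, "A"),
    Packet("06:11:15.766141", SERVER, ATTACKER, "AP", b"HTTP/1.1 400 Bad Request\r\n"),
    Packet("06:11:15.769260", SERVER, ATTACKER, "AF"),
]

# content:"GET / HTTP/1.1|0d 0a 0d 0a|"; offset:0; depth:18 -> the 18-byte
# pattern must be found inside the first 18 payload bytes, i.e. at the start.
CONTENT = b"GET / HTTP/1.1\r\n\r\n"

def rule_matches(pkt: Packet) -> bool:
    """The rule only inspects client -> server traffic ($EXTERNAL_NET -> $HTTP_SERVERS)."""
    return pkt.dst == SERVER and pkt.payload[:18] == CONTENT

def simulate(packets: List[Packet], count: int = 4, tag_by: str = "src") -> List[int]:
    """Return indices of packets that end up in the log: each alerting packet
    plus up to `count` later packets to or from the host the tag selected."""
    logged: List[int] = []
    tagged_host = None
    remaining = 0
    for i, pkt in enumerate(packets):
        if rule_matches(pkt):
            logged.append(i)                      # logged by the alert itself
            tagged_host = pkt.src if tag_by == "src" else pkt.dst
            remaining = count                     # (re)arm the tag
        elif remaining > 0 and tagged_host in (pkt.src, pkt.dst):
            logged.append(i)                      # logged by the tag, either direction
            remaining -= 1
    return logged

if __name__ == "__main__":
    for i in simulate(PACKETS):
        p = PACKETS[i]
        print(f"packet {i + 1} {p.ts} {p.src} -> {p.dst} [{p.flags}]")
```

Swapping src for dst in the call tags the server instead, which would also sweep in packets from other clients hitting the same server within the budget.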
