Snort mailing list archives

FYI and help -- Bad alerts


From: "Lawrence Reed" <Lawrence.Reed () noaa gov>
Date: Thu, 27 Feb 2003 18:45:34 +0000

Vital stats: Snort 2.0 build 51, default plugins, except that stream4 reassembly is off. See the complete stats below.

I am receiving the following alerts from my sensor. I view the alerts with ACID and don't see the data Snort claims generated the alert. I used barnyard to generate a pcap file from the unified alert file and extracted all traffic involving the source IP address. Looking in the pcap file I don't see any "CWD /" commands. I then ran the new pcap file through Snort and it did not generate any alerts.

Why is this happening?

Here are the alerts:
------------------------------------------------------------------------
02/26/03-01:08:51.487785  {TCP} 192.168.0.200:63959 -> 10.0.0.206:21
[**] [1:545:4] FTP \"CWD /\" possible warez site [**]
[Classification: Misc activity] [Priority: 3]
------------------------------------------------------------------------
02/26/03-01:20:16.413278  {TCP} 192.168.0.200:65089 -> 10.0.0.206:21
[**] [1:545:4] FTP \"CWD /\" possible warez site [**]
[Classification: Misc activity] [Priority: 3]
------------------------------------------------------------------------
02/26/03-01:36:13.798966  {TCP} 192.168.0.200:33995 -> 10.0.0.206:21
[**] [1:545:4] FTP \"CWD /\" possible warez site [**]
[Classification: Misc activity] [Priority: 3]
------------------------------------------------------------------------
02/26/03-01:41:56.923492  {TCP} 192.168.0.200:34579 -> 10.0.0.206:21
[**] [1:545:4] FTP \"CWD /\" possible warez site [**]
[Classification: Misc activity] [Priority: 3]
------------------------------------------------------------------------
02/26/03-02:16:11.296573  {TCP} 192.168.0.200:38241 -> 10.0.0.206:21
[**] [1:545:4] FTP \"CWD /\" possible warez site [**]
[Classification: Misc activity] [Priority: 3]

Here is the data found in the pcap file:
* 2003/02/26 01:08:51.487785: tcp 192.168.0.200,63959 10.0.0.206,21 125>9 316<11
 >>     1-8    : CWD er\r\n
 <<     1-29   : 250 CWD command successful.\r\n
 >>     9-17   : CWD buf\r\n
 <<    30-58   : 250 CWD command successful.\r\n
 >>    18-29   : CWD bufkit\r\n
 <<    59-87   : 250 CWD command successful.\r\n
 >>    30-43   : CWD profiles\r\n
 <<    88-116  : 250 CWD command successful.\r\n
 >>    44-60   : MDTM etakit.lnk\r\n
 <<   117-160  : 550 etakit.lnk: No such file or directory.\r\n
 >>    61-90   : PORT 128,109,134,200,249,216\r\n
 <<   161-190  : 200 PORT command successful.\r\n
 <<   191-234  : 550 etakit.lnk: No such file or directory.\r\n
 >>   108-123  : CWD etakit.lnk\r\n
 <<   235-278  : 550 etakit.lnk: No such file or directory.\r\n
 <<   279-315  : 221 You could at least say goodbye.\r\n
* 2003/02/26 01:20:16.413278: tcp 192.168.0.200,65089 10.0.0.206,21 18>3 83<4
 >>     1-16   : CWD etakit.dro\r\n
 <<     1-44   : 550 etakit.dro: No such file or directory.\r\n
 <<    45-81   : 221 You could at least say goodbye.\r\n
* 2003/02/26 01:36:13.798966: tcp 192.168.0.200,33995 10.0.0.206,21 111>9 288<10
 >>     1-8    : CWD er\r\n
 <<     1-29   : 250 CWD command successful.\r\n
 >>     9-17   : CWD phi\r\n
 <<    30-58   : 250 CWD command successful.\r\n
 >>    18-29   : CWD bufkit\r\n
 <<    59-87   : 250 CWD command successful.\r\n
 >>    30-46   : MDTM etakit.fty\r\n
 <<    88-131  : 550 etakit.fty: No such file or directory.\r\n
 >>    47-76   : PORT 128,109,134,200,132,204\r\n
 <<   132-161  : 200 PORT command successful.\r\n
 >>    77-93   : RETR etakit.fty\r\n
 <<   162-205  : 550 etakit.fty: No such file or directory.\r\n
 >>    94-109  : CWD etakit.fty\r\n
 <<   206-249  : 550 etakit.fty: No such file or directory.\r\n
 <<   250-286  : 221 You could at least say goodbye.\r\n
* 2003/02/26 01:41:56.923492: tcp 192.168.0.200,34579 10.0.0.206,21 102>7 258<7
 >>     1-9    : CWD phi\r\n
 <<     1-29   : 250 CWD command successful.\r\n
 >>    10-21   : CWD bufkit\r\n
 <<    30-58   : 250 CWD command successful.\r\n
 >>    22-38   : MDTM etakit.pvd\r\n
 <<    59-102  : 550 etakit.pvd: No such file or directory.\r\n
 >>    39-67   : PORT 128,109,134,200,135,20\r\n
 <<   103-132  : 200 PORT command successful.\r\n
 <<   133-176  : 550 etakit.pvd: No such file or directory.\r\n
 >>    85-100  : CWD etakit.pvd\r\n
 <<   221-257  : 221 You could at least say goodbye.\r\n
* 2003/02/26 02:16:11.296573: tcp 192.168.0.200,38241 10.0.0.206,21 111>9 287<9
 >>     1-9    : CWD rnk\r\n
 <<     1-29   : 250 CWD command successful.\r\n
 >>    10-21   : CWD bufkit\r\n
 <<    30-58   : 250 CWD command successful.\r\n
 >>    22-30   : CWD eta\r\n
 <<    59-87   : 250 CWD command successful.\r\n
 >>    31-47   : MDTM etakit.bod\r\n
 <<    88-131  : 550 etakit.bod: No such file or directory.\r\n
 >>    48-76   : PORT 128,109,134,200,149,98\r\n
 <<   132-161  : 200 PORT command successful.\r\n
 >>    77-93   : RETR etakit.bod\r\n
 <<   162-205  : 550 etakit.bod: No such file or directory.\r\n
 >>    94-109  : CWD etakit.bod\r\n
 <<   206-249  : 550 etakit.bod: No such file or directory.\r\n
 <<   250-286  : 221 You could at least say goodbye.\r\n



Here are the detailed vital stats:
Initializing Output Plugins!
Running in IDS mode
Log directory = /data/20030226.00:00:00

Initializing Network Interface eth2

       --== Initializing Snort ==--
Rule application order changed to Pass->Alert->Log
Decoding Ethernet on interface eth2
Parsing Rules file /conf/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Initializing Preprocessors!
Initializing Plug-ins!
No arguments to frag2 directive, setting defaults to:
   Fragment timeout: 60 seconds
   Fragment memory cap: 4194304 bytes
   Fragment min_ttl:   0
   Fragment ttl_limit: 5
   Fragment Problems: 0
   Self preservation threshold: 500
   Self preservation period: 90
   Suspend threshold: 1000
   Suspend period: 30
Stream4 config:
   Stateful inspection: ACTIVE
   Session statistics: ACTIVE
   Session timeout: 30 seconds
   Session memory cap: 50000000 bytes
   State alerts: INACTIVE
   Evasion alerts: INACTIVE
   Scan alerts: INACTIVE
   Log Flushed Streams: INACTIVE
   MinTTL: 1
   TTL Limit: 5
   Async Link: 0
   State Protection: 0
   Self preservation threshold: 500
   Self preservation period: 90
   Suspend threshold: 1000
   Suspend period: 30
   Suspend period: 30
stream4:OpenStatsFile() Opening /data/20030226.00:00:00/snort-unified.stats.1046217600
http_decode arguments:
   Unicode decoding
   IIS alternate Unicode decoding
   IIS double encoding vuln
   Flip backslash to slash
   Include additional whitespace separators
   Ports to decode http on: 80
rpc_decode arguments:
   Ports to decode RPC on: 111 32771
telnet_decode arguments:
   Ports to decode telnet on: 21 23 25 119
Conversation Config:
  KeepStats: 0
  Conv Count: 65534
  Timeout   : 60
  Alert Odd?: 0
  Allowed IP Protocols:  All

Portscan2 config:
   log: /data/20030226.00:00:00/scan.log
   scanners_max: 3200
   targets_max: 5000
   target_limit: 25
   port_limit: 50
   timeout: 60
PerfMonitor config:
   Time:           10 seconds
   Flow Stats:     ACTIVE
   Event Stats:    ACTIVE
   Max Perf Stats: INACTIVE
   Console Mode:   INACTIVE
   File Mode:      INACTIVE
   SnortFile Mode: /data/20030226.00:00:00/perfstats.csv
   Packet Count:   10000
HttpFlow config:
   Depth: 250
   Ports: 80 8080
spo_unified /conf/snort.conf(462)=> Lowering limit of 1280MB to 512MB
spo_unified /conf/snort.conf(463)=> Lowering limit of 1280MB to 512MB
Opening /data/20030226.00:00:00/snort-unified.log.1046217600
1228 Snort rules read...
1228 Option Chains linked into 213 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order:
       --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.0beta (Build 51)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

And lastly here is the actual rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:545; rev:4; msg:"INFO FTP |CWD / | possible warez site"; tag:session,300,packets;)

--
Larry Reed  Lawrence.Reed () noaa gov
NOAA IT Security Office
PGP Public Key:  http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772



