Snort mailing list archives
FYI and help -- Bad alerts
From: "Lawrence Reed" <Lawrence.Reed () noaa gov>
Date: Thu, 27 Feb 2003 18:45:34 +0000
Vital stats: Snort 2.0 build 51, default plugins except that stream4 reassembly is off. See complete stats below.
I am receiving the following alerts from my sensor. I view the alerts with ACID and don't see the data Snort claims generated the alert. I used barnyard to generate a pcap file from the unified alert file and extracted all traffic involving the source IP address. Looking in the pcap file I don't see any "CWD /" commands. I then ran the new pcap file through Snort and it did not generate any alerts.
Why is this happening? Here are the alerts:

------------------------------------------------------------------------
02/26/03-01:08:51.487785 {TCP} 192.168.0.200:63959 -> 10.0.0.206:21
[**] [1:545:4] FTP "CWD /" possible warez site [**]
[Classification: Misc activity] [Priority: 3]
------------------------------------------------------------------------
02/26/03-01:20:16.413278 {TCP} 192.168.0.200:65089 -> 10.0.0.206:21
[**] [1:545:4] FTP "CWD /" possible warez site [**]
[Classification: Misc activity] [Priority: 3]
------------------------------------------------------------------------
02/26/03-01:36:13.798966 {TCP} 192.168.0.200:33995 -> 10.0.0.206:21
[**] [1:545:4] FTP "CWD /" possible warez site [**]
[Classification: Misc activity] [Priority: 3]
------------------------------------------------------------------------
02/26/03-01:41:56.923492 {TCP} 192.168.0.200:34579 -> 10.0.0.206:21
[**] [1:545:4] FTP "CWD /" possible warez site [**]
[Classification: Misc activity] [Priority: 3]
------------------------------------------------------------------------
02/26/03-02:16:11.296573 {TCP} 192.168.0.200:38241 -> 10.0.0.206:21
[**] [1:545:4] FTP "CWD /" possible warez site [**]
[Classification: Misc activity] [Priority: 3]
------------------------------------------------------------------------

Here is the data found in the pcap file:

* 2003/02/26 01:08:51.487785: tcp 192.168.0.200,63959 10.0.0.206,21 125>9 316<11
>> 1-8     : CWD er\r\n
<< 1-29    : 250 CWD command successful.\r\n
>> 9-17    : CWD buf\r\n
<< 30-58   : 250 CWD command successful.\r\n
>> 18-29   : CWD bufkit\r\n
<< 59-87   : 250 CWD command successful.\r\n
>> 30-43   : CWD profiles\r\n
<< 88-116  : 250 CWD command successful.\r\n
>> 44-60   : MDTM etakit.lnk\r\n
<< 117-160 : 550 etakit.lnk: No such file or directory.\r\n
>> 61-90   : PORT 128,109,134,200,249,216\r\n
<< 161-190 : 200 PORT command successful.\r\n
<< 191-234 : 550 etakit.lnk: No such file or directory.\r\n
>> 108-123 : CWD etakit.lnk\r\n
<< 235-278 : 550 etakit.lnk: No such file or directory.\r\n
<< 279-315 : 221 You could at least say goodbye.\r\n

* 2003/02/26 01:20:16.413278: tcp 192.168.0.200,65089 10.0.0.206,21 18>3 83<4
>> 1-16    : CWD etakit.dro\r\n
<< 1-44    : 550 etakit.dro: No such file or directory.\r\n
<< 45-81   : 221 You could at least say goodbye.\r\n

* 2003/02/26 01:36:13.798966: tcp 192.168.0.200,33995 10.0.0.206,21 111>9 288<10
>> 1-8     : CWD er\r\n
<< 1-29    : 250 CWD command successful.\r\n
>> 9-17    : CWD phi\r\n
<< 30-58   : 250 CWD command successful.\r\n
>> 18-29   : CWD bufkit\r\n
<< 59-87   : 250 CWD command successful.\r\n
>> 30-46   : MDTM etakit.fty\r\n
<< 88-131  : 550 etakit.fty: No such file or directory.\r\n
>> 47-76   : PORT 128,109,134,200,132,204\r\n
<< 132-161 : 200 PORT command successful.\r\n
>> 77-93   : RETR etakit.fty\r\n
<< 162-205 : 550 etakit.fty: No such file or directory.\r\n
>> 94-109  : CWD etakit.fty\r\n
<< 206-249 : 550 etakit.fty: No such file or directory.\r\n
<< 250-286 : 221 You could at least say goodbye.\r\n

* 2003/02/26 01:41:56.923492: tcp 192.168.0.200,34579 10.0.0.206,21 102>7 258<7
>> 1-9     : CWD phi\r\n
<< 1-29    : 250 CWD command successful.\r\n
>> 10-21   : CWD bufkit\r\n
<< 30-58   : 250 CWD command successful.\r\n
>> 22-38   : MDTM etakit.pvd\r\n
<< 59-102  : 550 etakit.pvd: No such file or directory.\r\n
>> 39-67   : PORT 128,109,134,200,135,20\r\n
<< 103-132 : 200 PORT command successful.\r\n
<< 133-176 : 550 etakit.pvd: No such file or directory.\r\n
>> 85-100  : CWD etakit.pvd\r\n
<< 221-257 : 221 You could at least say goodbye.\r\n

* 2003/02/26 02:16:11.296573: tcp 192.168.0.200,38241 10.0.0.206,21 111>9 287<9
>> 1-9     : CWD rnk\r\n
<< 1-29    : 250 CWD command successful.\r\n
>> 10-21   : CWD bufkit\r\n
<< 30-58   : 250 CWD command successful.\r\n
>> 22-30   : CWD eta\r\n
<< 59-87   : 250 CWD command successful.\r\n
>> 31-47   : MDTM etakit.bod\r\n
<< 88-131  : 550 etakit.bod: No such file or directory.\r\n
>> 48-76   : PORT 128,109,134,200,149,98\r\n
<< 132-161 : 200 PORT command successful.\r\n
>> 77-93   : RETR etakit.bod\r\n
<< 162-205 : 550 etakit.bod: No such file or directory.\r\n
>> 94-109  : CWD etakit.bod\r\n
<< 206-249 : 550 etakit.bod: No such file or directory.\r\n
<< 250-286 : 221 You could at least say goodbye.\r\n

Here are the detailed vital stats:

Initializing Output Plugins!
Running in IDS mode
Log directory = /data/20030226.00:00:00
Initializing Network Interface eth2

        --== Initializing Snort ==--
Rule application order changed to Pass->Alert->Log
Decoding Ethernet on interface eth2
Parsing Rules file /conf/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Initializing Preprocessors!
Initializing Plug-ins!
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: ACTIVE
    Session timeout: 30 seconds
    Session memory cap: 50000000 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
stream4:OpenStatsFile() Opening /data/20030226.00:00:00/snort-unified.stats.1046217600
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Conversation Config:
    KeepStats: 0
    Conv Count: 65534
    Timeout : 60
    Alert Odd?: 0
    Allowed IP Protocols: All
Portscan2 config:
    log: /data/20030226.00:00:00/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 25
    port_limit: 50
    timeout: 60
PerfMonitor config:
    Time: 10 seconds
    Flow Stats: ACTIVE
    Event Stats: ACTIVE
    Max Perf Stats: INACTIVE
    Console Mode: INACTIVE
    File Mode: INACTIVE
    SnortFile Mode: /data/20030226.00:00:00/perfstats.csv
    Packet Count: 10000
HttpFlow config:
    Depth: 250
    Ports: 80 8080
spo_unified /conf/snort.conf(462)=> Lowering limit of 1280MB to 512MB
spo_unified /conf/snort.conf(463)=> Lowering limit of 1280MB to 512MB
Opening /data/20030226.00:00:00/snort-unified.log.1046217600
1228 Snort rules read...
1228 Option Chains linked into 213 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order:
        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.0beta (Build 51)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

And lastly here is the actual rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:545; rev:4; msg:"INFO FTP |CWD / | possible warez site"; tag:session,300,packets;)
--
Larry Reed
Lawrence.Reed () noaa gov
NOAA IT Security Office
PGP Public Key: http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772
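Editor's note, added to this archive page and not part of Larry's message or of Snort's own source: the rule quoted above is a two-content rule, so the question "does this payload fire sid 545" comes down to how Snort evaluates `content:"CWD"; nocase;` followed by `content:"/ "; distance:1;`. The model below implements those two options the way the Snort 2.x manual describes them (case-insensitive search for the first pattern; the second pattern searched from one byte past the end of that match to the end of the payload, since the rule has no `within`; the next "CWD" occurrence tried if the second search fails) and runs it over the client commands taken from the five session dumps in the post, plus a few constructed payloads that do and do not match. It also contrasts per-segment inspection, which is what a sensor with stream4 reassembly disabled does, with matching the reassembled client stream. The `flow:` option is assumed satisfied throughout; `rule_545_matches`, `matching_segments` and `matches_reassembled` are names chosen here, not Snort API.

```python
"""Model of Snort's relative content matching for sid 545 ("CWD / ").

Assumptions (this is an illustration, not Snort code):
  - flow:to_server,established is satisfied for every payload examined;
  - `distance:1` means the second search starts one byte after the end of
    the first match, and with no `within` it runs to the end of the payload.
"""

FIRST = b"CWD"   # content:"CWD"; nocase;
SECOND = b"/ "   # content:"/ "; distance:1;
DISTANCE = 1


def rule_545_matches(payload: bytes) -> bool:
    """Return True if both content options of sid 545 match `payload`."""
    lowered = payload.lower()              # nocase applies to the first pattern
    start = 0
    while True:
        idx = lowered.find(FIRST.lower(), start)
        if idx == -1:
            return False                   # no (further) "CWD" in the payload
        search_from = idx + len(FIRST) + DISTANCE
        if payload.find(SECOND, search_from) != -1:
            return True                    # "/ " found somewhere after "CWD "
        start = idx + 1                    # retry from the next "CWD" occurrence


def matching_segments(segments):
    """Inspect each TCP segment on its own (stream4 reassembly off) and
    return the segments that would fire the rule."""
    return [s for s in segments if rule_545_matches(s)]


def matches_reassembled(segments) -> bool:
    """Match the same segments as one reassembled client-to-server stream."""
    return rule_545_matches(b"".join(segments))


# Client commands copied from the five session dumps in the post, one
# command per segment as the dump shows them.
POSTED_CLIENT_COMMANDS = [
    b"CWD er\r\n", b"CWD buf\r\n", b"CWD bufkit\r\n", b"CWD profiles\r\n",
    b"MDTM etakit.lnk\r\n", b"PORT 128,109,134,200,249,216\r\n",
    b"CWD etakit.lnk\r\n",
    b"CWD etakit.dro\r\n",
    b"CWD er\r\n", b"CWD phi\r\n", b"CWD bufkit\r\n", b"MDTM etakit.fty\r\n",
    b"PORT 128,109,134,200,132,204\r\n", b"RETR etakit.fty\r\n",
    b"CWD etakit.fty\r\n",
    b"CWD phi\r\n", b"CWD bufkit\r\n", b"MDTM etakit.pvd\r\n",
    b"PORT 128,109,134,200,135,20\r\n", b"CWD etakit.pvd\r\n",
    b"CWD rnk\r\n", b"CWD bufkit\r\n", b"CWD eta\r\n", b"MDTM etakit.bod\r\n",
    b"PORT 128,109,134,200,149,98\r\n", b"RETR etakit.bod\r\n",
    b"CWD etakit.bod\r\n",
]

# Constructed payloads (not from the post) exercising the rule's edges.
CONSTRUCTED = {
    b"CWD / \r\n": True,              # the case the rule is written for
    b"cwd / pub\r\n": True,           # nocase on the first pattern
    b"CWD /\r\n": False,              # "/" not followed by a space
    b"CWD/ \r\n": False,              # distance:1 skips the byte after "CWD"
    b"CWD pub\r\nLIST / \r\n": True,  # no `within`: "/ " from a later command in
                                      # the same segment still satisfies the rule
}

# A "CWD / " split across two segments is invisible without reassembly.
SPLIT = [b"CW", b"D / \r\n"]


if __name__ == "__main__":
    print("posted commands firing sid 545:", matching_segments(POSTED_CLIENT_COMMANDS))
    print("posted stream, reassembled:", matches_reassembled(POSTED_CLIENT_COMMANDS))
    for payload, expected in CONSTRUCTED.items():
        got = rule_545_matches(payload)
        print(f"{payload!r}: {got} (expected {expected})")
    print("split payload per segment:", matching_segments(SPLIT),
          "reassembled:", matches_reassembled(SPLIT))
```

Under this model none of the posted commands satisfy the rule, whether inspected segment by segment or as a reassembled stream, which agrees with Larry's observation that replaying the pcap produces no alert. The constructed cases show the two properties of this rule worth keeping in mind when reading its alerts: `distance:1` with no `within` lets the "/ " come from anywhere later in the same payload, and with reassembly off a pattern that straddles a segment boundary is not matched at all.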