Snort mailing list archives
Re: WEB-IIS view source via translate header false alarms
From: James Nonya <slave_tothe_box () yahoo com>
Date: Wed, 14 Jan 2004 11:04:52 -0800 (PST)
On Wed, 14 Jan 2004 12:14:22 -0600 "Bradberry, John" <BradberryJ () aafes com> wrote:
Hello: Our team is running snort 2.0.6 with sid 1042 enabled. Note that the rule explicitly looks at ***TCP*** traffic to ports 80 and 8080:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3a| F"; nocase; classtype:web-application-activity; sid:1042; rev:6;)

We're observing ***UDP*** traffic triggering alarms on sid 1042! The protocol, destination port, and content do not match the signature:

Jan 14 10:26:20 <4.1> snort: [1:1042:6] WEB-IIS view source via translate header [Classification: access to a potentially vulnerable web application] [Priority: 2]: <fec0> {UDP} src_IP:68 -> dst_IP:67

Has anyone else observed this condition?

John Bradberry
The Greentree Group
John,

I've seen the same type of thing at home...here's a sample:

Jan 13 18:36:49 homebox kernel: New,invalid UDP-ICMP:IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=193.126.36.217 DST=24.116.255.102 LEN=404 TOS=0x00 PREC=0x00 TTL=110 ID=34580 PROTO=UDP SPT=1131 DPT=1434 LEN=384
Jan 13 18:36:49 homebox snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 193.126.36.217:1131 -> 24.116.255.102:1434
Jan 13 18:38:00 homebox kernel: New,invalid TCP:IN=eth0 OUT= MAC=00:60:08:16:39:30:00:08:20:cb:04:a8:08:00 SRC=63.198.47.20 DST=24.116.255.102 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=50905 DF PROTO=TCP SPT=3824 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jan 13 18:38:00 homebox snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {TCP} 63.198.47.20:3824 -> 24.116.255.102:21

The first two lines above show a correct alert trigger...iptables blocks and logs the packet and snort raises the MS-SQL alert. But dig the last two...that's an FTP scan..TCP...totally different port....I have NO idea why that triggered. Since I don't run FTP on that box, here's the rule that I made:

from local.rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Server Scan"; flags:S; classtype:info-attempt; sid:1000005; rev:1;)

from sid-msg.map:
1000005 || FTP Scan

I have a sneaky suspicion it's something to do with classtype? Not sure.

James
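A cross-check a reader of this thread could run against their own alert log, added here as an example and not part of either message: it parses Snort rule headers and syslog alert lines and reports every alert whose protocol or ports could not have satisfied the header of the sid it names, which is exactly the inconsistency both posters describe. The rule and alert lines are taken from the two messages above; the header for sid 2003 is not shown on the page and is assumed here to be the stock udp/1434 Slammer signature, and $HTTP_PORTS is taken as 80 and 8080 per John's message. The script, its function names and the unknown-variable handling are this example's own assumptions.

```python
import re

# Sample rules (constructed for this example). sid 1042 and sid 1000005 are
# copied from the thread; the sid 2003 header is ASSUMED to be the stock
# udp/1434 Slammer signature, as the page does not show it.
RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3a| F"; nocase; classtype:web-application-activity; sid:1042; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; classtype:misc-attack; sid:2003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Server Scan"; flags:S; classtype:info-attempt; sid:1000005; rev:1;)
'''

# Sample syslog alert lines, constructed from the two messages in the thread.
ALERTS = '''
Jan 14 10:26:20 <4.1> snort: [1:1042:6] WEB-IIS view source via translate header [Classification: access to a potentially vulnerable web application] [Priority: 2]: <fec0> {UDP} src_IP:68 -> dst_IP:67
Jan 13 18:36:49 homebox snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 193.126.36.217:1131 -> 24.116.255.102:1434
Jan 13 18:38:00 homebox snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {TCP} 63.198.47.20:3824 -> 24.116.255.102:21
'''

# Assumed snort.conf port variables; HTTP_PORTS follows "ports 80 and 8080"
# from John's message.
PORT_VARS = {"HTTP_PORTS": {80, 8080}}

# Rule header: action proto src sport -> dst dport ( ... sid:N; ... )
RULE_RE = re.compile(
    r'^alert\s+(?P<proto>\w+)\s+\S+\s+(?P<sport>\S+)\s+->\s+\S+\s+(?P<dport>\S+)'
    r'\s+\(.*?\bsid:(?P<sid>\d+);'
)
# Syslog alert: [gid:sid:rev] msg ... {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?\{(?P<proto>\w+)\}'
    r'\s+\S+?:(?P<sport>\d+)\s+->\s+\S+?:(?P<dport>\d+)\s*$'
)


def parse_rules(text):
    """Map sid -> (protocol, source port spec, destination port spec)."""
    headers = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            headers[int(m["sid"])] = (m["proto"].lower(), m["sport"], m["dport"])
    return headers


def port_matches(spec, port, port_vars=PORT_VARS):
    """True if a numeric port satisfies a rule port spec: any, N, N:M, $VAR, !spec.
    An unknown $VAR is treated as 'any' so it never produces a spurious finding."""
    if spec.startswith("!"):
        return not port_matches(spec[1:], port, port_vars)
    if spec == "any":
        return True
    if spec.startswith("$"):
        name = spec[1:]
        return True if name not in port_vars else port in port_vars[name]
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def check_alerts(rules_text, alerts_text, port_vars=PORT_VARS):
    """Return [(sid, alert line, [reasons])] for alerts whose protocol or ports
    cannot satisfy the header of the rule that supposedly fired."""
    headers = parse_rules(rules_text)
    findings = []
    for raw in alerts_text.splitlines():
        line = raw.strip()
        m = ALERT_RE.search(line)
        if not m:
            continue
        sid = int(m["sid"])
        if sid not in headers:
            findings.append((sid, line, ["no rule with this sid loaded"]))
            continue
        proto, sport_spec, dport_spec = headers[sid]
        reasons = []
        if proto not in ("ip", m["proto"].lower()):
            reasons.append(f"packet is {m['proto']} but rule header is {proto}")
        if not port_matches(sport_spec, int(m["sport"]), port_vars):
            reasons.append(f"src port {m['sport']} not in {sport_spec}")
        if not port_matches(dport_spec, int(m["dport"]), port_vars):
            reasons.append(f"dst port {m['dport']} not in {dport_spec}")
        if reasons:
            findings.append((sid, line, reasons))
    return findings


if __name__ == "__main__":
    for sid, line, reasons in check_alerts(RULES, ALERTS):
        print(f"sid {sid}: {'; '.join(reasons)}\n    {line}")
```

Run against the lines above, the script flags the sid 1042 alert (UDP, dst port 67) and the second sid 2003 alert (TCP, dst port 21) and passes the first sid 2003 alert. A hit means the sid printed in the alert does not belong to the header you believe it does, so the thing to compare is the rule file Snort actually loaded against the sid-msg.map and the alert, rather than the rule text as it appears in the editor.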
Current thread:
- WEB-IIS view source via translate header false alarms Bradberry, John (Jan 14)
- <Possible follow-ups>
- Re: WEB-IIS view source via translate header false alarms James Nonya (Jan 14)