Snort mailing list archives

Re: Fwd: Snort catching backup as alert?


From: William Rehnquyst <rehnquyst () gmail com>
Date: Thu, 22 Aug 2013 13:01:20 -0400

Thank you all for the replies, Alex, Jefferson and waldo kitty. I am
currently using threshold to quiet it down, but not suppressing it.

My replies to waldo kitty's finer points below:

On Mon, Aug 19, 2013 at 1:51 PM, waldo kitty <wkitty42 () windstream net> wrote:


Below is the payload it captured, which triggered the alert:

1.
sid:17340; rev:3;)

is looking on any port for a simple content only match... yes, this one is
likely firing because of seeing that exact string... i note also that the rule
is looking for traffic from $EXTERNAL_NET to $HOME_NET and that brings up a few
questions:

  1. is your backup server external to your network?
  2. is this detection happening when your backup server is sending
     the traffic to a machine in your home net during a restore?


1. No, our backup is internal, and our current Snort configuration detects
both ext and int traffic (I am aware of recommendations that ext and int
sniffers be separated).

2. Most likely not during a restore, but during backup. I don't have an
exact time for when I know backup is happening, but I know it's happening
during the backup window. And it triggers within the same hour every night.



sid:17341; rev:2;)

this rule has three content matches but they are hex coded so not straight
strings in the content matches... no idea if this rule is triggering on seeing
itself...


Just want to reiterate that those rules I posted are payloads that Snort
captured, not copy-pasted from the rule file myself.


alert ip $EXTERNAL_NET any ->  $HOME_NET any (msg:"INDICATOR-SHELLCODE
x86 OS agnostic xor

the SID was left out on this one so i don't know what rule it is...


Sorry, I should mention that the payload cuts off here.



ps. On a side note, pardon my newbie-ness, how do screenshots and
attachments work on a mailing list like this? I'm not sure whether
they work or not because I never see them in the archive on seclists.org?

it is best to just copy'n'paste the information into a post rather than trying
to do screenshots... mainly because graphics are larger than the data you are
trying to show... as for them not appearing on seclists, that may be because
seclists doesn't allow them and so strips them out...

as a general rule, each mailing list is different... some do not allow
attachments at all... others allow any attachments up to a certain size... then
some restrict the type of attachments and may also apply size restrictions to
them... these details should be available in the rules for the list which
everyone should read before joining the list... as for other systems that import
the list and make it available in another format, they have their own rules...
as long as posts made on them that get transferred back to the list conform with
the list's rules, there are no problems...


I generally read/check the rules when I join a forum/mailing list like
this, being a former moderator somewhere else; but I did not see a rule
page on the sign up page (and it's not like it's a forum that you can go in
and search for it): https://lists.sourceforge.net/lists/listinfo/snort-users

Thanks for answering my questions in such detail waldo kitty. Much
appreciated.



--
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
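As an added illustration (not part of the thread, and not the poster's configuration), this is how the threshold-versus-suppress choice discussed above, and the $EXTERNAL_NET direction question, could be expressed in Snort 2.x configuration; the HOME_NET range and BACKUP_SERVER_IP are placeholder assumptions.

```snort
# Added example, not from the thread. Snort 2.9 snort.conf / threshold.conf syntax.
# Assumptions: HOME_NET range and BACKUP_SERVER_IP are placeholders.

# snort.conf: with EXTERNAL_NET set to "any", traffic between two internal
# hosts still matches rules written for $EXTERNAL_NET -> $HOME_NET, which is
# how an internal backup server can trigger sid 17340 / 17341.
ipvar HOME_NET 10.0.0.0/8
ipvar EXTERNAL_NET !$HOME_NET

# threshold.conf, option 1 (what the poster chose): rate-limit, don't silence.
# At most one alert per source host per hour for sid 17340 (GID 1); the event
# is still logged once per window, so the signal is not lost.
event_filter gen_id 1, sig_id 17340, type limit, track by_src, count 1, seconds 3600

# threshold.conf, option 2: narrow suppression. Silence sids 17340 and 17341
# only when the backup server is the source, rather than disabling the rules
# for every host on the network.
suppress gen_id 1, sig_id 17340, track by_src, ip BACKUP_SERVER_IP
suppress gen_id 1, sig_id 17341, track by_src, ip BACKUP_SERVER_IP
```

Option 2 only makes sense once the backup traffic has been confirmed as the real cause; a suppress keyed to one source address keeps the rule live for everyone else.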


------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and
AppDynamics. Performance Central is your source for news, insights,
analysis and resources for efficient Application Performance Management.
Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
