Snort mailing list archives
Re: darpa dataset problem(zero alert)
From: mehdi maleki <mehdimlk2003 () yahoo com>
Date: Wed, 13 Aug 2014 13:03:51 -0700
The default rule configuration doesn't generate alerts, so I changed some things in snort.conf (enabled some alerts). Nearly 23000 alerts were generated, but there is no gid=1. General alerts were not generated in my output alert file, while in your output there are many gid=1 alerts. Which section is responsible for gid=1 alerts? What changes do I need to make in the snort.conf file to get output the same as yours? I attach my snort.conf file & alert file. Thanks.

m. maleki

On Tuesday, August 12, 2014 10:51 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

On Aug 7, 2014, at 11:42 AM, Joel Esler <jesler () cisco com> wrote:

On Aug 6, 2014, at 3:42 AM, mehdi maleki <mehdimlk2003 () yahoo com> wrote:

I've read the FAQ but there isn't any solution for my problem.

Can you post the link to the darpa pcap you are using?
So, I ran the pcap you provided the link to against my Snort instance with all the rules turned on, I get a couple of alerts:

1:22114:5 SERVER-MAIL Metamail header length exploit attempt Alerts: 6
1:1213:13 SERVER-WEBAPP backup access Alerts: 4
1:22115:5 SERVER-MAIL Metamail header length exploit attempt Alerts: 750
1:17152:6 SERVER-SAMBA Samba smbd flags2 header parsing denial of service attempt Alerts: 2
1:218:8 MALWARE-BACKDOOR MISC Solaris 2.5 attempt Alerts: 1
1:1648:20 SERVER-WEBAPP perl.exe command attempt Alerts: 2
1:15935:6 PROTOCOL-DNS dns response for rfc1918 192.168/16 address detected Alerts: 1261
1:4675:10 FILE-FLASH Adobe Flash DOACTION tag overflow attempt Alerts: 1
1:648:14 INDICATOR-SHELLCODE x86 NOOP Alerts: 17
1:1437:27 FILE-IDENTIFY Microsoft Windows Media download detected Alerts: 1
1:368:10 PROTOCOL-ICMP PING BSDtype Alerts: 30
1:1668:14 SERVER-WEBAPP /cgi-bin/ access Alerts: 1
1:1288:16 SERVER-OTHER Microsoft Frontpage /_vti_bin/ access Alerts: 9
1:15934:6 PROTOCOL-DNS dns response for rfc1918 172.16/12 address detected Alerts: 4653
1:853:17 SERVER-WEBAPP wrap access Alerts: 4
1:4135:19 BROWSER-IE Microsoft Internet Explorer JPEG rendering buffer overflow attempt Alerts: 13
1:1729:15 POLICY-SOCIAL IRC channel join Alerts: 7
1:839:20 SERVER-WEBAPP finger access Alerts: 8
1:31406:1 SERVER-OTHER Samsung TV denial of service attempt Alerts: 41
1:1024:20 SERVER-IIS newdsn.exe access Alerts: 1
1:2921:10 PROTOCOL-DNS UDP inverse query Alerts: 5
1:24304:2 PROTOCOL-DNS dead alive6 DNS attempt Alerts: 2
1:13948:11 PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning Alerts: 980
1:1029:18 SERVER-IIS scripts-browse access Alerts: 1
1:2134:14 SERVER-IIS register.asp access Alerts: 4
1:18809:9 BROWSER-FIREFOX Mozilla EnsureCachedAttrParamArrays integer overflow attempt Alerts: 2
1:384:8 PROTOCOL-ICMP PING Alerts: 227
1:1201:13 INDICATOR-COMPROMISE 403 Forbidden Alerts: 71
1:402:11 PROTOCOL-ICMP Destination Unreachable Port Unreachable Alerts: 938
1:19177:7 SERVER-WEBAPP cookiejacking attempt Alerts: 2
1:8759:12 BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.SequencerControl ActiveX clsid access Alerts: 4
1:895:19 SERVER-WEBAPP redirect access Alerts: 41
1:882:17 SERVER-WEBAPP calendar access Alerts: 35
1:1012:21 SERVER-IIS fpcount attempt Alerts: 6
129:12:1 Consecutive TCP small segments exceeding threshold Alerts: 151
1:23362:3 SERVER-IIS tilde character file name discovery attempt Alerts: 2
1:19669:7 POLICY-OTHER Telnet protocol specifier in web page attempt Alerts: 1
119:31:1 (http_inspect) UNKNOWN METHOD Alerts: 2
1:1309:20 SERVER-WEBAPP zsh access Alerts: 25
1:408:8 PROTOCOL-ICMP Echo Reply Alerts: 218
1:1417:16 PROTOCOL-SNMP request udp Alerts: 1320
1:1025:18 SERVER-IIS perl access Alerts: 1
1:718:16 PROTOCOL-TELNET login incorrect Alerts: 40
1:1156:17 SERVER-WEBAPP apache directory disclosure attempt Alerts: 40
1:17276:15 FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt Alerts: 2
1:1077:19 SQL queryhit.htm access Alerts: 1
1:1463:15 POLICY-SOCIAL IRC message Alerts: 98
1:17410:15 OS-WINDOWS Generic HyperLink buffer overflow attempt Alerts: 40
1:2066:12 SERVER-WEBAPP Lotus Notes .pl script source download attempt Alerts: 1
1:23861:7 FILE-OTHER heapspray characters detected - binary Alerts: 2
1:29456:2 PROTOCOL-ICMP Unusual PING detected Alerts: 227
1:1292:12 INDICATOR-COMPROMISE directory listing Alerts: 12
1:1693:8 SERVER-ORACLE create table attempt Alerts: 1
1:1679:8 SERVER-ORACLE describe attempt Alerts: 81
1:2381:18 SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt Alerts: 42
128:4:1 (spp_ssh) Protocol mismatch Alerts: 15534
1:1200:17 INDICATOR-COMPROMISE Invalid URL Alerts: 19
1:542:20 POLICY-SOCIAL IRC nick change Alerts: 9
120:8:1 (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE Alerts: 2414
1:530:14 OS-WINDOWS NT NULL session Alerts: 1
1:30342:1 SERVER-WEBAPP Cisco IOS HTTP server denial of service attempt Alerts: 1
119:32:1 (http_inspect) SIMPLE REQUEST Alerts: 62
1:832:24 SERVER-WEBAPP perl.exe access Alerts: 2
1:2201:17 SERVER-WEBAPP Matt Wright download.cgi access Alerts: 1
1:1882:16 INDICATOR-COMPROMISE id check returned userid Alerts: 44
1:1149:24 SERVER-WEBAPP count.cgi access Alerts: 37
1:553:13 POLICY-OTHER FTP anonymous login attempt Alerts: 127
1:24378:1 POLICY-OTHER TCP packet with urgent flag attempt Alerts: 21
1:1606:14 SERVER-WEBAPP icat access Alerts: 1
1:21817:4 PROTOCOL-DNS excessive queries of type ANY - potential DoS Alerts: 1608
1:973:24 SERVER-IIS *.idc attempt Alerts: 1
119:19:1 (http_inspect) LONG HEADER Alerts: 41
1:20094:7 INDICATOR-COMPROMISE IRC message on non-standard port Alerts: 32
1:1767:13 SERVER-WEBAPP search.dll access Alerts: 13
1:1026:22 SERVER-IIS perl-browse newline attempt Alerts: 1
1:8414:12 FILE-OFFICE Microsoft Office GIF image descriptor memory corruption attempt Alerts: 39
1:1013:21 SERVER-IIS fpcount access Alerts: 11
120:3:1 (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE Alerts: 3657
1:3441:9 PROTOCOL-FTP PORT bounce attempt Alerts: 2
1:1560:14 SERVER-WEBAPP /doc/ access Alerts: 30
125:8:1 (ftp_telnet) FTP bounce attempt Alerts: 2
1:16642:7 POLICY-OTHER file URI scheme attempt Alerts: 5
1:366:10 PROTOCOL-ICMP PING *NIX Alerts: 30
1:20258:9 OS-WINDOWS Microsoft Forefront UAG javascript handler in URI XSS attempt Alerts: 3
1:1411:18 PROTOCOL-SNMP public access udp Alerts: 1320
1:1078:19 SQL counter.exe access Alerts: 1
1:13949:12 PROTOCOL-DNS excessive outbound NXDOMAIN replies - possible spoof of domain run by local DNS servers Alerts: 980
Attachment:
alert_config.zip
Description:
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
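The symptom in this thread, tens of thousands of alerts but none with gid=1, can be checked directly from the alert file rather than by eye. Generator 1 is Snort's text-rule engine (the rule files pulled in by the include $RULE_PATH/... lines of snort.conf); 119/120, 125, 128 and 129 are the http_inspect, ftp_telnet, ssh and stream5 preprocessors whose names appear in the alert messages above, and those fire whether or not any rule file is loaded. The script below is an added example, not code from the thread or from the Snort project: it parses Snort's default alert_fast output, tallies hits per gid:sid:rev in the same "Alerts: n" form used above, totals them per generator, and reports when no text rule fired at all. The sample alert lines and the file name in the usage comment are constructed for the demo.

```python
"""Tally Snort alert_fast output by generator ID.

Added example, not code from the Snort project or this thread. It parses
lines in Snort's default alert_fast format, counts hits per gid:sid:rev
and per generator, and says whether any gid=1 (text-rule) alerts exist.
The sample alert lines below are constructed for the demo.
"""
import re
import sys
from collections import Counter

# alert_fast line:  <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] ...
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

# Generator IDs that appear in the summary above. gid 1 is the text-rule
# engine; the others are preprocessors (names from their alert messages).
GENERATOR_NAMES = {
    1: "text rules (rule files included from snort.conf)",
    119: "http_inspect (client side)",
    120: "http_inspect (server side)",
    125: "ftp_telnet (FTP)",
    128: "ssh (spp_ssh)",
    129: "stream5",
}

# Constructed sample: two text-rule hits and three preprocessor hits.
SAMPLE_ALERTS = """\
08/13-13:03:51.000001  [**] [1:384:8] PROTOCOL-ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.1
08/13-13:03:51.000002  [**] [128:4:1] (spp_ssh) Protocol mismatch [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:44321 -> 10.0.0.9:22
08/13-13:03:51.000003  [**] [120:8:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 10.0.0.9:80 -> 10.0.0.5:51000
08/13-13:03:51.000004  [**] [1:384:8] PROTOCOL-ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.1
08/13-13:03:51.000005  [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:51001 -> 10.0.0.9:80
"""


def parse_alerts(text):
    """Yield (gid, sid, rev, msg) for every line that looks like an alert_fast record."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            gid, sid, rev, msg = m.groups()
            yield int(gid), int(sid), int(rev), msg


def tally(text):
    """Return (per_rule, per_gid): Counters keyed by (gid, sid, rev, msg) and by gid."""
    per_rule, per_gid = Counter(), Counter()
    for gid, sid, rev, msg in parse_alerts(text):
        per_rule[(gid, sid, rev, msg)] += 1
        per_gid[gid] += 1
    return per_rule, per_gid


def has_text_rule_alerts(per_gid):
    """True if at least one alert came from the text-rule engine (gid 1)."""
    return per_gid.get(1, 0) > 0


def summarize(text):
    """Lines in the 'gid:sid:rev msg Alerts: n' form used in the thread, plus a verdict."""
    per_rule, per_gid = tally(text)
    lines = [
        "%d:%d:%d %s Alerts: %d" % (gid, sid, rev, msg, n)
        for (gid, sid, rev, msg), n in sorted(per_rule.items(), key=lambda kv: (-kv[1], kv[0]))
    ]
    for gid, n in sorted(per_gid.items()):
        lines.append("gid %d (%s): %d" % (gid, GENERATOR_NAMES.get(gid, "other"), n))
    if not has_text_rule_alerts(per_gid):
        lines.append("no gid=1 alerts: no text rules fired; check that snort.conf "
                     "includes rule files and that the rules are not commented out")
    return lines


if __name__ == "__main__":
    # Usage: python tally_alerts.py /var/log/snort/alert   (falls back to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    print("\n".join(summarize(data)))
```

Run it against the alert file Snort wrote (the path is whatever `output alert_fast:` in snort.conf points at); if the per-gid totals show only preprocessor generators, the rule files are not being loaded, which is a snort.conf problem rather than a problem with the pcap.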
Current thread:
- darpa dataset problem(zero alert) mehdi maleki (Aug 05)
- Re: darpa dataset problem(zero alert) waldo kitty (Aug 05)
- <Possible follow-ups>
- darpa dataset problem(zero alert) mehdi maleki (Aug 06)
- Message not available
- Message not available
- Fw: re: darpa dataset problem(zero alert) mehdi maleki (Aug 06)
- Message not available
- Re: darpa dataset problem(zero alert) Joel Esler (jesler) (Aug 07)
- Re: darpa dataset problem(zero alert) Joel Esler (jesler) (Aug 12)
- Re: darpa dataset problem(zero alert) mehdi maleki (Aug 25)
- Fw: darpa dataset problem(zero alert) mehdi maleki (Aug 25)
- Re: darpa dataset problem(zero alert) Joel Esler (jesler) (Aug 19)
- Re: darpa dataset problem(zero alert) waldo kitty (Aug 19)
- Fw: darpa dataset problem(zero alert) mehdi maleki (Aug 25)
- Re: darpa dataset problem(zero alert) Joel Esler (jesler) (Aug 25)
- Re: darpa dataset problem(zero alert) waldo kitty (Aug 25)