Re: darpa dataset problem(zero alert)

[mehdi maleki <mehdimlk2003 () yahoo com>]

default configuration of rule doesn't generate alert, so i changed some in snort.conf (enable some alert). near 23000 
alert generated, but there isn't gid=1. general alert didn't generated in my output alert file.while in your output 
there are many gid=1 alert. which section responsible of gid=1 alerts? what changes do i need to perform in snort.conf 
file to have output same to you? i attache my snort.conf file & alert file. 
thanks.
m. maleki



On Tuesday, August 12, 2014 10:51 PM, Joel Esler (jesler) <jesler () cisco com> wrote:
 


On Aug 7, 2014, at 11:42 AM, Joel Esler <jesler () cisco com> wrote:


On Aug 6, 2014, at 3:42 AM, mehdi maleki <mehdimlk2003 () yahoo com> wrote:
> > I’ve read faq but there is any solution for my problem.
> Can you post the link to the darpa pcap you are using?
So, I ran the pcap you provided the link to against my Snort instance with all the rules turned on, I get a couple 
alerts:

1:22114:5       SERVER-MAIL Metamail header length exploit attempt               Alerts: 6
1:1213:13       SERVER-WEBAPP backup access                                      Alerts: 4
1:22115:5       SERVER-MAIL Metamail header length exploit attempt               Alerts: 750
1:17152:6       SERVER-SAMBA Samba smbd flags2 header parsing denial of service attempt     Alerts: 2
1:218:8         MALWARE-BACKDOOR MISC Solaris 2.5 attempt                        Alerts: 1
1:1648:20       SERVER-WEBAPP perl.exe command attempt                           Alerts: 2
1:15935:6       PROTOCOL-DNS dns response for rfc1918 192.168/16 address detected     Alerts: 1261
1:4675:10       FILE-FLASH Adobe Flash DOACTION tag overflow attempt             Alerts: 1
1:648:14        INDICATOR-SHELLCODE x86 NOOP                                     Alerts: 17
1:1437:27       FILE-IDENTIFY Microsoft Windows Media download detected          Alerts: 1
1:368:10        PROTOCOL-ICMP PING BSDtype                                       Alerts: 30
1:1668:14       SERVER-WEBAPP /cgi-bin/ access                                   Alerts: 1
1:1288:16       SERVER-OTHER Microsoft Frontpage /_vti_bin/ access               Alerts: 9
1:15934:6       PROTOCOL-DNS dns response for rfc1918 172.16/12 address detected     Alerts: 4653
1:853:17        SERVER-WEBAPP wrap access                                        Alerts: 4
1:4135:19       BROWSER-IE Microsoft Internet Explorer JPEG rendering buffer overflow attempt     Alerts: 13
1:1729:15       POLICY-SOCIAL IRC channel join                                   Alerts: 7
1:839:20        SERVER-WEBAPP finger access                                      Alerts: 8
1:31406:1       SERVER-OTHER Samsung TV denial of service attempt                Alerts: 41
1:1024:20       SERVER-IIS newdsn.exe access                                     Alerts: 1
1:2921:10       PROTOCOL-DNS UDP inverse query                                   Alerts: 5
1:24304:2       PROTOCOL-DNS dead alive6 DNS attempt                             Alerts: 2
1:13948:11      PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning     Alerts: 980
1:1029:18       SERVER-IIS scripts-browse access                                 Alerts: 1
1:2134:14       SERVER-IIS register.asp access                                   Alerts: 4
1:18809:9       BROWSER-FIREFOX Mozilla EnsureCachedAttrParamArrays integer overflow attempt     Alerts: 2
1:384:8         PROTOCOL-ICMP PING                                               Alerts: 227
1:1201:13       INDICATOR-COMPROMISE 403 Forbidden                               Alerts: 71
1:402:11        PROTOCOL-ICMP Destination Unreachable Port Unreachable           Alerts: 938
1:19177:7       SERVER-WEBAPP cookiejacking attempt                              Alerts: 2
1:8759:12       BROWSER-PLUGINS Microsoft Internet Explorer DirectAnimation.SequencerControl ActiveX clsid access     
Alerts: 4
1:895:19        SERVER-WEBAPP redirect access                                    Alerts: 41
1:882:17        SERVER-WEBAPP calendar access                                    Alerts: 35
1:1012:21       SERVER-IIS fpcount attempt                                       Alerts: 6
129:12:1        Consecutive TCP small segments exceeding threshold               Alerts: 151
1:23362:3       SERVER-IIS tilde character file name discovery attempt           Alerts: 2
1:19669:7       POLICY-OTHER Telnet protocol specifier in web page attempt       Alerts: 1
119:31:1        (http_inspect) UNKNOWN METHOD                                    Alerts: 2
1:1309:20       SERVER-WEBAPP zsh access                                         Alerts: 25
1:408:8         PROTOCOL-ICMP Echo Reply                                         Alerts: 218
1:1417:16       PROTOCOL-SNMP request udp                                        Alerts: 1320
1:1025:18       SERVER-IIS perl access                                           Alerts: 1
1:718:16        PROTOCOL-TELNET login incorrect                                  Alerts: 40
1:1156:17       SERVER-WEBAPP apache directory disclosure attempt                Alerts: 40
1:17276:15      FILE-OTHER Multiple vendor Antivirus magic byte detection evasion attempt     Alerts: 2
1:1077:19       SQL queryhit.htm access                                          Alerts: 1
1:1463:15       POLICY-SOCIAL IRC message                                        Alerts: 98
1:17410:15      OS-WINDOWS Generic HyperLink buffer overflow attempt             Alerts: 40
1:2066:12       SERVER-WEBAPP Lotus Notes .pl script source download attempt     Alerts: 1
1:23861:7       FILE-OTHER heapspray characters detected - binary                Alerts: 2
1:29456:2       PROTOCOL-ICMP Unusual PING detected                              Alerts: 227
1:1292:12       INDICATOR-COMPROMISE directory listing                           Alerts: 12
1:1693:8        SERVER-ORACLE create table attempt                               Alerts: 1
1:1679:8        SERVER-ORACLE describe attempt                                   Alerts: 81
1:2381:18       SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt     Alerts: 42
128:4:1         (spp_ssh) Protocol mismatch                                      Alerts: 15534
1:1200:17       INDICATOR-COMPROMISE Invalid URL                                 Alerts: 19
1:542:20        POLICY-SOCIAL IRC nick change                                    Alerts: 9
120:8:1         (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE              Alerts: 2414
1:530:14        OS-WINDOWS NT NULL session                                       Alerts: 1
1:30342:1       SERVER-WEBAPP Cisco IOS HTTP server denial of service attempt     Alerts: 1
119:32:1        (http_inspect) SIMPLE REQUEST                                    Alerts: 62
1:832:24        SERVER-WEBAPP perl.exe access                                    Alerts: 2
1:2201:17       SERVER-WEBAPP Matt Wright download.cgi access                    Alerts: 1
1:1882:16       INDICATOR-COMPROMISE id check returned userid                    Alerts: 44
1:1149:24       SERVER-WEBAPP count.cgi access                                   Alerts: 37
1:553:13        POLICY-OTHER FTP anonymous login attempt                         Alerts: 127
1:24378:1       POLICY-OTHER TCP packet with urgent flag attempt                 Alerts: 21
1:1606:14       SERVER-WEBAPP icat access                                        Alerts: 1
1:21817:4       PROTOCOL-DNS excessive queries of type ANY - potential DoS       Alerts: 1608
1:973:24        SERVER-IIS *.idc attempt                                         Alerts: 1
119:19:1        (http_inspect) LONG HEADER                                       Alerts: 41
1:20094:7       INDICATOR-COMPROMISE IRC message on non-standard port            Alerts: 32
1:1767:13       SERVER-WEBAPP search.dll access                                  Alerts: 13
1:1026:22       SERVER-IIS perl-browse newline attempt                           Alerts: 1
1:8414:12       FILE-OFFICE Microsoft Office GIF image descriptor memory corruption attempt     Alerts: 39
1:1013:21       SERVER-IIS fpcount access                                        Alerts: 11
120:3:1         (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE     Alerts: 3657
1:3441:9        PROTOCOL-FTP PORT bounce attempt                                 Alerts: 2
1:1560:14       SERVER-WEBAPP /doc/ access                                       Alerts: 30
125:8:1         (ftp_telnet) FTP bounce attempt                                  Alerts: 2
1:16642:7       POLICY-OTHER file URI scheme attempt                             Alerts: 5
1:366:10        PROTOCOL-ICMP PING *NIX                                          Alerts: 30
1:20258:9       OS-WINDOWS Microsoft Forefront UAG javascript handler in URI XSS attempt     Alerts: 3
1:1411:18       PROTOCOL-SNMP public access udp                                  Alerts: 1320
1:1078:19       SQL counter.exe access                                           Alerts: 1
1:13949:12      PROTOCOL-DNS excessive outbound NXDOMAIN replies - possible spoof of domain run by local DNS servers    
 Alerts: 980

Attachment: alert_config.zip
Description:

------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!