Snort mailing list archives
Re: Sig writing help
From: Alex Cermak <alex.cermak () protonmail com>
Date: Sun, 20 Nov 2016 22:00:32 -0500
Hi Albert,

Thanks for your help, it's been a while since I've run snort in anger and it looks like I've forgotten a few things :)

I was running without disabling checksum verification.

I was using 2.9.7 as I quickly ran up a new Ubuntu Xenial VM for testing and 2.9.7 is the version that is sitting in their apt repo. I thought I had an issue with my understanding of snort and not a snort issue that would be fixed with the latest version.

Alex

-------- Original Message --------
Subject: Re: [Snort-sigs] Sig writing help
Local Time: November 18, 2016 2:52 AM
UTC Time: November 17, 2016 3:52 PM
From: allewi () cisco com
To: Alex Cermak <alex.cermak () protonmail com>, snort-sigs () lists sourceforge net <snort-sigs () lists sourceforge net>

Sorry.. forgot to include the files…

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: allewi <allewi () cisco com>
Date: Thursday, November 17, 2016 at 10:23 AM
To: Alex Cermak <alex.cermak () protonmail com>
Cc: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
Subject: Re: [Snort-sigs] Sig writing help

Hello Alex,

Not sure if this was answered already but I get an alert… see below…

Is there any reason you are using 2.9.7 still?

[root@localhost snort-2.9.8.3]# ./bin/snort -c etc/cermak.conf -r etc/cermak.pcap -Acmg -k none -q
11/17-09:57:56.118000  [**] [1:10000:1] PoC C&C [**] [Priority: 0] {TCP} 192.168.58.5:39598 -> 192.168.58.4:23
11/17-09:57:56.118000 08:00:27:CB:B6:C0 -> 08:00:27:21:AF:47 type:0x800 len:0x46
192.168.58.5:39598 -> 192.168.58.4:23 TCP TTL:64 TOS:0x0 ID:43413 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0x470C2095  Ack: 0x47993993  Win: 0xE5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 231687 232203
00 00 00 01                                      ....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[root@localhost snort-2.9.8.3]# cat etc/cermak.conf
dynamicengine lib/snort_dynamicengine/libsf_engine.so
dynamicpreprocessor directory lib/snort_dynamicpreprocessor

preprocessor stream5_global: \
    max_tcp 8192, \
    track_tcp yes, \
    track_udp no

preprocessor stream5_tcp: \
    policy windows, \
    detect_anomalies, \
    require_3whs 180, \
    use_static_footprint_sizes, \
    ports server 80 2251, \
    ports both 80 2251

alert tcp any any -> any any (msg:"PoC C&C"; content:"|00 00 00 01|"; sid:10000; rev:1; )

[root@localhost snort-2.9.8.3]# ./bin/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.3 GRE (Build 383)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

Hope this helps...

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Alex Cermak <alex.cermak () protonmail com>
Reply-To: Alex Cermak <alex.cermak () protonmail com>
Date: Tuesday, November 15, 2016 at 8:57 PM
To: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
Subject: [Snort-sigs] Sig writing help

Hi,

I'm rather stuck writing a rule which will match the last 4 bytes of the given packet, does anyone know why the rule below would not match the packet below? I realise this rule is far from accurate at this stage, I'm just attempting to get it to fire.

Rule:
alert tcp any any -> any any (msg:"PoC C&C"; content:"|00 00 00 01|"; sid:10000; rev:1; )

Packet:
11/10-11:36:18.510776 192.168.58.5:39598 -> 192.168.58.4:23
TCP TTL:64 TOS:0x0 ID:43413 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0x470C2095  Ack: 0x47993993  Win: 0xE5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 231687 232203
0x0000: 08 00 27 21 AF 47 08 00 27 CB B6 C0 08 00 45 00  ..'!.G..'.....E.
0x0010: 00 38 A9 95 40 00 40 06 9B D0 C0 A8 3A 05 C0 A8  .8..@.@.....:...
0x0020: 3A 04 9A AE 00 17 47 0C 20 95 47 99 39 93 80 18  :.....G. .G.9...
0x0030: 00 E5 F5 84 00 00 01 01 08 0A 00 03 89 07 00 03  ................
0x0040: 8B 0B 00 00 00 01                                ......

$ snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.0 GRE (Build 149)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.38 2015-11-23
           Using ZLIB version: 1.2.8

Thanks,
Alex
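The thread's resolution is that Snort was verifying checksums and silently dropping the packet before detection ever saw it, which is why Albert's run with `-k none` alerts and Alex's default run did not. The following script is an added example, not part of the thread and not Snort code: it takes the hex dump Alex posted (embedded below as constructed input, ASCII column removed), recomputes the IPv4 header checksum and the TCP checksum over the pseudo-header, and checks whether the rule's `|00 00 00 01|` content is actually in the TCP payload. The function names, the `RULE_CONTENT` constant and the `offload_signature` heuristic (stored TCP checksum equal to the uncomplemented pseudo-header sum, the value a driver leaves for a NIC with checksum offload to finish) are my own; the thread does not say why the checksum is bad, so that interpretation is an inference.

```python
import struct

# Constructed input: the 70-byte Ethernet frame from the hex dump in the thread,
# offset and ASCII columns dropped.
PACKET_HEX = """
08 00 27 21 AF 47 08 00 27 CB B6 C0 08 00 45 00
00 38 A9 95 40 00 40 06 9B D0 C0 A8 3A 05 C0 A8
3A 04 9A AE 00 17 47 0C 20 95 47 99 39 93 80 18
00 E5 F5 84 00 00 01 01 08 0A 00 03 89 07 00 03
8B 0B 00 00 00 01
"""

# The content match from the rule in the thread: content:"|00 00 00 01|"
RULE_CONTENT = bytes.fromhex("00000001")


def parse_hex_dump(text: str) -> bytes:
    """Turn a whitespace-separated hex dump into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit ones'-complement sum with end-around carry folded in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """Checksum as stored in a header: the complement of the folded sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def verify_tcp_frame(frame: bytes) -> dict:
    """Parse Ethernet/IPv4/TCP and recompute both checksums.

    Returns stored vs computed values for IP and TCP, the TCP payload, whether
    the rule's content bytes occur in it, and an 'offload_signature' flag that is
    set when the stored TCP checksum equals the uncomplemented pseudo-header sum
    (what a driver writes before a NIC with checksum offload completes it).
    """
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                  # header length honours IP options
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if proto != 6:
        raise ValueError("not a TCP packet")

    ip_hdr = ip[:ihl]
    ip_stored = struct.unpack("!H", ip_hdr[10:12])[0]
    ip_computed = internet_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:])

    tcp = ip[ihl:total_len]                   # stop at IP total length, ignore padding
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, proto, len(tcp))
    tcp_stored = struct.unpack("!H", tcp[16:18])[0]
    tcp_computed = internet_checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])
    payload = tcp[(tcp[12] >> 4) * 4:]        # data offset skips TCP options

    return {
        "ip_stored": ip_stored,
        "ip_computed": ip_computed,
        "ip_ok": ip_stored == ip_computed,
        "tcp_stored": tcp_stored,
        "tcp_computed": tcp_computed,
        "tcp_ok": tcp_stored == tcp_computed,
        "offload_signature": tcp_stored == ones_complement_sum(pseudo),
        "payload": payload,
        "rule_content_present": RULE_CONTENT in payload,
    }


def check_thread_packet() -> dict:
    """Run the verification over the packet posted in the thread."""
    return verify_tcp_frame(parse_hex_dump(PACKET_HEX))


if __name__ == "__main__":
    for key, value in check_thread_packet().items():
        print(f"{key:22} {value:#06x}" if type(value) is int else f"{key:22} {value}")
```

Run stand-alone it reports the IP header checksum as valid and the TCP checksum as bad (stored 0xF584 against a recomputed 0xE8C4) while the rule's content bytes are present in the payload, so the rule itself was fine and verification was the only thing in the way. The stored value is exactly the pseudo-header sum, the pattern of a capture taken on the sending host before its NIC filled the field in. `-k none` (or `config checksum_mode: none` in snort.conf) is the right fix for a lab pcap like this; on a production sensor it also makes Snort inspect segments the receiving host's stack would discard, so capturing on a span port or tap, where offload has already completed, keeps verification on without losing traffic.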
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads