Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Can't suppress Tagged Packet

from [Rob Ward] Network Security [Permanent Link]
Subject: Re: [Snort-users] Can't suppress Tagged Packet
Date: Fri, 26 May 2006 15:08:56 +0100 
--On 26 May 2006 09:40 -0400 Joel Esler <joel.esler@sourcefire.com> wrote:

Suppose you can copy and paste (take out the IP's) the alert you are
getting?

Joel

Strange - these aren't appearing in my sensors alert files only the database and seem to be related to the following alerts triggered by a Bleeding Snort Rule which DO appear in the alert file:

[**] [1:2000347:5] BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on
non-std port [**] [Classification: A Network Trojan was detected]
[Priority: 1]
05/26-14:54:24.064891 0:9:E9:A5:F8:0 -> 0:E:39:92:4C:0 type:0x800 len:0x6A
X.X.X.X:2353 -> 85.158.9.6:8000 TCP TTL:127 TOS:0x0 ID:8172
IpLen:20 DgmLen:92 DF ***AP*** Seq: 0x1EA9AEA7  Ack: 0x769ADDBF  Win:
0xFC00  TcpLen: 20

On investigation the majority of these are false positives but some can be linked to Botnets.

The corresponding Tagged Packet alert that's in the database is:

Generated by BASE v1.2.2 (cindy) on Fri, 26 May 2006 15:06:19 +0100

-------------------------------------------------------------------------
-----
# (6 - 221802) [2006-05-26 14:54:24] [snort/1]  Tagged Packet
IPv4: X.X.X.X -> 85.158.9.6
      hlen=5 TOS=0 dlen=92 ID=8172 flags=0 offset=0 TTL=127 chksum=16965
TCP:  port=2353 -> dport: 8000  flags=***AP*** seq=514436775
      ack=1989860799 off=5 res=0 win=64512 urp=0 chksum=46007
Payload:  length = 52

000 : 50 52 49 56 4D 53 47 20 23 75 6B 5F 6C 69 76 65   PRIVMSG #uk_live
010 : 72 70 6F 6F 6C 5F 63 72 75 69 73 69 6E 67 20 3A   rpool_cruising :
020 : 41 4E 59 31 20 57 41 4E 4E 41 20 43 48 41 54 3F   ANY1 WANNA CHAT?
030 : 3F 3F 0D 0A                                       ??..


Thanks

Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department 


-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Can't suppress Tagged Packet, Joel Esler
Next by Date:  Re: [Snort-users] Can't suppress Tagged Packet, Joel Esler
Previous by Thread:  Re: [Snort-users] Can't suppress Tagged Packet, Joel Esler
Next by Thread:  Re: [Snort-users] Can't suppress Tagged Packet, Joel Esler
Indexes:  [Date] [Thread] [Top] [All Lists]