Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Can't suppress Tagged Packet

from [Joel Esler] Network Security [Permanent Link]
Subject: Re: [Snort-users] Can't suppress Tagged Packet
Date: Fri, 26 May 2006 10:20:23 -0400 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Heh.  I wrote those rules a while back before I came to work for
Sourcefire.  At the time botnets were all over the place and there was
really no way to detect how they were getting in, so I wrote them with
the theory that all botnets were IRC at the time.

(The rules are basically the same at the Snort.org rules)

The tag was included in order to do exactly that, track botnets.  I used
to log in binary mode, so when a botnet was on the network, I could
reconstruct the whole session.  Since IRC was not allowed on our
networks (I was .mil), it was easy to track down botnets (plus anyone
that was using IRC was in violation, so we got them too). However, on a
university network, this won't work, as IRC is allowed.

I would either A) remove the tag from the rule, or B) suppress actual
IRC servers based off the server IP.  Since B is alot of work, A may be
faster.

tag 'alerts' are logged to db because they are under the "log" directive
as opposed to the "alert" directive.  Therefore they go to your db, as
the actual rule that triggered it goes to the alert file.

Joel

Rob Ward wrote:

--On 26 May 2006 09:40 -0400 Joel Esler <joel.esler@sourcefire.com> wrote:


Suppose you can copy and paste (take out the IP's) the alert you are
getting?

Joel


Strange - these aren't appearing in my sensors alert files only the
database and seem to be related to the following alerts triggered by a
Bleeding Snort Rule which DO appear in the alert file:


[**] [1:2000347:5] BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on
non-std port [**] [Classification: A Network Trojan was detected]
[Priority: 1]
05/26-14:54:24.064891 0:9:E9:A5:F8:0 -> 0:E:39:92:4C:0 type:0x800
len:0x6A
X.X.X.X:2353 -> 85.158.9.6:8000 TCP TTL:127 TOS:0x0 ID:8172
IpLen:20 DgmLen:92 DF ***AP*** Seq: 0x1EA9AEA7  Ack: 0x769ADDBF  Win:
0xFC00  TcpLen: 20


On investigation the majority of these are false positives but some can
be linked to Botnets.

The corresponding Tagged Packet alert that's in the database is:


Generated by BASE v1.2.2 (cindy) on Fri, 26 May 2006 15:06:19 +0100

-------------------------------------------------------------------------
-----
# (6 - 221802) [2006-05-26 14:54:24] [snort/1]  Tagged Packet
IPv4: X.X.X.X -> 85.158.9.6
      hlen=5 TOS=0 dlen=92 ID=8172 flags=0 offset=0 TTL=127 chksum=16965
TCP:  port=2353 -> dport: 8000  flags=***AP*** seq=514436775
      ack=1989860799 off=5 res=0 win=64512 urp=0 chksum=46007
Payload:  length = 52

000 : 50 52 49 56 4D 53 47 20 23 75 6B 5F 6C 69 76 65   PRIVMSG #uk_live
010 : 72 70 6F 6F 6C 5F 63 72 75 69 73 69 6E 67 20 3A   rpool_cruising :
020 : 41 4E 59 31 20 57 41 4E 4E 41 20 43 48 41 54 3F   ANY1 WANNA CHAT?
030 : 3F 3F 0D 0A                                       ??..


Thanks

Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department

-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



- --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEdw6nKbCSyXHckt4RAqbXAJ9Ts4YDlhyxiIAeLNcDKHOsXJNIyQCdHGtU
lPfLiZTK0PRib3UTp8YQZSY=
=zULI
-----END PGP SIGNATURE-----


-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Can't suppress Tagged Packet, Rob Ward
Next by Date:  Re: [Snort-users] Can't suppress Tagged Packet, Bamm Visscher
Previous by Thread:  Re: [Snort-users] Can't suppress Tagged Packet, Rob Ward
Next by Thread:  Re: [Snort-users] Can't suppress Tagged Packet, Bamm Visscher
Indexes:  [Date] [Thread] [Top] [All Lists]