The won't be in your alert file as the tagged packets are a "log" func.
That rule most definately uses the "tag" keyword.
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:
"BLEEDING-EDGE ATTACK RESPONSE IRC - Nick change on non-std port";
flow: to_server,established; dsize: <64; content:"NICK "; nocase;
offset: 0; depth: 5; tag: session,300,seconds; classtype:
trojan-activity; sid: 2000345; rev:5; )
Bammkkkk
On 5/26/06, Rob Ward <rob.ward@liverpool.ac.uk> wrote:
--On 26 May 2006 09:40 -0400 Joel Esler <joel.esler@sourcefire.com> wrote:
> Suppose you can copy and paste (take out the IP's) the alert you are
> getting?
>
> Joel
Strange - these aren't appearing in my sensors alert files only the
database and seem to be related to the following alerts triggered by a
Bleeding Snort Rule which DO appear in the alert file:
> [**] [1:2000347:5] BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on
> non-std port [**] [Classification: A Network Trojan was detected]
> [Priority: 1]
> 05/26-14:54:24.064891 0:9:E9:A5:F8:0 -> 0:E:39:92:4C:0 type:0x800 len:0x6A
> X.X.X.X:2353 -> 85.158.9.6:8000 TCP TTL:127 TOS:0x0 ID:8172
> IpLen:20 DgmLen:92 DF ***AP*** Seq: 0x1EA9AEA7 Ack: 0x769ADDBF Win:
> 0xFC00 TcpLen: 20
On investigation the majority of these are false positives but some can be
linked to Botnets.
The corresponding Tagged Packet alert that's in the database is:
> Generated by BASE v1.2.2 (cindy) on Fri, 26 May 2006 15:06:19 +0100
>
> -------------------------------------------------------------------------
> -----
># (6 - 221802) [2006-05-26 14:54:24] [snort/1] Tagged Packet
> IPv4: X.X.X.X -> 85.158.9.6
> hlen=5 TOS=0 dlen=92 ID=8172 flags=0 offset=0 TTL=127 chksum=16965
> TCP: port=2353 -> dport: 8000 flags=***AP*** seq=514436775
> ack=1989860799 off=5 res=0 win=64512 urp=0 chksum=46007
> Payload: length = 52
>
> 000 : 50 52 49 56 4D 53 47 20 23 75 6B 5F 6C 69 76 65 PRIVMSG #uk_live
> 010 : 72 70 6F 6F 6C 5F 63 72 75 69 73 69 6E 67 20 3A rpool_cruising :
> 020 : 41 4E 59 31 20 57 41 4E 4E 41 20 43 48 41 54 3F ANY1 WANNA CHAT?
> 030 : 3F 3F 0D 0A ??..
Thanks
Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department
-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
sguil - The Analyst Console for NSM
http://sguil.sf.net
-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
