Network Security: Detailed info on Re: [Snort-users] Snort frustration

Subject:	Re: [Snort-users] Snort frustration
Date:	Fri, 02 Jun 2006 14:22:46 -0500

Humes, David G. wrote:

I added this rule to look for Google Desktop traffic.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Google
Desktop User-Agent detected"; flow:established,to_server; content:"GET
"; offset:0; depth:4; content:"|0d 0a|User-Agent\: Mozilla/4.0
(compatible\; Google Desktop)"; nocase; threshold:type limit,track
by_src, count 1,seconds 300; classtype:policy-violation; sid:8001018;
rev:1;)

And it appears to have fired on this packet.

Generated by BASE v1.2.4 (melissa) on Fri,  2 Jun 2006 12:14:38 -0400

------------------------------------------------------------------------
------
#(1 - 3031457) [2006-06-02 11:46:34] [local/8001018] [snort/8001018]
Google Desktop User-Agent detected
IPv4: 192.168.1.100 -> 216.239.39.99


dig -x 216.239.39.99

; <<>> DiG 9.3.1 <<>> -x 216.239.39.99
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10374
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;99.39.239.216.in-addr.arpa.    IN      PTR

;; AUTHORITY SECTION: 39.239.216.in-addr.arpa. 60 IN SOA ns1.google.com. dns-admin.google.com. 2004031201 21600 3600 1038800 60

whois 216.239.39.99

OrgName:    Google Inc.
OrgID:      GOGL
Address:    1600 Amphitheatre Parkway
City:       Mountain View
StateProv:  CA
PostalCode: 94043
Country:    US

NetRange:   216.239.32.0 - 216.239.63.255
CIDR:       216.239.32.0/19
NetName:    GOOGLE

That's a Google-owned address.  I'm betting it's Google Desktop.

      hlen=5 TOS=0 dlen=83 ID=9124 flags=2 offset=0 TTL=126 chksum=65404
TCP:  port=2181 -> dport: 80  flags=***AP*** seq=395991789
      ack=781565658 off=5 res=0 win=65535 urp=0 chksum=64289
Payload:  length = 43

000 : 47 45 54 20 2F 64 73 6E 65 77 73 3F 6A 3D 36 26   GET /dsnews?j=6&
010 : 68 6C 3D 65 6E 26 65 64 3D 63 6F 6D 26 76 3D 32   hl=en&ed=com&v=2
020 : 20 48 54 54 50 2F 31 2E 31 0D 0A                   HTTP/1.1..

What's on line 030, 040, etc.? Do you have a pcap? It looks like your rule is doing exactly what you would expect it to do, but you're not capturing (or at least seeing in BASE) the remainder of the packet. The UserAgent info follows the GET *and* the HTTP/1.1, so it's further down in the packet.

--
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-users] Snort frustration, Humes, David G. Re: [Snort-users] Snort frustration, Joel Esler Re: [Snort-users] Snort frustration, Paul Schmehl <= Re: [Snort-users] Snort frustration, Humes, David G. Re: [Snort-users] Snort frustration, Joel Esler

Previous by Date:	Re: [Snort-users] Snort frustration, Joel Esler
Next by Date:	[Snort-users] Sigs, numbers, performance, and the rule optimizer, Gentoo-Wally
Previous by Thread:	Re: [Snort-users] Snort frustration, Joel Esler
Next by Thread:	Re: [Snort-users] Snort frustration, Humes, David G.
Indexes:	[Date] [Thread] [Top] [All Lists]