Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-users] Question on port lists and negation

from [Richard Bejtlich] Network Security [Permanent Link]
Subject: [Snort-users] Question on port lists and negation
Date: Mon, 8 Oct 2007 15:59:15 -0400 
Hello,

As I mentioned to roesch and WuTang in IRC, I am playing with port
lists and negation.

Say I create this snort.conf:

portvar MY_HTTP_PORTS [80,81,82,83,88,8000,8008,8080]
alert tcp any any -> any !$MY_HTTP_PORTS (msg:"Example Not"; sid:4;)

To test this variable and rule I use Netcat:

$ nc -v 192.168.2.103 8000
nc: connect to 192.168.2.103 port 8000 (tcp) failed: Connection refused

Netcat generates this traffic.

16:52:32.370899 IP 192.168.2.105.50970 > 192.168.2.103.8000:
 S 3574479912:3574479912(0) win 65535
 <mss 1460,nop,wscale 1,nop,nop,timestamp 2620575 0,sackOK,eol>

16:52:32.370903 IP 192.168.2.103.8000 > 192.168.2.105.50970:
 R 0:0(0) ack 3574479913 win 0

Snort reports these alerts.

10/08-16:56:26.358386  [**] [1:4:0] Example Not [**] [Priority: 0]
{TCP} 192.168.2.105:50970 -> 192.168.2.103:8000
10/08-16:56:26.358527  [**] [1:4:0] Example Not [**] [Priority: 0]
{TCP} 192.168.2.103:8000 -> 192.168.2.105:50970

That doesn't look right.  Why did the first alert fire?  You do not
want to see traffic to port 8000 TCP, yet you got an alert.  The
second alert fired because the RST ACK was sent to port 50970 TCP,
which is not in the port variable list.

Let's try another angle in a new snort.conf.

portvar NOT_MY_HTTP_PORTS [!80,!81,!82,!83,!88,!8000,!8008,!8080]
alert tcp any any -> any $NOT_MY_HTTP_PORTS (msg:"Example Not"; sid:5;)

Again use Netcat to generate traffic.

$ nc -v 192.168.2.103 8000
nc: connect to 192.168.2.103 port 8000 (tcp) failed: Connection refused

It looks like this.

16:56:11.091099 IP 192.168.2.105.53298 > 192.168.2.103.8000:
 S 2235929694:2235929694(0) win 65535
 <mss 1460,nop,wscale 1,nop,nop,timestamp 2642448 0,sackOK,eol>

16:56:11.095002 IP 192.168.2.103.8000 > 192.168.2.105.53298:
 R 0:0(0) ack 2235929695 win 0

This time, Snort reports only one alert.

10/08-17:00:07.050091  [**] [1:5:0] Example Not [**] [Priority: 0]
{TCP} 192.168.2.103:8000 -> 192.168.2.105:53298

This is the desired behavior.  Snort ignored the SYN packet to port
8000 TCP but it fired on the return traffic.

Is this is a logic issue?

This does not negate (oww, bad pun) the fact that port lists are very helpful.

Thank you,

Richard

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Don't log events from local interface, co street
Next by Date:  Re: [Snort-users] Question on port lists and negation, Matt Kettler
Previous by Thread:  [Snort-users] Don't log events from local interface, co street
Next by Thread:  Re: [Snort-users] Question on port lists and negation, Matt Kettler
Indexes:  [Date] [Thread] [Top] [All Lists]