We're getting the following alerts from an instance of snort that is using
barnyard to feed mysql (FreeBSD, snort 2.1.3, barnyard 0.2.0, mysql 3.23.58).
bash-2.05b# grep output /usr/local/etc/snort_special.conf | grep -v "#"
output log_unified: filename snort_special.log, limit 128
bash-2.05b# grep output /usr/local/etc/barnyard.conf | grep -v "#"
output log_acid_db: mysql, database snort_special, server localhost, user
user, password password, detail full
Alert number    Priority:sid:rev                       Most recent alert    Source IP             Dest IP              Protocol
#0-(1-691753)   [snort] Snort Alert [1:2147483647:0]   2004-11-04 23:06:42  129.110.20.1:143      24.1.206.36:3918     TCP
#1-(1-691754)   [snort] Snort Alert [1:2147483647:0]   2004-11-04 23:07:01  129.110.20.1:143      24.1.206.36:3918     TCP
#2-(1-691755)   [snort] Snort Alert [1:2147483647:0]   2004-11-04 23:07:55  129.110.10.12:41341   206.16.192.227:25    TCP
After examining the payloads, it was determined that these were triggered
by an alert we wrote yesterday.
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg: "DMCA Violation - Still Standing"; classtype: misc-activity; content: "still.standing.s03e06.hdtv-lol"; sid: 10000000033; rev: 1;)
The alert *is* in the sid-msg.map.
bash-2.05b# grep 10000000033 /usr/local/share/snort/sid-msg_special.map
10000000033 || DMCA Violation - Still Standing
So I grepped the rules directory for this number, and this is what I found.
bash-2.05b# grep 2147483647 /usr/local/share/snort/*
/usr/local/share/snort/deleted.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2498; rev:8;)
/usr/local/share/snort/deleted.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2499; rev:8;)
/usr/local/share/snort/deleted.rules:alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2503; rev:9;)
/usr/local/share/snort/deleted.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2506; rev:9;)
/usr/local/share/snort/pop3.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2501; rev:10;)
Here's the rules files that this instance of snort is using:
# Step #4: Customize your rule set
#
include $RULE_PATH/special.rules
include $RULE_PATH/dmca.rules
include $RULE_PATH/test.rules
#include $RULE_PATH/trojan-irc.rules
Note that neither the deleted.rules nor the pop3.rules files are being
"read" by this instance of snort.
What the heck is going on here? This number is not even the sid for a rule,
nor is it in a rule file that this instance should be reading. How is
barnyard picking up this byte_test integer?
Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
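Added illustration (not part of Paul's message, and not code from snort or barnyard): 2147483647 is 2^31-1, the largest value a signed 32-bit integer can hold, and it is also what strtol() returns on a 32-bit host when the digits overflow a long. A sid of 10000000033 is far above that limit. If the rule parser converted the sid with a strtol-family call into a 32-bit field (an assumption here, not checked against the 2.1.3 source), the unified log would carry sid 2147483647, barnyard would find no such sid in sid-msg.map, and it would fall back to the generic "Snort Alert [1:2147483647:0]" label seen in the alerts. The byte_test hits in deleted.rules would then be a coincidence: those rules compare against the same constant. The C program below models that path: a saturating parse beside a range-checked one, and a map loader that rejects out-of-range sids at load time instead of silently mis-keying them. The sid-msg.map lines are constructed for the example.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SNORT_SID_MAX 2147483647LL   /* INT32_MAX, the value that showed up in the alerts */

/* Legacy-style conversion. strtol() on an ILP32 host saturates at LONG_MAX
 * (2147483647) for oversized input and only reports it through errno.
 * Assumption (not verified against the snort 2.1.3 source): the rule parser
 * ignored errno. The explicit clamp reproduces the ILP32 result on 64-bit
 * hosts so the example behaves the same everywhere. */
static uint32_t parse_sid_legacy(const char *text)
{
    errno = 0;
    long long v = strtoll(text, NULL, 10);
    if (errno == ERANGE || v > SNORT_SID_MAX) v = SNORT_SID_MAX;
    if (v < 0) v = 0;
    return (uint32_t)v;
}

/* Checked conversion: the whole token must be a decimal in 1..INT32_MAX. */
static bool parse_sid_checked(const char *text, uint32_t *out)
{
    char *end = NULL;
    errno = 0;
    long long v = strtoll(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE) return false;
    if (v < 1 || v > SNORT_SID_MAX) return false;
    *out = (uint32_t)v;
    return true;
}

/* Convenience for callers that want one return value: -1 on rejection. */
static long long checked_sid_or_neg1(const char *text)
{
    uint32_t sid;
    return parse_sid_checked(text, &sid) ? (long long)sid : -1;
}

/* Constructed sid-msg.map contents, same layout as the file grepped in the post. */
static const char *SID_MSG_MAP_TEXT =
    "2501 || POP3 SSLv3 invalid timestamp attempt\n"
    "10000000033 || DMCA Violation - Still Standing\n";

/* Look a sid up in the map, validating each entry's sid on the way.
 * Returns the message or NULL; rejected entries are reported on stderr. */
static const char *lookup_sid_msg(uint32_t sid, char *buf, size_t buflen)
{
    const char *p = SID_MSG_MAP_TEXT;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len + (nl ? 1 : 0);

        char *sep = strstr(line, " || ");
        if (!sep) continue;
        *sep = '\0';
        uint32_t entry_sid;
        if (!parse_sid_checked(line, &entry_sid)) {
            fprintf(stderr, "sid-msg.map: rejecting sid '%s' (not in 1..%lld)\n",
                    line, SNORT_SID_MAX);
            continue;
        }
        if (entry_sid == sid) {
            snprintf(buf, buflen, "%s", sep + 4);
            return buf;
        }
    }
    return NULL;
}

/* Build the label the way the post shows it: the mapped message when the sid
 * resolves, otherwise the generic "Snort Alert [gen:sid:rev]". Static buffer. */
static const char *label_for(uint32_t gen, uint32_t sid, uint32_t rev)
{
    static char label[160];
    char msg[128];
    if (lookup_sid_msg(sid, msg, sizeof msg))
        snprintf(label, sizeof label, "%s", msg);
    else
        snprintf(label, sizeof label, "Snort Alert [%" PRIu32 ":%" PRIu32 ":%" PRIu32 "]",
                 gen, sid, rev);
    return label;
}

int main(void)
{
    uint32_t sid = parse_sid_legacy("10000000033");
    printf("legacy parse of 10000000033 -> %" PRIu32 "\n", sid);
    printf("label for that sid          -> %s\n", label_for(1, sid, 0));
    printf("checked parse of 10000000033 -> %lld\n", checked_sid_or_neg1("10000000033"));
    return 0;
}
```

Running it prints the saturated sid, the generic "Snort Alert [1:2147483647:0]" label because the map entry for 10000000033 is rejected at load time rather than silently mis-keyed, and -1 from the checked parser, which is the check a rule loader would want before writing the sid into a 32-bit unified-log field.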