[Snort-users] Signature Lookup Confusion


Josh Bitto

May 7, 2013, 1:24:27 PM
I'm having a bit of a problem fully grasping how to search up rules that have been fired.....

2013-05-07T10:14:05-07:00 firewall snort[62223]: [120:8:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 209.97.200.53:32459 -> 216.178.47.38:80


Ok so what I understand from the log is that rule 120 fired. Either I need some caffeine or it's a horrible Tuesday for me to comprehend this, but I'm just not getting it. The instructions on how to search for the group id and the sid for some reason are not sticking. Can someone dumb this down for me....I'm gonna run out and get a pop and hopefully come back to someone who has awesomely helped me out.


Basically I want to be able to search for explanations on whatever event happens so I can determine if I need to take action or not.



Josh

_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Jeremy Hoel

May 7, 2013, 1:29:40 PM
This is GID 120, SID 8.

So it's not a rule as in snort.rules. This gets fired from the
preprocessor http_inspect.

beenph

May 7, 2013, 1:31:36 PM
[gid:sid:revision]

binf@SINGULAR:~/$ grep "^120" gen-msg.map
120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
120 || 2 || http_inspect: INVALID STATUS CODE IN HTTP RESPONSE
120 || 3 || http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
120 || 4 || http_inspect: HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
120 || 5 || http_inspect: HTTP RESPONSE HAS UTF-7 CHARSET
120 || 6 || http_inspect: HTTP RESPONSE GZIP DECOMPRESSION FAILED
120 || 7 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
120 || 8 || http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
120 || 9 || http_inspect: JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
120 || 10 || http_inspect: JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
120 || 11 || http_inspect: MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA

Jeremy Hoel

May 7, 2013, 1:32:12 PM
Oops.. early <enter>..

To find out more about that preprocessor, check the source code, under
docs.. you'll see README.http_inspect. Search for Chunk and you get

* chunk_length [non-zero positive integer] *
This option is an anomaly detector for abnormally large chunk sizes. This picks
up the apache chunk encoding exploits, and may also alert on HTTP tunneling that
uses chunk encoding.

Anyways.. the readme explains what the config options are for and how
you might be able to tweak it better.

On Tue, May 7, 2013 at 5:29 PM, Jeremy Hoel <jth...@gmail.com> wrote:
> This is GID 120, SID 8.
>
> So it's not a rule as in snort.rules This gets fired from
> preprocessor http_inspect
>

Ian Bowers

May 7, 2013, 1:32:47 PM
This means generator 120, signature 1, revision 1.  Gen 120 is "HTTP Inspect preprocessor ( Server )", which is consistent with your alert.

Ian Bowers

May 7, 2013, 1:33:48 PM
See this link for a list of preprocessor gen IDs and their meanings.

waldo kitty

May 7, 2013, 1:52:28 PM
On 5/7/2013 13:24, Josh Bitto wrote:
> I'm having a bit of a problem fully grasping how to search up rules that have
> been fired.....
>
> 2013-05-07T10:14:05-07:00 firewall snort[62223]: [120:8:1] (http_inspect)
> INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic]
> [Priority: 3] {TCP} 209.97.200.53:32459 -> 216.178.47.38:80
>
>
> Ok so what I understand from the log is that rule 120 fired. Either I need

no sir... rule identifiers are in GID:SID:rev format... only the GID:SID are
really necessary...

the above says Generator 120 fired its rule with SID 8...

Generator 120 is http_inspect...

its rule SID 8 is "INVALID CONTENT-LENGTH OR CHUNK SIZE"...

these are not "normal" rules like the *.rules files you download... these rules
are built into the processor...

> some caffeine or it's a horrible Tuesday for me to comprehend this, but I'm
> just not getting it. The instructions on how to search for the group id and
> the sid for some reason are not sticking. Can someone dumb this down for
> me....I'm gonna run out and get a pop and hopefully come back to someone who
> has awesomely helped me out.

does the above help?

> Basically I want to be able to search for explanations on whatever event
> happens so I can determine if I need to take action or not.

this is where you might need to break out a pcap viewing tool like wireshark so
you can look at the content of the network traffic that triggered the rule...
snort should have saved a pcap for you and this particular entry will likely be
inside a large pcap containing other saved traffic from other alerts... you use
the timestamp to determine the proper packet to look at and then work it from
there...


FWIW: i've someone who is a client on a large Canadian cable network and they
are getting hit by tons of these... we haven't yet determined why, though...

--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.

Josh Bitto

May 7, 2013, 2:02:14 PM
Thanks everyone! Yes it does help....No I haven't been able to go get my pop yet.....I'm kinda panicking at the moment about this

2013-05-07T10:38:26-07:00 firewall snort[62223]: [1:2010645:9] ET POLICY User-Agent (Launcher) [Classification: A Network Trojan was Detected] [Priority: 1] {TCP}

I've tried to do a search to find the definition of it and see why this fired. I don't want to block something that might be a false positive. Although the above has no hint of being a false positive I want to act on this quickly.

So I went here...
http://www.snort.org/search/

put in the 2010645...nothing came up.....put in the 1....nothing came up. That's my hang up right now is doing a search for reference of what a sid/gid happens....I want to be able to search it up and see by definition what is going on.

Jeremy Hoel

May 7, 2013, 2:18:10 PM
Don't panic! Grab your towel and it will all be ok.

Anything with a SID of 1 will have a normal rule file.. so if you use
the default pulledpork and have all your rules in one file, then grep
snort.rules for 2010645 and you'll see

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
User-Agent (Launcher)"; flow: to_server,established;
content:"Launcher"; http_header; nocase;
pcre:"/User-Agent\x3a[^\n]+Launcher/iH";
reference:url,doc.emergingthreats.net/2010645;
classtype:trojan-activity; sid:2010645; rev:9;)


Do you have the packet data for the tripped alert? Is the Launcher
part of the user agent or maybe in a cookie or a referer? That kind of
stuff really helps figure out if it's a FP or not.


Also, since this is an ET rule, I don't think it would work on the
snort rule search.
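As an added example (not code from this thread or from the Snort project), here is the lookup that beenph and waldo kitty describe for preprocessor events and that Jeremy describes for GID 1 rules, done in Python: pull the [gid:sid:rev] tag out of a syslog alert line, then resolve it against gen-msg.map when the GID is a preprocessor or decoder, or against the rules file when the GID is 1. The two alert lines, the gen-msg.map rows and the ET rule are the ones quoted in this thread, embedded as constructed sample input; the function names are my own.

```python
import re

# Constructed sample input from this thread, embedded so the example runs offline.
ALERTS = [
    "2013-05-07T10:14:05-07:00 firewall snort[62223]: [120:8:1] (http_inspect) INVALID CONTENT-LENGTH "
    "OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 209.97.200.53:32459 -> 216.178.47.38:80",
    "2013-05-07T10:38:26-07:00 firewall snort[62223]: [1:2010645:9] ET POLICY User-Agent (Launcher) "
    "[Classification: A Network Trojan was Detected] [Priority: 1] {TCP}",
]
GEN_MSG_MAP = """\
120 || 7 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
120 || 8 || http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
"""
RULES = r"""alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY User-Agent (Launcher)"; flow: to_server,established; content:"Launcher"; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+Launcher/iH"; reference:url,doc.emergingthreats.net/2010645; classtype:trojan-activity; sid:2010645; rev:9;)"""

def parse_alert(line):
    """Pull (gid, sid, rev) out of the [gid:sid:rev] tag in a Snort syslog line."""
    m = re.search(r"\[(\d+):(\d+):(\d+)\]", line)
    if not m:
        raise ValueError("no [gid:sid:rev] tag found")
    return tuple(int(x) for x in m.groups())

def load_gen_msg_map(text):
    """gen-msg.map rows are 'gid || sid || message'; index them by (gid, sid)."""
    table = {}
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.split("||")]
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table

def load_rule_msgs(text):
    """Index a .rules file by sid, keeping each rule's msg and first reference."""
    table = {}
    for raw in text.splitlines():
        sid = re.search(r"sid:\s*(\d+)\s*;", raw)
        msg = re.search(r'msg:\s*"([^"]*)"\s*;', raw)
        ref = re.search(r"reference:\s*([^;]+);", raw)
        if sid and msg:
            table[int(sid.group(1))] = (msg.group(1), ref.group(1).strip() if ref else None)
    return table

def lookup(line, gen_map, rule_msgs):
    gid, sid, rev = parse_alert(line)
    if gid == 1:  # GID 1 is a text rule: look in the rules file (or sid-msg.map)
        msg, ref = rule_msgs.get(sid, (None, None))
        return {"gid": gid, "sid": sid, "rev": rev, "msg": msg, "ref": ref}
    # Any other GID is a preprocessor or decoder event and lives in gen-msg.map
    return {"gid": gid, "sid": sid, "rev": rev, "msg": gen_map.get((gid, sid)), "ref": None}
```

Against a real installation, feed load_gen_msg_map and load_rule_msgs the contents of your gen-msg.map and snort.rules (or sid-msg.map) instead of the embedded strings.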

Joel Esler

May 7, 2013, 2:22:19 PM
This was a User-Agent seen from the Gozi Trojan IIRC. Probably 3 years old or so now, not sure how much use it is to identify Gozi anymore. Although…

Josh Bitto

May 7, 2013, 2:51:05 PM
I think my hang up on this is the way that I have it setup....

Pfsense/withsnort->to syslog server/with OSSEC monitoring logs. I think what it is doing is reading the log content and seeing Trojan and then alerting based on it.


So that's why I'm needing a reference guide for each rule/preprocessor...etc...so that I can look it up and say....oh this is ok or no I have a problem.





Josh Bitto

May 8, 2013, 2:17:16 PM
Joel,

Quick question.....Your response did you mean to say Gozi Trojan IRC or IIRC? I think it might have been a typo......Well looking at the logs just from the flow of alerts I get IRC chat policy attempts....plus this one.

Joel Esler

May 8, 2013, 4:36:41 PM
IIRC -> If I remember correctly.