Subject: [snort] Can't get whisker scan to log
From: Joey McAlerney (joeySiliconDefense.com)
Date: Thu Mar 02 2000 - 14:37:59 CST


Hi everyone,

I cannot figure out why snort won't generate an alert on this. The two
rules are slight modifications of a rule from Rapidnet. The only
difference between the two is the space between HEAD and /./ in the
content.

alert tcp any any -> $HOME_NET 80 (msg:"SCAN-Whisker!"; flags:PA;
content:"HEAD /./";)
alert tcp any any -> $HOME_NET 80 (msg:"SCAN-Whisker!"; flags:PA;
content:"HEAD/./";)

I caught this packet running snort in verbose mode... (HOME_NET is
yy.yyy.yyy.yyy/32)

03/02-12:16:05.130434 xxx.xx.xxx.xxx:40844 -> yy.yyy.yyy.yyy:80
TCP TTL:52 TOS:0x0 ID:8375 DF
*****PA* Seq: 0x705A36BB Ack: 0x86C0E2A3 Win: 0x7D78
TCP Options => NOP NOP TS: 25179137 256372999
48 45 41 44 20 2F 2E 2F 20 48 54 54 50 2F 31 2E HEAD /./ HTTP/1.
30 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 0..User-Agent: M
6F 7A 69 6C 6C 61 2F 34 2E 37 20 5B 65 6E 5D 20 ozilla/4.7 [en]
28 57 69 6E 39 35 3B 20 55 29 0D 0A 52 65 66 65 (Win95; U)..Refe
72 65 72 3A 20 68 74 74 70 3A 2F 2F 36 33 2E 31 rer: http://yy.y
39 33 2E 31 30 30 2E 31 30 31 2F 0D 0A 43 6F 6E yy.yyy.yyy/..Con
6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A nection: close..
0D 0A

The alert didn't go off.

In RULES.USAGE it states, "The content string will be matched against
data contained in the packet payload." I don't see how this can be an
exact match, but that would explain why the alert isn't going off.
Perhaps someone could clarify this for me.

I am running 1.6beta10.1 on RH 6.1. Snort was called with -D -d -c
blah.rules. Oh, and I ran Whisker 1.3.0a like this:

    whisker.pl -I 2 -h yy.yyy.yyy.yyy

Thanks,

-Joey
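The question in the post is whether a `content:` string has to equal the whole payload or only appear somewhere in it. The following added example (my code, not part of Joey's message and not Snort's own matching engine) parses the `-d` hex dump quoted above, treats the content string the way RULES.USAGE describes it (a substring search over the payload bytes), and reports the match offset for both rule variants. It also accepts Snort's pipe-delimited hex form, e.g. `content:"HEAD|20|/./"`, which the post does not use; the rule names in `RULE_CONTENTS` are labels chosen here, not Snort identifiers.

```python
"""Check Snort-style content: strings against the payload of the packet
quoted in the post.  Added example; not code from the original message
or from the Snort project."""

import re

# The packet dump exactly as it appears in the post (snort -d output:
# 16 hex bytes per line followed by an ASCII column).  Constructed input
# copied from the message; the ASCII column is ignored by the parser.
PACKET_DUMP = """\
48 45 41 44 20 2F 2E 2F 20 48 54 54 50 2F 31 2E HEAD /./ HTTP/1.
30 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 0..User-Agent: M
6F 7A 69 6C 6C 61 2F 34 2E 37 20 5B 65 6E 5D 20 ozilla/4.7 [en]
28 57 69 6E 39 35 3B 20 55 29 0D 0A 52 65 66 65 (Win95; U)..Refe
72 65 72 3A 20 68 74 74 70 3A 2F 2F 36 33 2E 31 rer: http://yy.y
39 33 2E 31 30 30 2E 31 30 31 2F 0D 0A 43 6F 6E yy.yyy.yyy/..Con
6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A nection: close..
0D 0A
"""

# The two content strings from the rules in the post (labels are ours).
RULE_CONTENTS = {
    "SCAN-Whisker (with space)": "HEAD /./",
    "SCAN-Whisker (no space)": "HEAD/./",
}

# Leading run of two-digit hex bytes on a dump line; stops at the ASCII column.
_HEX_RUN = re.compile(r"^((?:[0-9A-Fa-f]{2}(?:\s+|$))+)")


def parse_hexdump(dump: str) -> bytes:
    """Rebuild payload bytes from snort -d style output.

    Only the hex columns are used (at most 16 bytes per line), so the
    ASCII column, even when anonymised as in the post, cannot skew the
    result.  Lines with no leading hex bytes are skipped.
    """
    payload = bytearray()
    for line in dump.splitlines():
        m = _HEX_RUN.match(line.strip())
        if not m:
            continue
        payload += bytes.fromhex(m.group(1))[:16]
    return bytes(payload)


def parse_content(spec: str) -> bytes:
    """Turn the text of a content: option into the bytes Snort searches for.

    Text outside pipes is literal; text between a pair of pipes is hex,
    e.g. "HEAD|20|/./" and "HEAD /./" denote the same 8 bytes.
    """
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError(f"unbalanced '|' in content string: {spec!r}")
    out = bytearray()
    for i, part in enumerate(parts):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def content_match(payload: bytes, spec: str) -> int:
    """Offset of the first occurrence of the content in the payload, or -1.

    This is a substring search, not a whole-payload comparison: the rule
    fires when the bytes appear anywhere in the payload.
    """
    return payload.find(parse_content(spec))


def evaluate_rules(payload: bytes, contents: dict) -> dict:
    """Map each rule label to its match offset (-1 when it would not fire)."""
    return {label: content_match(payload, spec) for label, spec in contents.items()}


if __name__ == "__main__":
    pkt = parse_hexdump(PACKET_DUMP)
    print(f"payload: {len(pkt)} bytes, starts {pkt[:17]!r}")
    for label, offset in evaluate_rules(pkt, RULE_CONTENTS).items():
        status = f"matches at offset {offset}" if offset >= 0 else "no match"
        print(f"{label}: {status}")
```

Run as a script it shows that the payload begins with the 17 bytes `HEAD /./ HTTP/1.0`, that the first content string is found at offset 0 and the second is not found at all. In other words, under the substring semantics RULES.USAGE describes, the rule with the space should fire on this packet; if it does not, the cause lies outside the content comparison itself (rule loading, `$HOME_NET`, the `flags:PA` test) rather than in any need for an exact whole-payload match.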