From: Joel Esler (jesler at sourcefire.com)
Date: Tue May 07 2013 - 13:22:19 CDT
This was a User-Agent seen from the Gozi Trojan IIRC. Probably 3 years old or so now, not sure how much use it is to identify Gozi anymore. Although…
On May 7, 2013, at 2:18 PM, Jeremy Hoel <jthoel at gmail.com> wrote:
> Don't panic! Grab your towel and it will all be ok.
>
> Anything with a SID of 1 will have a normal rule file. So if you use
> the default pulledpork and have all your rules in one file, then grep
> snort.rules for 2010645 and you'll see
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
> User-Agent (Launcher)"; flow: to_server,established;
> content:"Launcher"; http_header; nocase;
> pcre:"/User-Agent\x3a[^\n]+Launcher/iH";
> reference:url,doc.emergingthreats.net/2010645;
> classtype:trojan-activity; sid:2010645; rev:9;)
>
>
> Do you have the packet data for the tripped alert? Is the Launcher
> part of the user agent, or maybe in a cookie or a referer? That kind of
> stuff really helps figure out if it's a FP or not.
>
>
> Also, since this is an ET rule, I don't think it would work on the
> snort rule search.
>
>
>
> On Tue, May 7, 2013 at 6:02 PM, Josh Bitto <jbitto at onlineschool.ca> wrote:
>> Thanks everyone! Yes, it does help.... No, I haven't been able to go get my pop yet..... I'm kinda panicking at the moment about this
>>
>> 2013-05-07T10:38:26-07:00 firewall snort[62223]: [1:2010645:9] ET POLICY User-Agent (Launcher) [Classification: A Network Trojan was Detected] [Priority: 1] {TCP}
>>
>> I've tried to do a search to find the definition of it and see why this fired. I don't want to block something that might be a false positive. Although the above has no hint of being a false positive, I want to act on this quickly.
>>
>> So I went here...
>> http://www.snort.org/search/
>>
>> put in the 2010645... nothing came up..... put in the 1.... nothing came up. That's my hang-up right now: doing a search for a reference of what a sid/gid means. I want to be able to search it up and see by definition what is going on.
>>
>>
>>
>> -----Original Message-----
>> From: waldo kitty [mailto:wkitty42 at windstream.net]
>> Sent: Tuesday, May 07, 2013 10:52 AM
>> To: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Signature Lookup Confusion
>>
>> On 5/7/2013 13:24, Josh Bitto wrote:
>>> I'm having a bit of a problem fully grasping how to search up rules
>>> that have been fired.....
>>>
>>> 2013-05-07T10:14:05-07:00 firewall snort[62223]: [120:8:1]
>>> (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification:
>>> Unknown Traffic]
>>> [Priority: 3] {TCP} 209.97.200.53:32459 -> 216.178.47.38:80
>>>
>>>
>>> Ok so what I understand from the log is that rule 120 fired. Either I
>>> need
>>
>> no sir... rule identifiers are in GID:SID:rev format... only the GID:SID are really necessary...
>>
>> the above says Generator 120 fired its rule with SID 8...
>>
>> Generator 120 is http_inspect...
>>
>> its rule SID 8 is "INVALID CONTENT-LENGTH OR CHUNK SIZE"...
>>
>> these are not "normal" rules like the *.rules files you download... these rules are built into the processor...
>>
>>> some caffeine or it's a horrible Tuesday for me to comprehend this,
>>> but I'm just not getting it. The instructions on how to search for the
>>> group id and the sid for some reason are not sticking. Can someone
>>> dumb this down for me....I'm gonna run out and get a pop and hopefully
>>> come back to someone who has awesomely helped me out.
>>
>> does the above help?
>>
>>> Basically I want to be able to search for explanations on whatever
>>> event happens so I can determine if I need to take action or not.
>>
>> this is where you might need to break out a pcap viewing tool like wireshark so you can look at the content of the network traffic that triggered the rule...
>> snort should have saved a pcap for you and this particular entry will likely be inside a large pcap containing other saved traffic from other alerts... you use the timestamp to determine the proper packet to look at and then work it from there...
>>
>>
>> FWIW: I've got someone who is a client on a large Canadian cable network and they are getting hit by tons of these... we haven't yet determined why, though...
>>
>> --
>> NOTE: No off-list assistance is given without prior approval.
>> Please keep mailing list traffic on the list unless
>> private contact is specifically requested and granted.
>>
>> ------------------------------------------------------------------------------
>> Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. This 200-page book is written by three acclaimed leaders in the field. The early access version is available now.
>>
>> Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>
>
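Editor's note: the two replies above (waldo kitty's GID:SID:rev breakdown, and Jeremy's "grep snort.rules for the sid") together are the whole lookup procedure, so here it is as one small script. This is an added example, not code from anyone in the thread or from the Snort project. The log lines and the ET rule are the ones quoted in the thread; the gen-msg.map line is constructed in Snort's `gid || sid || message` format, and the file paths in the comments are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two syslog lines quoted in the thread.
# In a real deployment you would read /var/log/snort/alert (assumed path) instead.
SAMPLE_LOG = """\
2013-05-07T10:14:05-07:00 firewall snort[62223]: [120:8:1] (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE [Classification: Unknown Traffic] [Priority: 3] {TCP} 209.97.200.53:32459 -> 216.178.47.38:80
2013-05-07T10:38:26-07:00 firewall snort[62223]: [1:2010645:9] ET POLICY User-Agent (Launcher) [Classification: A Network Trojan was Detected] [Priority: 1] {TCP}
"""

# Constructed snort.rules excerpt: the ET rule quoted in the thread, on one line as
# pulledpork writes it (assumed path: /etc/snort/rules/snort.rules).
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY User-Agent (Launcher)"; flow: to_server,established; content:"Launcher"; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+Launcher/iH"; reference:url,doc.emergingthreats.net/2010645; classtype:trojan-activity; sid:2010645; rev:9;)
'''

# Constructed gen-msg.map excerpt (assumed path: /etc/snort/gen-msg.map). Preprocessor
# and decoder events are NOT in the *.rules files; this map is where their text lives.
SAMPLE_GEN_MSG_MAP = """\
120 || 8 || (http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
"""

# [gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src -> dst
# The src -> dst tail is optional because Josh's second paste had none.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}"
    r"(?:\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+))?"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
REFERENCE_RE = re.compile(r"reference:\s*([^;]+);")


def parse_alert(line: str) -> Optional[dict]:
    """Split one fast-alert/syslog line into its fields; None if it is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "priority"):
        d[k] = int(d[k])
    return d


def load_rules(rules_text: str) -> Dict[int, str]:
    """Index a rules file by sid. Rules pulledpork disabled are commented out with '#'
    and are skipped: a disabled rule cannot have fired."""
    rules: Dict[int, str] = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            rules[int(m.group(1))] = line
    return rules


def load_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """Parse gen-msg.map lines of the form 'gid || sid || message'."""
    table: Dict[Tuple[int, int], str] = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table


def explain(alert: dict, rules: Dict[int, str], genmap: Dict[Tuple[int, int], str]) -> dict:
    """GID 1 is the text-rule generator: look the sid up in the rules file and pull out
    its reference: options (for an ET rule that is where the documentation URL is).
    Any other GID is a preprocessor/decoder generator: look it up in gen-msg.map."""
    gid, sid = alert["gid"], alert["sid"]
    out = dict(alert)
    if gid == 1:
        out["source"] = "rules file"
        rule = rules.get(sid)
        out["detail"] = rule or "sid %d not found in rules file (disabled, or rule set out of date)" % sid
        out["references"] = REFERENCE_RE.findall(rule) if rule else []
    else:
        out["source"] = "preprocessor"
        out["detail"] = genmap.get((gid, sid), "gid %d sid %d not in gen-msg.map" % (gid, sid))
        out["references"] = []
    return out


def triage(log_text: str, rules_text: str, genmap_text: str) -> List[dict]:
    """Explain every alert line in log_text using the two lookup tables."""
    rules = load_rules(rules_text)
    genmap = load_gen_msg_map(genmap_text)
    return [explain(a, rules, genmap) for a in map(parse_alert, log_text.splitlines()) if a]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG, SAMPLE_RULES, SAMPLE_GEN_MSG_MAP):
        print("[%d:%d:%d] %s  <- %s: %s" % (r["gid"], r["sid"], r["rev"], r["msg"], r["source"], r["detail"]))
        for ref in r["references"]:
            print("    reference:", ref)
```

The script tells you which of the two places to look, and for a text rule hands you the rule body so you can see what it actually matched on (here `User-Agent: ...Launcher` in an HTTP header) before deciding whether the packet is a false positive. The pcap check waldo describes is still the next step; nothing here replaces looking at the traffic.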