[Oisf-devel] UDP rule triggering on wrong port

Chris Wakelin c.d.wakelin at reading.ac.uk
Wed Mar 30 13:54:03 UTC 2011


On 08/02/11 18:13, Chris Wakelin wrote:
>>> (I've also got a UDP rule occasionally triggering on the wrong port;
>>> I'll see if I can get a packet dump for that.)
>>
>> I'd love to get more details on this.
>>
>> Cheers,
>> Victor
>>
>
> Hmm, interestingly I haven't seen the UDP problem (on the Srzibi
> emerging-trojans rule; destination port should be 1024 but it was
> hitting randomly) since I updated yesterday, either.
>

Actually it was because emerging-trojan.rules dropped out of my
suricata.yaml :(. I think it's missing in the latest git master sample too.

Anyway, I've got a packet capture to reproduce it (attached). It's
hitting the rule:

> alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Srizbi registering with controller"; dsize:20; content:"|2d|"; offset:6; content:"|2d|"; distance:6; within:1; content:!"|00|server."; offset:44; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/ronpaul/; reference:url,doc.emergingthreats.net/2007711; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Srizbi; sid:2007711; rev:9;)

which should only match on destination port 1024.

The traffic was probably peer-to-peer filesharing of some kind ...

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
-------------- next part --------------
A non-text attachment was scrubbed...
Name: srizbi-fp.pcap
Type: application/cap
Size: 180 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20110330/34cd626a/attachment.bin>
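In Suricata (and Snort) rule-header syntax, a port followed by a trailing colon is an open range: `1024:` covers destination ports 1024 through 65535, a lone `1024` covers only that port, `:1024` covers 0 through 1024, and brackets build lists with optional `!` negation. The following is an added example, written for this archive page and not code from the post or from the Suricata project. It implements that port-specification grammar and evaluates the quoted header's `1024:` field against a few constructed destination ports (the attached pcap is not available here, so the packet list is invented sample data).

```python
"""Suricata/Snort rule-header port-specification matcher.

Added example, not from the mailing-list post or the Suricata project.
Supported forms: "any", a single port, "a:b", open ranges "a:" and ":b",
negation "!x", and bracketed lists such as "[1:80,![2,4]]".
"""


def _split_top_level(spec: str) -> list[str]:
    """Split a bracketed list on commas that are not inside nested brackets."""
    parts, depth, cur = [], 0, []
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def port_matches(spec: str, port: int) -> bool:
    """Return True if `port` is covered by the rule port specification `spec`."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec.startswith("[") and spec.endswith("]"):
        # A list is the union of its positive members minus its negated members;
        # a list holding only negated members means "everything except these".
        members = _split_top_level(spec[1:-1])
        positives = [m for m in members if not m.startswith("!")]
        negatives = [m[1:] for m in members if m.startswith("!")]
        included = any(port_matches(m, port) for m in positives) if positives else True
        excluded = any(port_matches(m, port) for m in negatives)
        return included and not excluded
    if ":" in spec:
        # "a:b" is inclusive; a missing bound means 0 or 65535 respectively.
        lo, hi = spec.split(":", 1)
        low = int(lo) if lo else 0
        high = int(hi) if hi else 65535
        return low <= port <= high
    return port == int(spec)


def rule_header_hits(dst_port_spec: str, dst_ports: list[int]) -> list[int]:
    """Return the destination ports (in order) that satisfy the header port spec."""
    return [p for p in dst_ports if port_matches(dst_port_spec, p)]


if __name__ == "__main__":
    # Constructed sample destination ports, not taken from the attached pcap.
    sample_dst_ports = [1024, 1025, 53, 6881, 65535]
    # The header as quoted in the post: "-> $EXTERNAL_NET 1024:"
    print("1024: matches", rule_header_hits("1024:", sample_dst_ports))
    # The header as the post expected it to behave (exact port only):
    print("1024  matches", rule_header_hits("1024", sample_dst_ports))
```

Running it shows that `1024:` selects every sample port from 1024 upward, while a bare `1024` selects only 1024, which is the check to run against a rule before concluding the engine is matching the wrong port.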