[Oisf-devel] UDP rule triggering on wrong port

Victor Julien victor at inliniac.net
Wed Mar 30 14:00:16 UTC 2011


On 03/30/2011 03:54 PM, Chris Wakelin wrote:
> On 08/02/11 18:13, Chris Wakelin wrote:
>>>> (I've also got a UDP rule occasionally triggering on the wrong port;
>>>> I'll see if I can get a packet dump for that.)
>>>
>>> I'd love to get more details on this.
>>>
>>> Cheers,
>>> Victor
>>>
>>
>> Hmm, interestingly I haven't seen the UDP problem (on the Srizbi
>> emerging-trojans rule; destination port should be 1024 but it was
>> hitting randomly) since I updated yesterday, either.
>>
> 
> Actually it was because emerging-trojan.rules dropped out of my
> suricata.yaml :(. I think it's missing in the latest git master sample too.
> 
> Anyway, I've got a packet capture to reproduce it (attached). It's
> hitting the rule:
> 
>> alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Srizbi registering with controller"; dsize:20; content:"|2d|"; offset:6; content:"|2d|"; distance:6; within:1; content:!"|00|server."; offset:44; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/ronpaul/; reference:url,doc.emergingthreats.net/2007711; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Srizbi; sid:2007711; rev:9;)
> 
> which should only match on destination port 1024.

Actually, no. 1024: is a short way of writing 1024 and up. So it should
match on any unprivileged port: 1024-65535.

Cheers,
Victor

> The traffic was probably peer-to-peer filesharing of some kind ...
> 
> Best Wishes,
> Chris
> 
> 
> 
> 
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
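To make the port-range point concrete, here is an added example (my own code, written for this page; it is not Suricata's parser and not something posted in the thread). It implements the documented rule port syntax by hand: "any", a single port, "N:" (N up to 65535, the "1024:" case above), ":N", "N:M", "!spec" negation and "[a,b,...]" lists, and then pulls the destination-port field out of the rule Chris quoted to show which destination ports it admits. Assumptions: rule variables such as $HTTP_PORTS are not resolved (they raise ValueError), port groups in the header contain no spaces, a list made only of negated entries is treated as "everything but those", and the destination ports it is run against are constructed, not taken from Chris's capture.

```python
"""Matcher for the port field of a Suricata-style rule header.

Added example; not Suricata code.  Handles the documented forms:
  any        every port
  N          single port
  N:         N up to 65535          ("1024:" in the thread)
  :N         0 up to N
  N:M        inclusive range
  !spec      negation
  [a,b,...]  list; a "!" entry inside a list is removed from the list
Assumptions: $VAR port variables are not resolved (ValueError), and port
groups in a rule header contain no spaces.
"""
from typing import List, Tuple

# The rule quoted in the thread, copied verbatim.
SRIZBI_RULE = (
    'alert udp $HOME_NET any -> $EXTERNAL_NET 1024: '
    '(msg:"ET TROJAN Srizbi registering with controller"; dsize:20; '
    'content:"|2d|"; offset:6; content:"|2d|"; distance:6; within:1; '
    'content:!"|00|server."; offset:44; classtype:trojan-activity; '
    'reference:url,www.secureworks.com/research/threats/ronpaul/; '
    'reference:url,doc.emergingthreats.net/2007711; '
    'reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Srizbi; '
    'sid:2007711; rev:9;)'
)


def _split_top_level(s: str) -> List[str]:
    """Split a list body on commas that are not inside nested brackets."""
    parts, cur, depth = [], [], 0
    for ch in s:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_range(spec: str) -> Tuple[int, int]:
    """Turn a single port or an N:M / N: / :N range into an inclusive (lo, hi) pair."""
    spec = spec.strip()
    if spec == "any":
        return 0, 65535
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s) if lo_s else 0        # ":1023" -> 0-1023
        hi = int(hi_s) if hi_s else 65535    # "1024:" -> 1024-65535
    else:
        lo = hi = int(spec)                  # int() rejects "$HTTP_PORTS"
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec!r}")
    return lo, hi


def describe(spec: str) -> str:
    """Expand a single port spec for display, e.g. '1024:' -> '1024-65535'."""
    lo, hi = parse_range(spec)
    return str(lo) if lo == hi else f"{lo}-{hi}"


def port_matches(spec: str, port: int) -> bool:
    """True if `port` is admitted by `spec`, applying negation and list rules."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec.startswith("[") and spec.endswith("]"):
        entries = _split_top_level(spec[1:-1])
        positive = [e for e in entries if not e.startswith("!")]
        negative = [e[1:] for e in entries if e.startswith("!")]
        # "[1:80,![2,4]]" is 1-80 except 2 and 4.  A list with only negated
        # entries is treated here as "everything but those" (an assumption).
        in_positive = any(port_matches(e, port) for e in positive) if positive else True
        in_negative = any(port_matches(e, port) for e in negative)
        return in_positive and not in_negative
    lo, hi = parse_range(spec)
    return lo <= port <= hi


def rule_dst_port_spec(rule: str) -> str:
    """Destination-port field of a header: action proto src sport dir dst dport."""
    header = rule.split("(", 1)[0].split()
    if len(header) != 7 or header[4] not in ("->", "<>"):
        raise ValueError("unexpected rule header layout")
    return header[6]


def header_dst_port_hits(rule: str, dst_port: int) -> bool:
    """Does the rule's destination-port field alone admit a packet to dst_port?"""
    return port_matches(rule_dst_port_spec(rule), dst_port)


if __name__ == "__main__":
    print(describe(rule_dst_port_spec(SRIZBI_RULE)))
    # Constructed destination ports, not from the capture in the thread.
    for dport in (53, 1023, 1024, 6881, 65535):
        print(dport, header_dst_port_hits(SRIZBI_RULE, dport))
```

Running it prints "1024-65535" for the rule's destination field and shows 1024, 6881 and 65535 admitted while 53 and 1023 are not, which is exactly why peer-to-peer traffic to a high port can reach the content checks of this rule; only the dsize and content tests then decide whether it fires.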
