[Oisf-users] 802.3 Spanning Tree Protocol (STP) Packet triggers unrelated Signature

Victor Julien lists at inliniac.net
Mon Jul 4 13:09:24 UTC 2016


On 04-07-16 15:02, christoph.wiederkehr at post.ch wrote:
> Hi List,
> 
> I recently noticed that a couple of signatures trigger quite often, but
> the eve log does not show the details (source/destination) it usually does.
> 
> {
>   "timestamp": "2016-07-04T14:07:36.256364+0200",
>   "alert": {
>     "action": "allowed",
>     "gid": 1,
>     "signature_id": 2404022,
>     "rev": 4278,
>     "signature": "ET CNC Shadowserver Reported CnC Server IP group 23",
>     "category": "A Network Trojan was detected",
>     "severity": 1
>   }
> }
> 
> The fast log shows some detail about the raw packet:
> 
> 07/04/2016-14:07:36.256364  [**] [1:2404022:4278] ET CNC Shadowserver
> Reported CnC Server IP group 23 [**] [Classification: A Network Trojan
> was detected] [Priority: 1] [**] [Raw pkt: 01 80 C2 00 00 00 00 1C 58 BE
> 88 90 00 27 42 42 03 00 00 02 02 3C 8F 10 00 1B 2B 09 7C 00 00 00 ]
> 
> Google shows that others have had similar problems in the past:
> 
> https://lists.openinfosecfoundation.org/pipermail/oisf-users/2014-March/003570.html
> 
> I captured some traffic (I can upload/send the pcap to someone/somewhere
> if needed) and Wireshark says it is a Spanning Tree Protocol packet in an
> 802.3 Ethernet frame. I do not understand why the ET signature is
> triggering:
> 
> alert ip $HOME_NET any ->
> [213.114.67.147,213.165.242.16,213.168.249.130,213.17.153.11,213.193.246.34,213.200.94.170,213.230.192.163,213.239.193.176,213.249.68.98,216.152.78.166,216.18.189.186]
> any (msg:"ET CNC Shadowserver Reported CnC Server IP group 23";
> reference:url,doc.emergingthreats.net/bin/view/Main/BotCC;
> reference:url,www.shadowserver.org; threshold: type limit, track by_src,
> seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP;
> classtype:trojan-activity; sid:2404022; rev:4278;)
> 
> Is this a configuration issue? Or is Suricata misinterpreting the packet?

Likely a Suricata issue. Could you email me the pcap?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
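Decoding the quoted "Raw pkt" bytes, as an added example that is not code from the thread or from Suricata: it classifies the frame as IEEE 802.3 (bytes 12-13 are the length 0x0027, not an EtherType) carrying an LLC-encapsulated Rapid STP BPDU, so there is no IP header that an `alert ip` rule could have matched on. The fast.log line is the one quoted above; the helper names and verdict strings are my own.

```python
import re
import struct

# Copy of the fast.log line quoted in the mail above (joined onto one line).
FAST_LOG_LINE = (
    "07/04/2016-14:07:36.256364  [**] [1:2404022:4278] ET CNC Shadowserver "
    "Reported CnC Server IP group 23 [**] [Classification: A Network Trojan "
    "was detected] [Priority: 1] [**] [Raw pkt: 01 80 C2 00 00 00 00 1C 58 BE "
    "88 90 00 27 42 42 03 00 00 02 02 3C 8F 10 00 1B 2B 09 7C 00 00 00 ]"
)
BPDU_TYPES = {0x00: "Configuration", 0x02: "Rapid/Multiple STP", 0x80: "TCN"}

def raw_pkt_bytes(line):
    """Extract the hex dump from a fast.log '[Raw pkt: ...]' field."""
    m = re.search(r"\[Raw pkt: ([0-9A-Fa-f ]+)\]", line)
    if not m:
        raise ValueError("no Raw pkt field in line")
    return bytes.fromhex(m.group(1).replace(" ", ""))

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def decode_frame(pkt):
    """Ethernet II if bytes 12-13 >= 0x0600 (EtherType), else IEEE 802.3 (length + LLC)."""
    if len(pkt) < 14:
        raise ValueError("truncated Ethernet header")
    type_or_len = struct.unpack("!H", pkt[12:14])[0]
    info = {"dst": mac(pkt[0:6]), "src": mac(pkt[6:12]), "carries_ip": False}
    if type_or_len >= 0x0600:
        info.update(frame="Ethernet II", ethertype=type_or_len,
                    carries_ip=type_or_len in (0x0800, 0x86DD))
        return info
    info.update(frame="IEEE 802.3", length=type_or_len, llc=tuple(pkt[14:17]))
    # DSAP/SSAP 0x42 is the bridge spanning-tree SAP, control 0x03 = UI frame;
    # a BPDU then starts at offset 17: proto id, version, type, flags, root id.
    if info["llc"] == (0x42, 0x42, 0x03) and len(pkt) >= 30:
        proto_id, version, bpdu_type, flags = struct.unpack("!HBBB", pkt[17:22])
        root_prio = struct.unpack("!H", pkt[22:24])[0]
        info["stp"] = {"protocol_id": proto_id, "version": version, "flags": flags,
                       "bpdu_type": BPDU_TYPES.get(bpdu_type, f"unknown 0x{bpdu_type:02x}"),
                       "root_id": f"0x{root_prio:04x}/{mac(pkt[24:30])}"}
    return info

def explain_alert(line):
    """Triage: an 'alert ip' rule can only legitimately match a frame carrying IPv4/IPv6."""
    info = decode_frame(raw_pkt_bytes(line))
    if info["carries_ip"]:
        return "IP frame: check the rule's address match, not the decoder"
    what = "STP BPDU" if "stp" in info else f"{info['frame']} non-IP frame"
    return f"{what} to {info['dst']}: no IP header, so the match cannot come from IP addresses"
```

Running explain_alert(FAST_LOG_LINE) on the quoted line reports an STP BPDU to 01:80:c2:00:00:00 with no IP header, which is the quick check to run on any eve alert that arrives without src/dest fields.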
