
[Snort-sigs] Some interesting stats on base components of rules

From: Sean Wheeler <s.wheeler(at)netprotect.ch>
Date: Wed Mar 31 2004 - 14:11:22 EST


Hi,

I am presently building a component which will dynamically assign rules based on passive OS fingerprinted hosts. Part of this process involves building a couple of arrays and stats.... having a look below you will notice some interesting/strange things in the rules (2.1.1 latest snapshot, 3 rules omitted).

I am sending this in the hope it will aid our sig maintainers, if there are any other stats you would like to see please pop me a mail as I am presently doing plenty of this kind of thing.

regards

Sean

and below the details :

What I spotted already was :

var shellcode_ports (in src_port) is used BUT there are also occurrences where port !80 is hardcoded; these are sids:

+------+
| sid  |
+------+
|  145 |
+------+

var http_ports (in src_port) is used BUT there are also occurrences where port 80 is hardcoded; these are sids:

+------+
| sid  |
+------+
|  106 |
| 1832 |
|  112 |
|  283 |
|  488 |
| 1437 |
| 1438 |
| 1439 |
| 1440 |
+------+

var shellcode_ports (in dst_port) is used BUT there are also occurrences where port !80 is hardcoded; these are sids:

+------+
| sid |
+------+
| 1432 |
+------+

var http_ports (in dst_port) is used BUT there are also occurrences where port 80 is hardcoded; these are sids:

+------+
| sid  |
+------+
| 1121 |
|  855 |
| 1619 |
| 1114 |
| 1749 |
| 1545 |
|  311 |
| 1436 |
|  619 |
+------+

PROTCOL COUNT :2276
Array
(

[tcp] => 1862
[ip] => 44
[udp] => 237
[icmp] => 133

)
SRC IP COUNT :2276
Array
(

[home_net] => 113
[http_servers] => 13
[any] => 106
[external_net] => 2010
[255.255.255.0/24] => 2

[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] => 3

[3.3.3.3/32] => 1
[smtp_servers] => 19
[63.251.224.177] => 1
[sql_servers] => 2
[telnet_servers] => 6

)
SRC PORT COUNT :2276
Array
(

[any] => 1975
[http_ports] => 44
[8002] => 1
[749] => 1
[751] => 1
[22] => 3
[512] => 1
[!21:23] => 1
[27374] => 1
[16959] => 1
[12345:12346] => 1
[20034] => 1
[2140] => 8
[3150] => 3
[4120] => 2
[6789] => 1
[1024:] => 1
[2589] => 1
[80] => 9
[146] => 2
[666] => 2
[1000:1300] => 1
[31785] => 1
[!80] => 1
[30100] => 1
[6969] => 1
[5401:5402] => 1
[23476] => 1
[30100:30102] => 1
[5031] => 1
[3344] => 1
[3345] => 1
[5714] => 1
[555] => 1
[31790] => 1
[6666:7000] => 1
[12754] => 1
[15104] => 1
[5631] => 1
[6000:6005] => 1
[12346] => 1
[60000] => 55
[110] => 74
[53] => 3
[19] => 1
[21] => 2
[4000] => 4
[23] => 9
[20] => 1
[5631:5632] => 1
[7161] => 1
[2002] => 1
[49] => 2
[500] => 1
[2401] => 7
[119] => 1
[902] => 1
[2998] => 1
[8888] => 1
[25] => 2
[513] => 2
[10101] => 1
[shellcode_ports] => 22
[113] => 1
[1433] => 1
[139] => 1

)
DST IP COUNT :2276
Array
(

[external_net] => 151
[any] => 101
[home_net] => 876
[telnet_servers] => 21
[216.80.99.202] => 1
[212.146.0.34] => 1
[127.0.0.0/8] => 1
[232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] => 1

[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] => 2

[http_servers] => 1007
[sql_servers] => 66
[smtp_servers] => 45
[64.245.58.0/23] => 1
[255.255.255.255] => 2
)
DST PORT COUNT :2276
Array
(

[any] => 471
[12345:12346] => 1
[2140] => 54
[3150] => 3
[4120] => 1
[1094] => 1
[2589] => 1
[1024:] => 7
[1054] => 1
[7597] => 1
[1000:1300] => 1
[146] => 1
[21554] => 1
[666] => 1
[5032] => 1
[!53:80] => 1
[3345] => 1
[3344] => 1
[79] => 16
[23] => 21
[31789] => 1
[35555] => 1
[33270] => 1
[1963] => 1
[34012] => 1
[3127:3199] => 1
[0] => 2
[1863] => 6
[6666:7000] => 8
[31335] => 3
[20432] => 1
[27665] => 3
[27444] => 1
[18753] => 1
[20433] => 1
[6838] => 1
[10498] => 3
[12754] => 1
[15104] => 1
[27374] => 2
[80] => 9
[http_ports] => 1025
[oracle_ports] => 26
[143] => 25
[119] => 11
[67] => 5
[12346] => 1
[31337] => 1
[60000] => 9
[53] => 18
[21] => 90
[32771:34000] => 4
[111] => 69
[32771] => 3
[634:1400] => 1
[22] => 7
[32770:] => 2
[139] => 47
[25] => 65
[110] => 22
[7] => 2
[7070] => 2
[8080] => 8
[161] => 12
[9] => 1
[617] => 1
[135:139] => 1
[3372] => 1
[6004] => 1
[6789:6790] => 1
[2766] => 1
[515] => 3
[6373] => 1
[9090] => 2
[123] => 1
[518] => 1
[635] => 3
[2224] => 1
[4242] => 1
[4321] => 1
[6112] => 1
[32772:34000] => 1
[749] => 3
[751] => 3
[1655] => 2
[500] => 10
[3535] => 2
[:1023] => 2
[1417] => 1
[5631] => 1
[70] => 1
[177] => 2
[1900] => 3
[7001] => 1
[32000] => 1
[443] => 1
[2002] => 1
[3389] => 3
[2533] => 1
[27155] => 1
[7100] => 1
[873] => 2
[2401] => 1
[1723] => 2
[179] => 2
[3306] => 2
[135] => 4
[445] => 11
[8888] => 6
[!80] => 1
[6699] => 1
[7777] => 1
[6666] => 1
[5555] => 1
[8875] => 1
[1214] => 1
[6881:6889] => 1
[5632] => 1
[9100] => 1
[9000:9002] => 1
[5800:5802] => 1
[49] => 2
[109] => 4
[500:] => 6
[513] => 5
[514] => 4
[512] => 1
[113] => 1
[3128] => 1
[1080] => 1
[10080:10081] => 1
[161:162] => 2
[162] => 4
[705] => 1
[1433] => 18
[1434] => 4
[69] => 11
[1220] => 2
[3000] => 1
[8181] => 2
[4080] => 1
[8000] => 1
[457] => 1
[2301] => 2
[1812] => 1
[8000:8001] => 1
[554] => 1
[6000] => 2

)




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Wed Mar 31 15:06:54 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:44 EDT
