Monday, July 12, 2010

Server Message Block (SMB) Protocol Dissection

The primary goal of SMB is file transfer within a LAN.

SMB Header Structure:

SMB_Header
{
    UCHAR Protocol[4];
    UCHAR Command;
    SMB_ERROR Status;
    UCHAR Flags;
    USHORT Flags2;
    USHORT PIDHigh;
    UCHAR SecurityFeatures[8];
    USHORT Reserved;
    USHORT TID;
    USHORT PIDLow;
    USHORT UID;
    USHORT MID;
}

SMB Parameter Block:

SMB_Parameters
{
    UCHAR WordCount;
    USHORT Words[WordCount] (variable);
}

SMB Data Block:

SMB_Data
{
    USHORT ByteCount;
    UCHAR Bytes[ByteCount] (variable);
}
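The three structures above can be dissected directly with Python's struct module. The following is an added example (it is not code from this post or from the MSDN/HSC references): it serialises and parses one SMB message laid out as SMB_Header (32 bytes, little-endian on the wire) followed by SMB_Parameters and SMB_Data, and refuses to read past the end of the buffer when WordCount or ByteCount claim more than is present. The sample message is a constructed SMB_COM_NEGOTIATE request (command code 0x72) carrying a single dialect string; the Flags/Flags2 defaults are just sample values.

```python
import struct

# Layout taken from the SMB_Header definition above: 12 fields, 32 bytes, little-endian.
SMB_MAGIC = b"\xffSMB"
HEADER_FMT = "<4sBIBHH8sHHHHH"   # Protocol, Command, Status, Flags, Flags2, PIDHigh,
                                 # SecurityFeatures, Reserved, TID, PIDLow, UID, MID
HEADER_LEN = struct.calcsize(HEADER_FMT)   # == 32

SMB_COM_NEGOTIATE = 0x72         # command code of the constructed sample request


def build_smb(command, words=(), data=b"", tid=0, pid=0, uid=0, mid=0,
              status=0, flags=0x18, flags2=0xC853):
    """Serialise header + parameter block + data block (helper used to build the sample)."""
    header = struct.pack(HEADER_FMT, SMB_MAGIC, command, status, flags, flags2,
                         (pid >> 16) & 0xFFFF,      # PIDHigh
                         b"\x00" * 8,               # SecurityFeatures (unused here)
                         0,                         # Reserved
                         tid, pid & 0xFFFF, uid, mid)
    params = struct.pack("<B%dH" % len(words), len(words), *words)
    return header + params + struct.pack("<H", len(data)) + data


def parse_smb(buf):
    """Dissect one SMB message; raises ValueError instead of reading beyond the buffer."""
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated: %d bytes, SMB_Header needs %d" % (len(buf), HEADER_LEN))
    (proto, command, status, flags, flags2, pid_high, sec_features, reserved,
     tid, pid_low, uid, mid) = struct.unpack_from(HEADER_FMT, buf, 0)
    if proto != SMB_MAGIC:
        raise ValueError("not an SMB message: Protocol=%r" % proto)
    off = HEADER_LEN

    # SMB_Parameters: WordCount, then WordCount 16-bit words
    word_count = buf[off]
    off += 1
    if len(buf) < off + 2 * word_count:
        raise ValueError("truncated parameter block: WordCount=%d" % word_count)
    words = list(struct.unpack_from("<%dH" % word_count, buf, off))
    off += 2 * word_count

    # SMB_Data: ByteCount, then ByteCount raw bytes
    if len(buf) < off + 2:
        raise ValueError("truncated: ByteCount missing")
    (byte_count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if len(buf) < off + byte_count:
        raise ValueError("truncated data block: ByteCount=%d but only %d bytes left"
                         % (byte_count, len(buf) - off))
    data = buf[off:off + byte_count]

    return {
        "command": command, "status": status, "flags": flags, "flags2": flags2,
        "pid": (pid_high << 16) | pid_low,   # the process id is split across two fields
        "tid": tid, "uid": uid, "mid": mid,
        "word_count": word_count, "words": words,
        "byte_count": byte_count, "data": data,
        "consumed": off + byte_count,        # total bytes used by this message
    }


# Constructed sample: a NEGOTIATE request offering one dialect ("NT LM 0.12").
SAMPLE_DIALECTS = b"\x02NT LM 0.12\x00"
SAMPLE_NEGOTIATE = build_smb(SMB_COM_NEGOTIATE, data=SAMPLE_DIALECTS, pid=0x1234, mid=1)

if __name__ == "__main__":
    msg = parse_smb(SAMPLE_NEGOTIATE)
    print("command=0x%02x pid=0x%04x words=%s bytecount=%d data=%r"
          % (msg["command"], msg["pid"], msg["words"], msg["byte_count"], msg["data"]))
    try:
        parse_smb(SAMPLE_NEGOTIATE[:-4])    # ByteCount now claims more than is present
    except ValueError as exc:
        print("rejected:", exc)
```

The length checks before every unpack are the point of the example: a dissector that trusts WordCount or ByteCount from the wire will read past the buffer on a truncated or malformed message.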


For further details, see:
http://msdn.microsoft.com/en-us/library/ee441466%28v=PROT.13%29.aspx
http://www.hsc.fr/ressources/articles/win_net_srv/

Monday, June 28, 2010

Snort Preprocessors and Alerts



Snort Preprocessors

Preprocessors were introduced in Snort v1.5. Preprocessor code runs after the packet has been decoded but before the detection engine is called; through this mechanism a packet can be modified or analysed out of band. Preprocessors help identify possible attack packets before rules are applied; after the preprocessing stage the rules are applied to the packets (raw data) to detect attacks by pattern matching. Preprocessors are configured in the snort.conf file, which is usually found in /etc/ or /etc/snort/. frag2 should be commented out if frag3 is used, and stream4 should be commented out if stream5 is used.

preprocessor frag2
# frag3: IP packet reassembly (defragmentation)
preprocessor frag3
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
# stream5: TCP segment reassembly and stateful protocol analysis
preprocessor stream5
# http_decode: HTTP normalisation of URL-encoded data
preprocessor http_decode
preprocessor rpc_decode
# bo: Back Orifice backdoor traffic detection
preprocessor bo
preprocessor telnet_decode
# sf_portscan: detects various port scans
preprocessor sf_portscan
preprocessor sf_ssh
preprocessor sf_smtp
preprocessor sf_ftptelnet
preprocessor sf_dns
preprocessor sf_dcerpc
preprocessor sf_ssl

Snort also has postprocessors, or output plug-ins. These are the Snort plug-ins that determine what to do after traffic has been identified as malicious by the preprocessors or rules. Popular output plug-ins are those that send Snort alerts and log data to databases, and those that allow SNMP event messaging.


Snort Alerts

Snort alerts logged to a logfile look like the following (the alerts in your environment will differ):
[**] [1:2050:14] SQL version overflow attempt [**]
[**] [1:8428:9] WEB-MISC SSLv2 openssl get shared ciphers overflow attempt [**]
[**] [122:3:0] (portscan) TCP Portsweep [**]
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]

The first number (1, 122, 119 here) is the Generator ID (GID); it tells the user which component of Snort generated the alert. The list of GIDs can be found in etc/generators in the Snort source.

The generators file has the format shown below:
generatorid || alertid || MSG
The diagram below shows the generator ID, the alert ID (or Snort ID) and the alert name.


Any alert raised by the ARP spoofing and spp_fnord preprocessors will have a Generator ID of 112 and 114 respectively.

The second number (2050, 8428, 3, 4 here) is the Snort ID (SID, or Signature ID). For a list of preprocessor SIDs, see etc/gen-msg.map. Rule-based SIDs are written directly into the rules with the “sid” option.

The third number (14, 9, 0, 1 in the alerts above) is the revision ID. This number is primarily used when writing signatures: each re-edit or fine-tuning of a rule should increment it via the “rev” option. For example, the "SQL version overflow attempt" signature has been modified 14 times!
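The GID:SID:REV triple is what a log-review script keys on. The following is an added example (not code from this post or from the Snort project) that splits the four alert lines quoted above into generator ID, Snort ID, revision and message, classifies each as a rule hit (GID 1) or a decoder/preprocessor hit, and cross-checks preprocessor alerts against a table in the "generatorid || alertid || MSG" layout of etc/gen-msg.map. The map excerpt embedded in the code is constructed for the example and is not a copy of the real file.

```python
import re
from collections import Counter

# Alert header as written by Snort's alert output: [**] [gid:sid:rev] message [**]
ALERT_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")

# Constructed excerpt in the "generatorid || alertid || MSG" layout of etc/gen-msg.map.
# Only the two preprocessor alerts from the log sample are included.
GEN_MSG_MAP = """\
# generator id || alert id || message
119 || 4 || (http_inspect) BARE BYTE UNICODE ENCODING
122 || 3 || (portscan) TCP Portsweep
"""

# The four alert lines quoted in the post
SAMPLE_ALERTS = [
    "[**] [1:2050:14] SQL version overflow attempt [**]",
    "[**] [1:8428:9] WEB-MISC SSLv2 openssl get shared ciphers overflow attempt [**]",
    "[**] [122:3:0] (portscan) TCP Portsweep [**]",
    "[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]",
]


def load_gen_msg_map(text):
    """Parse gen-msg.map style text into {(gid, sid): message}."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 3 or not (fields[0].isdigit() and fields[1].isdigit()):
            continue                      # skip malformed entries rather than crash
        table[(int(fields[0]), int(fields[1]))] = "||".join(fields[2:]).strip()
    return table


def parse_alert(line):
    """Split one alert line into gid/sid/rev/msg; None if the line is not an alert header."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, rev = (int(m.group(i)) for i in (1, 2, 3))
    return {
        "gid": gid, "sid": sid, "rev": rev, "msg": m.group(4),
        # GID 1 is the rules engine (text rules); other GIDs are decoders/preprocessors
        "source": "rule" if gid == 1 else "preprocessor",
    }


def summarize(lines, gen_msg_map):
    """Count alerts by source; list preprocessor (gid, sid) pairs missing from the map."""
    counts = Counter()
    unknown = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue                      # classification/priority lines etc.
        counts[alert["source"]] += 1
        key = (alert["gid"], alert["sid"])
        if alert["source"] == "preprocessor" and key not in gen_msg_map:
            unknown.append(key)           # worth checking: not in the shipped gen-msg.map
    return dict(counts), unknown


if __name__ == "__main__":
    table = load_gen_msg_map(GEN_MSG_MAP)
    for line in SAMPLE_ALERTS:
        a = parse_alert(line)
        print("%3d:%-5d rev %-2d %-12s %s" % (a["gid"], a["sid"], a["rev"], a["source"], a["msg"]))
    print(summarize(SAMPLE_ALERTS, table))
```

The revision number is deliberately carried through: when the same SID appears with different rev values in one log, the rule file changed during the capture window, which matters when reproducing an alert.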

For a detailed description of these concepts, refer to the Snort Users Manual.



Friday, June 11, 2010

twitter Phishing

This was a phishing mail related to Twitter in my spam box; out of curiosity I opened this mail to dig deeper. The sample mail can be seen in the picture below.


Hovering the mouse over the URL in the mail, or over the "Twitter Support" link, reveals the phishing URL:

http://84.51.21.51/~chatliam/mepw.html

Opening the link redirects to

http://tirearoma.com/

I didn't find anything malicious on the tirearoma.com page. The phishing might just be a way to increase hits to "tirearoma.com" (pay-per-click)!

The redirected page has a plethora of capsules related to Viagra, etc.
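The check done by hand above (the visible link says "Twitter Support" while the href points at a raw IP address on an unrelated host) can be automated over an HTML mail body. The following is an added example, not code from this post: it collects every anchor, and flags links whose host is a bare IP address, whose host is not under the domain the mail claims to come from, or whose visible text names one domain while the href goes to another. The mail body is constructed; 192.0.2.10 is a documentation address and twitter-login.example.net is a made-up lookalike host.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def same_site(host, domain):
    """True if host is domain itself or a subdomain of it (no prefix/suffix tricks)."""
    return host == domain or host.endswith("." + domain)


def is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Something that looks like a domain or URL inside the link's visible text
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


def suspicious_links(html_body, claimed_domain):
    """Return [(href, text, reasons)] for http(s) links that do not belong to claimed_domain."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        parts = urlparse(href)
        if parts.scheme not in ("http", "https"):
            continue                                   # mailto: etc. are out of scope
        host = (parts.hostname or "").lower()
        reasons = []
        if is_ip_host(host):
            reasons.append("host is a raw IP address")
        if not same_site(host, claimed_domain):
            reasons.append("host %r is not under %r" % (host, claimed_domain))
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and not same_site(host, shown.group(1)):
            reasons.append("visible text names %r but href goes to %r" % (shown.group(1), host))
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed HTML body imitating the mail described above.
SAMPLE_MAIL = """
<p>Your account was flagged. Contact
<a href="http://192.0.2.10/~user/page.html">Twitter Support</a> or visit
<a href="http://twitter-login.example.net/">http://twitter.com/login</a>.</p>
<p>Manage <a href="https://twitter.com/settings">your settings</a> |
<a href="mailto:help@example.org">Email us</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_MAIL, "twitter.com"):
        print("%-40s %-26s %s" % (href, text, "; ".join(reasons)))
```

The same_site helper is the part worth getting right: a naive substring test would accept a host such as twitter.com.evil.example, whereas the suffix test with the leading dot does not.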


Happy browsing !!!

Wednesday, June 2, 2010

First Vulnerability I Found: CVE-2010-2091

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2091

http://xforce.iss.net/xforce/xfdb/58835

http://www.securityfocus.com/archive/1/archive/1/511401/100/0/threaded

http://www.exploit-db.com/exploits/12728

Tuesday, May 11, 2010

SPAM Mails: Part 2

Following is a spam mail which most of us have received, and many have ended up replying to it.

Dearest One,


Good a thing to write you. I have a proposal for you; this however is not
mandatory nor will I in any manner compels you to honour against your
will.

I am Aisha Al- Salam, 23years old and the only daughter of my late
parents Mr.and Mrs.Hassan Al-salam my father was a highly reputable
business magnet - (a cocoa merchant) who operated in the capital of Cote
D Ivorie during his days.

It is sad to say that he passed away mysteriously in France during one of
his business trips abroad year 12th.Febuary 2007. Though his sudden death
was linked or rather suspected to have been masterminded by an uncle of
his who travelled with him at that time. But God knows the truth! My
mother left me when I was just 4 years old, and since then my father took
me so special.

Before his death on February 12th 2007 he called his secretary who
accompanied him to the hospital and told him that he has the sum of 7.5
million, United States Dollars.(USD$7,500.000 ) left in one of the
Leading Bank in Cote D Ivorie and he deposited the money in my name in
the bank as the next kins.

I am just 23 years old and a university undergraduate and really don't
know what to do. Now I want a foreign partner overseas where I can
transfer this fund. This is because I have suffered a lot of set backs as
a result of incessant political crisis here in Cote D Ivorie . The death
of my father actually brought sorrow to my life.

Sir, I am in a sincere desire of your humble assistance in this
regards.Your suggestions and ideas will be highly regarded. Now permit me
to ask these few questions:-

1. Can you honestly help me as your daughter?
2. Can I completely trust you?
I have decided to offer you 30% of the total amount for your willingness
to help me, Please kindly response to my mail immediately with your full
personal information, telephone number so that I can call and speak with
you on the telephone.

Please, consider this and get back to me as soon as possible.

Thank you so much.
Insallah .

My sincere regards,
Ms Aisha Al Salam.

SPAM Mails: Part 1

Below is a spam mail which I received in my inbox. To make it look realistic, the spammers went one step further and provided contact numbers and a few images, to entice users into giving out their personal information.

FROM THE DESK OF THE DIRECTOR:
UK INTERNATIONAL LOTTERY PRIZE AWARD DEPT

WINNING NOTIFICATION FOR CATEGORY "A" WINNER ONLY

Amount Won: £1,000,000.00 Pounds

Dear Lucky winner,

We are glad to inform you that you have won a prize money of One Million
Great Britain Pound Sterlings (£1,000,000.00) in our last lottery promotional
draw.

We are pleased to inform you of the final announcement of the result in
UK INTERNATIONAL LOTTERY PRIZE AWARD DEPT. Your email address was selected by our Electronic Random Selection System (ERSS) from an exclusive list of e-mail addresses of individual and corporate bodies. No tickets were sold.

With Ref.Number: GP 14-M-246-04,
Batch Number: 573881545-UK/2010
Ticket Number: PP3502/8707-01.

CONGRATULATIONS!!!:
To file for Your Claims Please contact.
********************************************
Name: MR JOSEPH POUNCH
Tel:+447014275315
Email:
josephpounch18@gmail.com
*******************************************
However you will have to fill and submit this form to the events manager for
verification & direction on how you canclaim your winning fund.
Fill the Details Below:
1. Full name...............
2. Contact Address......
3. Age.........................
4. Mobile Number.........
5. Marital Status..........
6. Sex.........................
7. Occupation..............
8. Company................
9.State:......................
10.Country..................
11.Nationality...............
12.Address.................
13.Valid ID Proof (Send as email attachment)
Your Reference and Batch number at the top of this mail:

Mrs Vivian Jones.
Lottery Coordinator

Most netizens fall prey to this and end up providing their information. The details above can be used to crack passwords with intelligent guesses.

Before providing information in reply to such mails, think once: "who the hell in this world is going to give away free money?!"