
Sourcefire IPS

Constructor : Cisco

Device : Sourcefire 3D Sensors

Theoretical injector performance : 22141 EPS

Log format : IS

example 1: TOTOHOST SNORT[2500]: [1:1418:11] SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.116.28.60:40949 -> 10.116.24.225:161

example 2: TOTOHOST256 SNORT[2600]: [1:1852:3] WEB-MISC robots.txt access [Classification: Access to a Potentially Vulnerable Web Application] [Priority: 2] {TCP} 10.116.28.60 -> 10.116.24.225

example 3: HOSTNAME SNORT: [1:993:11] WEB-IIS iisadmin access [Classification: Web Application Attack] [Priority: 1] {TCP} 10.116.28.60:51218 -> 10.116.24.225:80

example 4: HOSTNAME SNORT[2500]: [1:3000:4] NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.116.28.60:2110 -> 10.116.24.225:139

Constructor field   LMC field                 sample logs
SensorName          [obs][host][name]         SENSOR-52 SNORT[2500]
SFIMS[program]      [obs][process][name]      SNORT[2500]: [1:1418:11] SNMP request
SFIMS[pid]          [obs][process][id]        SNORT[2500]: [1:1418:11] SNMP request
Signature           [sourcefire][signature]   1418:11] SNMP request tcp [Classification
classification      [alarm][name]             Classification: Web Application Attack
priority            [alarm][sev]              [Priority: 2]
protocol            [app][proto][name]        [Priority: 3] {TCP} 10.116.28.60:2110
Source_ip           [init][host][ip]          10.116.28.60:2110 -> 10.116.24.225:139
SRCPort             [init][host][port]        10.116.28.60:2110 -> 10.116.24.225:139
Destination_ip      [target][host][ip]        10.116.28.60:2110 -> 10.116.24.225:139
DSTPort             [target][host][port]      10.116.28.60:2110 -> 10.116.24.225:139
GID                 [sourcefire][gid]         SNORT[2500]: [1:1418:11] SNMP request
SID                 [sourcefire][sid]         SNORT[2500]: [1:1418:11] SNMP request
revision number     [sourcefire][rev]         SNORT[2500]: [1:1418:11] SNMP request

Test Unit List

unit_is_Access_to_a_Potentially_Vulnerable_Web_Application.json
unit_is_Attempted_Information_Leak.json
unit_is_Web_Application_Attack.json

Log format : DC

example:

SFIMS: [119:4:1] http_inspect: BARE BYTE UNICODE ENCODING [Impact: Potentially Vulnerable] From at Wed Apr 15 13:19:26 2015 UTC [Classification: Not Suspicious Traffic] [Priority: 3] {tcp} 191.1.221.205:58422->10.34.200.224:80

Constructor field LMC field
SensorName [obs][host][name]
SFIMS[program] [obs][process][name]
SFIMS[pid] [obs][process][id]
Signature [sourcefire][signature]
classification [alarm][name]
priority [alarm][sev]
protocol [app][proto][name]
Source_ip [init][host][ip]
SRCPort [init][host][port]
Destination_ip [target][host][ip]
DSTPort [target][host][port]
GID [sourcefire][gid]
SID [sourcefire][sid]
revision number [sourcefire][rev]
impact [sourcefire][impact]
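The IS and DC mappings above, applied in code as an added example (not the connector's own parser): one regex per format, with each capture group renamed to the LMC field from the two tables. Optional pieces of the IS format (the PID in example 3, the ports in example 2) and the empty sensor name in the DC sample ("From at") are simply left out of the result; the 3d8xxx format is not handled here.

```python
import re

# Added example, not the connector's own code: parse the IS and DC log
# formats documented above and map every captured field onto the LMC
# field named in the two mapping tables (the 3d8xxx format is not covered).
IS_RE = re.compile(
    r"^(?P<sensor>\S+) SNORT(?:\[(?P<pid>\d+)\])?: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<signature>.+?) "
    r"\[Classification: (?P<classification>[^\]]+)\] "
    r"\[Priority: (?P<priority>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src_ip>[\d.]+)(?::(?P<src_port>\d+))? -> "
    r"(?P<dst_ip>[\d.]+)(?::(?P<dst_port>\d+))?$"
)
DC_RE = re.compile(
    r"^SFIMS: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<signature>.+?) "
    r"\[Impact: (?P<impact>[^\]]+)\] From (?P<sensor>\S*) ?at (?P<time>.+?) UTC "
    r"\[Classification: (?P<classification>[^\]]+)\] "
    r"\[Priority: (?P<priority>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src_ip>[\d.]+)(?::(?P<src_port>\d+))?\s*->\s*"
    r"(?P<dst_ip>[\d.]+)(?::(?P<dst_port>\d+))?$"
)

# Regex group -> LMC field, taken from the mapping tables on this page.
LMC = {
    "sensor": "[obs][host][name]", "pid": "[obs][process][id]",
    "gid": "[sourcefire][gid]", "sid": "[sourcefire][sid]",
    "rev": "[sourcefire][rev]", "signature": "[sourcefire][signature]",
    "classification": "[alarm][name]", "priority": "[alarm][sev]",
    "proto": "[app][proto][name]", "impact": "[sourcefire][impact]",
    "src_ip": "[init][host][ip]", "src_port": "[init][host][port]",
    "dst_ip": "[target][host][ip]", "dst_port": "[target][host][port]",
}


def normalize(line):
    """Return {LMC field: value} for one IS or DC line, or None if it fits neither."""
    m = IS_RE.match(line) or DC_RE.match(line)
    if m is None:
        return None
    # [obs][process][name] is the literal program token in front of the colon.
    out = {"[obs][process][name]": "SNORT" if m.re is IS_RE else "SFIMS"}
    for group, value in m.groupdict().items():
        if value and group in LMC:   # pid, ports and DC sensor name are optional
            out[LMC[group]] = value
    return out


if __name__ == "__main__":
    print(normalize("HOSTNAME SNORT: [1:993:11] WEB-IIS iisadmin access "
                    "[Classification: Web Application Attack] [Priority: 1] "
                    "{TCP} 10.116.28.60:51218 -> 10.116.24.225:80"))
```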

Test Unit List

unit_dc_Not_Suspicious_Traffic.json

Log format : Sourcefire for device 3d8xxx

SFIMS: [Primary Detection Engine (e8a41cd0-5cc4-11e5-b22f-82f97030470a)][Seg20_S_Sieges_IN][1:31978:5]

[Classification: Attempted Administrator Privilege Gain] User: Unknown, Application: Unknown, Client: Firefox, App Protocol: HTTP, Interface Ingress: s1p1, Interface Egress: s1p2, Security Zone Ingress: Seg20-S-Sieges-BB-IN, Security Zone Egress: Seg20-S-Sieges-BB-OUT, Context: Unknown, SSL Flow Status: N/A, SSL Actual Action: N/A, SSL Certificate: 0000000000000000000000000000000000000000, SSL Subject CN: N/A, SSL Subject Country: N/A, SSL Subject OU: N/A, SSL Subject Org: N/A, SSL Issuer CN: N/A, SSL Issuer Country: N/A, SSL Issuer OU: N/A, SSL Issuer Org: N/A, SSL Valid Start Date: N/A, SSL Valid End Date: N/A, [Priority: 1] {TCP} 10.110.130.50:50250 -> 10.100.8.50:8000

Constructor field LMC field
application [app][name]
user [target][usr][name]
ssl_certificate [sourcefire][ssl_certificate]
interface_ingress [init][host][if]
interface_egress [target][host][if]
security_zone_egress [sourcefire][security_zone_egress]
security_zone_ingress [sourcefire][security_zone_ingress]
context [sourcefire][context]
app_protocol [sourcefire][app_protocol]
client [init][process][name]
type [type]
classification [alarm][name]
priority [alarm][sev]
protocol [app][proto][name]
application [app][name]
src_ip [init][host][ip]
src_port [init][host][port]
dst_ip [target][host][ip]
dst_port [target][host][port]
sid [sourcefire][sid]
gid [sourcefire][gid]
rev [sourcefire][rev]
signature [sourcefire][signature]

Test Unit List

unit_3d8xxx.json