
List:       snort-sigs
Subject:    [Snort-sigs] SIDs 545-548, 554 , bug in msg parser?
From:       Jon Hart <jhart () ccs ! neu ! edu>
Date:       2002-07-15 13:09:59

Greetings,

I've been getting hits on some SIDs with a message of "FTP".  This has been
happening for some time now, but since the traffic that was triggering the
rule seemed harmless, I just deleted the alerts and went on with life.
Today, I got a few more hits and said to myself "What a useless message!
FTP?  Could you be any less vague?"

So, I proceeded to look for this bad rule.  As you probably already know,
it doesn't exist.  I then rechecked the traffic and compared it against
the rules that had "FTP" somewhere in the msg field.  Then it hit me.  I'm
using ACID as my admin frontend, and it looks to be having trouble parsing
the msg field for SIDs mentioned in the subject.  Although it's not
impossible to parse the rules, it certainly seems to make it more difficult
and the msg field isn't following the same format as the other ftp rules
(i.e. msg:"FTP RNFR ././ attempt", not msg:"FTP \"RNFR ././\" attempt").

I think it'd be worthwhile to tweak these rules a bit to conform to the
others.  The new rules are below.  I guess the problem is how to properly
represent the spaces in the msg field, which is a key factor for these
rules.  They are trying to catch things like "CWD / /.." and the like but
the msg might get lost or garbled if the parser that reads the msg field is
not doing its job.

Also, it looks like there might be a bug somewhere in snort, as it is also
reporting the msg incorrectly.  For example, I've got the following traffic:

[**] FTP  [**]
06/30/02-07:47:56.350916 0:10:FF:E9:B8:80 -> 8:0:20:9F:29:2C type:0x800 len:0x3F
213.93.221.200:4252 -> 129.10.116.80:21 TCP TTL:105 TOS:0x0 ID:4646 IpLen:20 DgmLen:49 DF
***AP*** Seq: 0xC01C930D  Ack: 0x2F8F226E  Win: 0x4332  TcpLen: 20
CWD / /..^@

That would match sid 545, but the msg is not right.


Thoughts?

-jon



alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP 'CWD / ' possible warez site"; flags:A+; content:"CWD / "; nocase; depth:6; classtype:misc-activity; sid:545; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP 'CWD  ' possible warez site"; flags:A+; content:"CWD  "; nocase; depth:5; classtype:misc-activity; sid:546; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP 'MKD  ' possible warez site"; flags:A+; content:"MKD  "; nocase; depth:5; classtype:misc-activity; sid:547; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP 'MKD . ' possible warez site"; flags:A+; content:"MKD ."; nocase; depth:5; classtype:misc-activity; sid:548; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP 'MKD / ' possible warez site"; flags:A+; content:"MKD / "; nocase; depth:6; classtype:misc-activity; sid:554; rev:6;)


(snort -T -c /share/snort/etc/snort.conf is below)

Log directory = /var/log/snort

Initializing Network Interface xl0

        --== Initializing Snort ==--
Decoding Ethernet on interface xl0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /share/snort/etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
[*] Frag2 config:
    Fragment timeout: 60 seconds
    Fragment memory cap: 12582912 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 0
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snortlogs
database:          host = localhost
database:   sensor name = 10.0.0.1
database:     sensor id = 1
database: schema version = 105
database: using the "alert" facility
1182 Snort rules read...
1182 Option Chains linked into 133 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.7beta5 (Build 128)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)


