[Snort-devel] Re: classification

Phil Wood cpw at ...86...
Thu May 31 20:19:28 EDT 2001


Regarding: Version 1.8-beta5 (Build 24) (cvs)

Bear with me.  I found some rules:

  policy.rules:alert tcp $INTERNAL any -> $EXTERNAL 6666:6669 (msg: "INFO Possible IRC Access"; flags: A+; content: "NICK "; classtype: not-suspicious; classtype: unknown;) 
  policy.rules:alert tcp $EXTERNAL any -> $INTERNAL 21 (msg: "INFO FTP anonymous FTP"; content: "anonymous"; nocase; flags:A+; classtype: not-suspicious; classtype: not-suspicious;;) 
  rpc.rules:alert udp $EXTERNAL any -> $INTERNAL 111 (msg: "RPC snmpXdmi query";  rpc:100249,*,*; reference: bugtraq,2417; classtype: attempted-admin;classtype: attempted-recon;)

that look weird.  The reason I went looking for them was some anomalous
behavior which caused gobbledygook to be generated when printing an
alert out.  In particular:

alert ip any any -> any any (msg: "SHELLCODE x86 setgid 0"; content: "|b0b5 cd80|"; reference: arachnids,284; classtype: attempted-admin;)

coupled with:

alert udp $EXTERNAL any -> $INTERNAL 111 (msg: "RPC snmpXdmi query";  rpc:100249,*,*; reference: bugtraq,2417; classtype: attempted-admin;classtype: attempted-recon;)

caused the anomaly.  Here is the bare minimum conf file which will create a
garbaged "Classification" in the alert:

===============================================================================
  config classification: attempted-recon,Attempted Information Leak,3
  config classification: attempted-admin,Attempted Administrator Privilege Gain,10
  #
  alert udp any any -> any 111 (msg: "RPC snmpXdmi query";  rpc:100249,*,*; reference: bugtraq,2417; classtype: attempted-admin;classtype: attempted-recon;)
  alert ip any any -> any any (msg: "SHELLCODE x86 setgid 0"; content: "|b0b5 cd80|"; reference: arachnids,284; classtype: attempted-admin;)
===============================================================================

Here is a good alert:
05/31-13:38:14.220340  [**] SHELLCODE x86 setgid 0 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 10] 18.29.1.70:30665 -> 128.165.54.174:32824

Here is the bad one:
05/31-13:38:14.220340  [**] SHELLCODE x86 setgid 0 [**] [Classification: Ð
                                                                         à
                                                                         ð
                                                                         ] [Priority: 10] 18.29.1.70:30665 -> 128.165.54.174:32824


Here is an 'od' of the bad one:

0011240   0   5   /   3   1   -   1   3   :   3   8   :   1   4   .   2
        3530 332f 2d31 3331 333a 3a38 3431 322e
0011260   2   0   3   4   0           [   *   *   ]       S   H   E   L
        3032 3433 2030 5b20 2a2a 205d 4853 4c45
0011300   L   C   O   D   E       x   8   6       s   e   t   g   i   d
        434c 444f 2045 3878 2036 6573 6774 6469
0011320       0       [   *   *   ]       [   C   l   a   s   s   i   f
        3020 5b20 2a2a 205d 435b 616c 7373 6669
0011340   i   c   a   t   i   o   n   :       Ð 217  \v  \b   à 217  \v
        6369 7461 6f69 3a6e d020 0b8f e008 0b8f
0011360  \b   ð 217  \v  \b   ]       [   P   r   i   o   r   i   t   y
        f008 0b8f 5d08 5b20 7250 6f69 6972 7974
0011400   :       1   0   ]       1   8   .   2   9   .   1   .   7   0
        203a 3031 205d 3831 322e 2e39 2e31 3037
0011420   :   3   0   6   6   5       -   >       1   2   8   .   1   6
        333a 3630 3536 2d20 203e 3231 2e38 3631
0011440   5   .   5   4   .   1   7   4   :   3   2   8   2   4  \n  \0
        2e35 3435 312e 3437 333a 3832 3432 000a


To trigger the alert you need the attached pcap file.  But, it might not work being
based on the Alexey K. libpcap.

-- 
Phil Wood, cpw at ...86...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bad.trb4
Type: application/trb4
Size: 1562 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20010531/0e177690/attachment.bin>
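As an added example (not code from the post or from Snort itself): a small linter for the option list of rules like the ones quoted above, flagging the repeated `classtype:` keyword and the stray `;;` that the post points out. The sample rules are copies of the ones in the post, and the set of single-use option keywords is an assumption of this example, not taken from the Snort source.

```python
import re

# Constructed sample: the three malformed rules from the post plus the clean SHELLCODE rule.
RULES = [
    'alert tcp $INTERNAL any -> $EXTERNAL 6666:6669 (msg: "INFO Possible IRC Access"; flags: A+; content: "NICK "; classtype: not-suspicious; classtype: unknown;)',
    'alert tcp $EXTERNAL any -> $INTERNAL 21 (msg: "INFO FTP anonymous FTP"; content: "anonymous"; nocase; flags:A+; classtype: not-suspicious; classtype: not-suspicious;;)',
    'alert udp $EXTERNAL any -> $INTERNAL 111 (msg: "RPC snmpXdmi query";  rpc:100249,*,*; reference: bugtraq,2417; classtype: attempted-admin;classtype: attempted-recon;)',
    'alert ip any any -> any any (msg: "SHELLCODE x86 setgid 0"; content: "|b0b5 cd80|"; reference: arachnids,284; classtype: attempted-admin;)',
]

# Assumption: these option keywords carry one value per rule and must not repeat.
# (content: and reference: legitimately appear more than once, so they are not listed.)
SINGLE_USE = {"msg", "classtype", "priority", "sid", "rev"}

def split_options(rule):
    """Return the raw option strings inside the rule's parentheses.
    Splits on ';' outside double quotes, since a quoted value may contain ';'."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            opts.append("".join(cur).strip())   # an empty entry here means ';;'
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():                    # last option without a trailing ';'
        opts.append("".join(cur).strip())
    return opts

def lint_rule(rule):
    """Return a list of problems found in one rule (empty list when the rule is clean)."""
    problems, counts = [], {}
    for opt in split_options(rule):
        if opt == "":
            problems.append("empty option (stray ';;')")
            continue
        keyword = re.split(r"[:\s]", opt, maxsplit=1)[0].lower()   # 'classtype: x' -> 'classtype'
        counts[keyword] = counts.get(keyword, 0) + 1
    for keyword, n in counts.items():
        if keyword in SINGLE_USE and n > 1:
            problems.append(f"duplicate '{keyword}' option ({n} occurrences)")
    return problems

def lint_rules(rules):
    """Return {rule_index: problems} for every rule that has at least one problem."""
    return {i: lint_rule(r) for i, r in enumerate(rules) if lint_rule(r)}

if __name__ == "__main__":
    for i, probs in lint_rules(RULES).items():
        print(f"rule {i}: " + "; ".join(probs))
```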

