[Snort-devel] possible bug with 1.9 -- IIS directory traversals not reported

Russell Fulton r.fulton at ...1343...
Sun May 5 17:02:02 EDT 2002


Greetings All,
I am not sure if this is a bug in snort or if this, ummm.. phenomenon, is
due to changes in the rule sets distributed with 1.8 and 1.9.

In both cases I am running rulesets from the snapshots directory which
were downloaded on Saturday (local time).

The problem is simply that nimda probes are reported rather differently
by the two versions.  When I first saw the alerts from version 1.9 I
thought I had found a new worm....

As you can see from the snortsnarf summaries and the detailed logs below,
1.9 is not reporting some of the probes:

snortsnarf summaries:

1.8:
2 different signatures are present for 211.93.93.194 as a source

    * 1 instances of WEB-IIS CodeRed v2 root.exe access
    * 13 instances of WEB-IIS cmd.exe access

1.9:
3 different signatures are present for 211.93.93.194 as a source

    * 1 instances of WEB-IIS CodeRed v2 root.exe access
    * 1 instances of WEB-IIS _mem_bin access
    * 2 instances of WEB-IIS cmd.exe access



Full alerts:
snort 1.8:

rful011 at ...1358...:/home/snort$ snort -V

-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch at ...402..., www.snort.org)

[**] [1:1256:4] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-22:38:40.027045 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x7E
211.93.93.194:2142 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:61312 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x47D70CB4 Ack: 0x3DB94A24 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-22:38:43.616803 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x86
211.93.93.194:2252 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:61603 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x4837B621 Ack: 0x3DC8DE25 Win: 0x4470 TcpLen: 20

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-22:38:45.340844 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x86
211.93.93.194:2340 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:61733 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x487EDC3C Ack: 0x3DD1FCFD Win: 0x4470 TcpLen: 20

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-22:38:47.220238 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x96
211.93.93.194:2398 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:61876 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x48ADA728 Ack: 0x3DDBA0BE Win: 0x4470 TcpLen: 20

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-22:38:49.041976 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0xAB
211.93.93.194:2460 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:62019 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x48E46A77 Ack: 0x3DE3ACD2 Win: 0x4470 TcpLen: 20

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-22:38:50.890615 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0xAB
211.93.93.194:2533 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:62142 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x491F7932 Ack: 0x3DF87A28 Win: 0x4470 TcpLen: 20

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-22:38:52.647429 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0xC7
211.93.93.194:2594 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:62291 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x4953C20D Ack: 0x3E00F571 Win: 0x4470 TcpLen: 20

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-22:38:54.414751 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x97
211.93.93.194:2661 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:62451 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x498D1C40 Ack: 0x3E0A7D4E Win: 0x4470 TcpLen: 20

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-22:38:56.188673 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x97
211.93.93.194:2726 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:62563 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x49C4381A Ack: 0x3E13777E Win: 0x4470 TcpLen: 20

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-22:38:58.048739 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x97
211.93.93.194:2784 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:62705 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x49F0205C Ack: 0x3E1C06BE Win: 0x4470 TcpLen: 20

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-22:38:59.805225 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x97
211.93.93.194:2862 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:62851 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x4A2DD220 Ack: 0x3E249D30 Win: 0x4470 TcpLen: 20

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-22:39:01.614828 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x98
211.93.93.194:2928 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:62989 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x4A611C7C Ack: 0x3E2C6189 Win: 0x4470 TcpLen: 20

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-22:39:03.373141 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x96
211.93.93.194:2975 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:63130 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x4A8A151B Ack: 0x3E358E6F Win: 0x4470 TcpLen: 20

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-22:39:06.967001 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x96
211.93.93.194:3114 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:63414 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x4AFC22E7 Ack: 0x3E472786 Win: 0x4470 TcpLen: 20

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

snort 1.9:
rful011 at ...1348...:/home/snort$ snort -V
Initializating Output Plugins!
UnifiedSetup

-*> Snort! <*-
Version 1.9-dev (Build 126)
By Martin Roesch (roesch at ...402..., www.snort.org)

[**] [1:1256:4] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-22:38:40.008796 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x7E
211.93.93.194:2142 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:61312 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x47D70CB4 Ack: 0x3DB94A24 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-22:38:43.598539 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x86
211.93.93.194:2252 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:61603 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x4837B621 Ack: 0x3DC8DE25 Win: 0x4470 TcpLen: 20

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-22:38:45.322576 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x86
211.93.93.194:2340 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:61733 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x487EDC3C Ack: 0x3DD1FCFD Win: 0x4470 TcpLen: 20

[**] [1:1286:3] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/05-22:38:50.872336 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0xAB
211.93.93.194:2533 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:62142 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x491F7932 Ack: 0x3DF87A28 Win: 0x4470 TcpLen: 20

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
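Added example (not part of the original post, and not Snort project code): a small script that does mechanically what the comparison above does by eye. It parses Snort's multi-line "full" alert format and keys each record on (source IP, source port, IP ID) instead of the timestamp, because the two Snort instances stamp the same packet a few milliseconds apart (22:38:40.027045 under 1.8 versus 22:38:40.008796 under 1.9 for the root.exe probe), so timestamps would never line up. The embedded sample logs are a constructed, shortened excerpt of the two logs above (the timestamp and TCP lines are omitted, since the parser only needs the header line and the IP line); the addresses, ports, IP IDs and rule names are the ones from the post.

```python
"""Match alerts from two Snort runs by packet identity and report the differences.

Added example, not code from the original post or from the Snort project.
Records are keyed on (src_ip, src_port, ip_id) so the same probe can be
matched across two sensors whose capture timestamps differ slightly.
"""
import re

# "[**] [gid:sid:rev] message [**]" -- searched, not matched, because a reflowed
# log may put the header on the same line as the tail of the previous record.
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
# "src:sport -> dst:dport PROTO ... ID:nnnn" (the IP header line of a record)
IP_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) \w+ .*?ID:(\d+)"
)


def parse_alerts(text):
    """Return {(src_ip, src_port, ip_id): (sid, message)} for every record in text."""
    alerts = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            current = (int(m.group(2)), m.group(4))
            continue
        m = IP_RE.search(line)
        if m and current is not None:
            key = (m.group(1), int(m.group(2)), int(m.group(5)))
            alerts[key] = current
            current = None
    return alerts


def diff_alerts(old, new):
    """Compare two parse_alerts() results.

    Returns (missing, relabelled, added): packets alerted on only in old,
    packets alerted on in both but under a different rule, packets only in new.
    """
    missing = sorted(k for k in old if k not in new)
    relabelled = sorted((k, old[k], new[k]) for k in old if k in new and old[k] != new[k])
    added = sorted(k for k in new if k not in old)
    return missing, relabelled, added


# Constructed sample input: a shortened excerpt of the two logs in the post
# (one root.exe probe and three cmd.exe probes), in Snort's "full" alert layout.
SNORT_1_8 = """\
[**] [1:1256:4] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
211.93.93.194:2142 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:61312 IpLen:20 DgmLen:112 DF
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
211.93.93.194:2252 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:61603 IpLen:20 DgmLen:120 DF

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
211.93.93.194:2398 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:61876 IpLen:20 DgmLen:136 DF

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
211.93.93.194:2533 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:62142 IpLen:20 DgmLen:157 DF
"""

SNORT_1_9 = """\
[**] [1:1256:4] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
211.93.93.194:2142 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:61312 IpLen:20 DgmLen:112 DF
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:3] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
211.93.93.194:2252 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:61603 IpLen:20 DgmLen:120 DF

[**] [1:1286:3] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
211.93.93.194:2533 -> 130.216.3.40:80 TCP TTL:105 TOS:0x0 ID:62142 IpLen:20 DgmLen:157 DF
"""

if __name__ == "__main__":
    missing, relabelled, added = diff_alerts(parse_alerts(SNORT_1_8), parse_alerts(SNORT_1_9))
    for key in missing:
        print("dropped:    src=%s:%d ipid=%d" % key)
    for key, was, now in relabelled:
        print("relabelled: src=%s:%d ipid=%d  %s -> %s" % (key + (was[1], now[1])))
    for key in added:
        print("new:        src=%s:%d ipid=%d" % key)
```

On the excerpt this reports one dropped cmd.exe probe (ID 61876) and one relabelled packet (ID 62142, cmd.exe under 1.8, _mem_bin under 1.9). Fed the complete logs from the post via `parse_alerts(open(path).read())`, it reports ten dropped cmd.exe probes and the same single relabelling, which is the discrepancy the snortsnarf counts (13 versus 2 cmd.exe hits) summarise. Keying on IP ID is only safe when both sensors saw the same packets; across different captures the 16-bit ID wraps and the source port is what keeps the key unique.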
