[Snort-devel] Header mixup Bug in Snort 2.0?

Erik Norman erik.norman at ...2028...
Thu Jun 12 10:41:15 EDT 2003


Hi all,

I've run across some faulty reporting, where a certain packet correctly
generates an alarm, but where the header information (IP, ports etc) are
from another packet! It's a Bad Thing. Since i'm also have a complete
tcpdump log of everything, i feel rather sure what i'm talking about.

I'm administrating the IDS for a customer, so I have the need to strictly
anonymize the data, but will try to help however I can.

All details can be found below.

Now what? (Personal-brain-dump: old Libpcap version, strange home-net
definition...)



BTW, Snort rocks :-)

/Erik Norman



Setup:
------
Snort 2.0 on NetBSD 1.6.1
Tcpdump 3.7.1
Libpcap 0.4

Rule in question:
-----------------
alert ip $HOME_NET any -> $EXTERNAL_NET !80 (msg:"Backdoor indication, id
check returned userid"; content:"uid=";
byte_test:5,<,65537,0,relative,string; classtype:backdoor-indication;
sid:1882; rev:4;)

Note that it's a rule from snort-current, but with altered classification.


Notation:
---------
IP A1 and A2 are internal Addresses ($HOME_NET) and IP B and C are two,
different, external addresses. Both B and C appear in normal communication
from the company in question.


Reported alarm, from the file /var/log/snort/B.B.B.11/TCP\:3152-25:
-------------------------------------------------------------------
[**] Backdoor indication, id check returned userid [**]
06/11-10:23:42.329705 A1.A1.A1.204:3152 -> B.B.B.11:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:658
***AP*** Seq: 0x3959F78C  Ack: 0xED87141A  Win: 0xFAF0  TcpLen: 20
47 45 54 20 2F 63 6F 6D 6D 75 6E 69 74 79 2F 73  GET /community/s
70 65 6C 2F 69 6D 61 67 65 73 2F 72 61 6E 6B 5F  pel/images/rank_
31 2E 67 69 66 20 48 54 54 50 2F 31 2E 31 0D 0A  1.gif HTTP/1.1..
41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65 66  Accept: */*..Ref
65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 74 76 34  erer: http://tv4
2E 73 65 2F 63 6F 6D 6D 75 6E 69 74 79 2F 73 70  .se/community/sp
65 6C 2F 75 73 65 72 69 6E 66 6F 2E 61 73 70 78  el/userinfo.aspx
3F 75 69 64 3D 7B 32 46 33 36 32 41 35 36 2D 35  ?uid={2F362A56-5
---snip---


And this is from tcpdump:
-------------------------

10:23:42.304287 A2.A2.A2.1919 > C.C.C.132.www: . 1:1461(1460) ack 1 win 8760
(DF)
0x0000   4500 05dc ea1c 4000 7f06 0372 7e01 05f9        E..... at ...2029...~...
0x0010   930e f184 077f 0050 006f a0e3 d2cd 744f        .......P.o....tO
0x0020   5010 2238 c34f 0000 4745 5420 2f63 6f6d        P."8.O..GET./com
0x0030   6d75 6e69 7479 2f73 7065 6c2f 696d 6167        munity/spel/imag
0x0040   6573 2f72 616e 6b5f 312e 6769 6620 4854        es/rank_1.gif.HT
0x0050   5450 2f31 2e31 0d0a 4163 6365 7074 3a20        TP/1.1..Accept:.
0x0060   2a2f 2a0d 0a52 6566 6572 6572 3a20 6874        */*..Referer:.ht
0x0070   7470 3a2f 2f74 7634 2e73 652f 636f 6d6d        tp://tv4.se/comm
0x0080   756e 6974 792f 7370 656c 2f75 7365 7269        unity/spel/useri
0x0090   6e66 6f2e 6173 7078 3f75 6964 3d7b 3246        nfo.aspx?uid={2F
--snip --



Snort.conf
----------
var HOME_NET X.X.0.0/21 X.X.8.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.1
2.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH .
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
iis_flip_slash full_whitespace
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: [ --usual hosts snipped----]
preprocessor conversation: allowed_ip_protocols all, timeout 60,
max_conversations 32000
output alert_syslog: LOG_LOCAL4
include classification.config
include reference.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/local.rules





More information about the Snort-devel mailing list