[Snort-sigs] Snort missing SPARC Solaris snmpXdmi attempts

Chris Green cmg at ...26...
Mon Dec 10 08:20:02 EST 2001


<andrew.s.pendray at ...229...> writes:

> I'm running SNORT 1.8.3 release on RedHat 7.1, pretty much stock
> configuration of SNORT.  I used the exploit found at
> http://lsd-pl.net/code/SOLARIS/solsparc_snmpxdmid.c to overflow the
> snmpXdmi daemon on my SPARC Solaris 8 box.  I verified with TCPDUMP that
> the SNORT interface did "see" the entire exploit happen.  However, SNORT
> did not raise any alarm.  Since there are three signatures for this
> specific attack, I'm surprised by that.  Any idea what's going on?

12/10-09:56:15.187447  [**] [1:583:2] RPC portmap request rstatd [**]
[Classification: Decode of an RPC Query] [Priority: 2] {UDP}
testA:32878 -> testB:111

Shows up -- I think the RPC statd rules are way too generic.  The |01
86 A1 00 00| is matching the portmap query and since the 2 queries are
stacked into one packet, the more specific rules are not triggered.

sid:583 and sid:1270 should at least be moved to the end of the file
and renamed to have "statd" removed from their name, although that's
exactly what sid 1280,1281,599,598 do with a more specific content of
|00 01 86 A0 00 00 00 02 00 00 00 04|

Packet for RPC Request for Program 10000 ( portmap ) and Program
(100249 ) SNMPDX

0000  00 c0 4f 09 0a 5b 00 10  a4 97 45 50 08 00 45 00  
0010  00 54 00 00 40 00 40 11  06 af de ad be ef be ef  
0020  ee ee 80 6e 00 6f 00 40  64 29 69 bf 6e 73 00 00  
0030  00 00 00 00 00 02 00 01  86 a0 00 00 00 02 00 00  
0040  00 03 00 00 00 00 00 00  00 00 00 00 00 00 00 00  
0050  00 00 00 01 87 99 00 00  00 01 00 00 00 06 00 00  
0060  00 00                                             

If you'll mail me a copy of traffic capture ( with tcpdump -i eth0 -w
snmpdx-sploit.cap -s 1500 host solarishost ), I'll try and investigate
further. I don't have time this morning to rpcgen a fake program to
get the exploit attempt working.
-- 
Chris Green <cmg at ...26...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
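Added example, not code from Chris or from the Snort project: a small Python decoder for the hex dump above. It strips the Ethernet/IPv4/UDP headers, parses the ONC RPC CALL header (RFC 1831, AUTH_NULL cred/verf) and the portmap GETPORT arguments, and reports where a Snort hex content pattern quoted in the message falls in the RPC payload. The program-number names are assumptions taken from the message (100000 = portmap, 100249 = snmpXdmid).

```python
import struct

# The packet from the message above, re-typed without the offset column.
PACKET_HEX = """
00 c0 4f 09 0a 5b 00 10 a4 97 45 50 08 00 45 00
00 54 00 00 40 00 40 11 06 af de ad be ef be ef
ee ee 80 6e 00 6f 00 40 64 29 69 bf 6e 73 00 00
00 00 00 00 00 02 00 01 86 a0 00 00 00 02 00 00
00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 01 87 99 00 00 00 01 00 00 00 06 00 00
00 00
"""
PACKET = bytes.fromhex(PACKET_HEX)

# Assumed names for the program numbers mentioned in the message.
PROGRAMS = {100000: "portmap", 100249: "snmpXdmid"}

def udp_payload(frame: bytes) -> bytes:
    """Strip Ethernet, IPv4 (honouring IHL) and UDP headers; return UDP data."""
    ihl = (frame[14] & 0x0F) * 4
    udp = frame[14 + ihl:]
    length = struct.unpack("!H", udp[4:6])[0]   # UDP length includes its 8-byte header
    return udp[8:length]

def decode_rpc_call(data: bytes) -> dict:
    """Decode an ONC RPCv2 CALL; if it is portmap GETPORT, decode its arguments too."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack("!6I", data[:24])
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPCv2 CALL")
    off = 24
    for _ in range(2):  # cred then verf: flavor, body length, body padded to 4 bytes
        _flavor, blen = struct.unpack("!II", data[off:off + 8])
        off += 8 + ((blen + 3) & ~3)
    call = {"xid": xid, "prog": prog, "prog_name": PROGRAMS.get(prog, "?"),
            "vers": vers, "proc": proc}
    if prog == 100000 and proc == 3:  # portmap v2 procedure 3 is GETPORT
        tprog, tvers, tprot, tport = struct.unpack("!4I", data[off:off + 16])
        call.update(proc_name="GETPORT", target_prog=tprog,
                    target_name=PROGRAMS.get(tprog, "?"), target_vers=tvers,
                    target_prot=tprot, target_port=tport)
    return call

def content_offset(payload: bytes, pattern: str):
    """Offset of the first match of a Snort hex content like '|01 86 A1 00 00|', or None."""
    idx = payload.find(bytes.fromhex(pattern.strip("|")))
    return None if idx < 0 else idx

if __name__ == "__main__":
    payload = udp_payload(PACKET)
    print(decode_rpc_call(payload))
    for pat in ("|01 86 A1 00 00|", "|00 01 86 A0 00 00 00 02 00 00 00 04|"):
        print(pat, "->", content_offset(payload, pat))
```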