[Snort-sigs] RealSecure sigs update 1

counter.spy at ...52... counter.spy at ...52...
Thu Jun 20 09:17:06 EDT 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:
alert tcp $HOME_NET 902 -> $EXTERNAL_NET any \
(msg:"OTHER-IDS ISS RealSecure 6 event collector connection attempt"; \
flags:A+; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; \
nocase; offset:30; depth:70; classtype:successful-recon-limited; sid:1760; \
rev:2;)

# question: why did you change the dest from any any to $EXTERNAL_NET any?
# The console could very likely reside on the HOME_NET as well.

--
Sid:1760

--
Summary: OTHER-IDS ISS RealSecure 6 event collector connection attempt

--
Impact: RealSecure components can be identified.

--
Detailed Information: This signature indicates that a RealSecure 6.5 server
sensor offers available cryptographic providers to the console or event
collector after the console or event collector finished the initial TCP
three-way handshake.
The cryptographic handshake is done via the iSCSI protocol in clear-text.

--
Attack Scenarios: An internal hacker could use this knowledge in order to
map all the machines that are running RealSecure. An IDS admin could as well
use this signature for checking if anyone else has installed an IDS without
your knowledge.

--
Ease of Attack: You need to sniff on your network for a while.

--
False Positives: not known

--
False Negatives: RealSecure can be configured to listen on other than the 
default ports.

--
Corrective Action: The cryptographic handshake cannot be disabled.
ISS does not consider this to be an important issue.
It is strongly recommended to configure the sensors to listen on non-default
ports.

--
Contributors: Detmar Liesen aka counter.spy at ...52...

-- 
Additional References:






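For anyone tuning sid:1760, here is an added example (not part of the original post and not Snort code) that models the rule's source port, flags:A+, nocase and offset/depth options in Python and reports why a packet does or does not match. It assumes the search window is payload bytes offset to offset+depth, as the Snort 2.x manual describes; the payloads and the port 40902 are constructed, and the $HOME_NET/$EXTERNAL_NET address check is not modeled.

```python
# Added example: a plain-Python model of rule sid:1760 for testing its limits.
RULE_SRC_PORT = 902
CONTENT = b"6ISS ECNRA Built-In Provider, Strong Encryption"
OFFSET, DEPTH = 30, 70          # from the rule: offset:30; depth:70
TCP_ACK = 0x10                  # flags:A+ means ACK set, other flags allowed


def content_match(payload: bytes) -> bool:
    """content + nocase, searched only in payload[OFFSET:OFFSET+DEPTH].

    Assumption: depth is counted from offset (Snort 2.x manual semantics).
    """
    window = payload[OFFSET:OFFSET + DEPTH]
    return CONTENT.lower() in window.lower()


def evaluate(src_port: int, tcp_flags: int, payload: bytes) -> str:
    """Return 'alert' or the first reason the modeled rule stays silent."""
    if src_port != RULE_SRC_PORT:
        return "miss: source port"          # the False Negatives case
    if not tcp_flags & TCP_ACK:
        return "miss: ACK not set"
    if content_match(payload):
        return "alert"
    if CONTENT.lower() in payload.lower():
        return "miss: content outside offset/depth window"
    return "miss: content absent"


def make_payload(banner_at: int, banner: bytes = CONTENT) -> bytes:
    """Constructed payload: zero filler, the banner at banner_at, more filler."""
    return b"\x00" * banner_at + banner + b"\x00" * 16


if __name__ == "__main__":
    PSH_ACK = 0x18
    cases = [
        ("banner at 30", 902, PSH_ACK, make_payload(30)),
        ("banner at 53 (last fit)", 902, PSH_ACK, make_payload(53)),
        ("banner at 54", 902, PSH_ACK, make_payload(54)),
        ("lower-case banner", 902, PSH_ACK, make_payload(40, CONTENT.lower())),
        ("non-default port", 40902, PSH_ACK, make_payload(30)),
    ]
    for name, port, flags, data in cases:
        print(f"{name:26} -> {evaluate(port, flags, data)}")
```

The 47-byte banner only matches when it starts between payload offsets 30 and 53, so a sensor build that shifts the banner by a few bytes would be missed just as a non-default port is.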