[Snort-sigs] Local CodeRed infection

bthaler at ...572... bthaler at ...572...
Wed Jan 22 08:26:09 EST 2003


Thanks!  That makes perfect sense, and was exactly what I was looking for.
If you're subscribed to snort-users, you'll see that in my latest post I
suspect the same thing.  Looks like you've strengthened my suspicions.

Here are my details:
Snort = Version 1.9.0 (Build 209)
OpenBSD snort 3.2 GENERIC#25 i386

This is all running in a split sensor/database environment.  The sensor
machine has two nics.  One to sample traffic, and the other connects
directly to the MySQL box.







Sincerely,

Brad Thaler

----- Original Message -----
From: "Bamm Visscher" <rvissche at ...1206...>
To: <snort-sigs at lists.sourceforge.net>
Cc: <snort-devel at lists.sourceforge.net>
Sent: Wednesday, January 22, 2003 11:09 AM
Subject: Re: [Snort-sigs] Local CodeRed infection


> Can you give the build number you are using? Looks like you have found a
> good example of a known bug in the stream4 preprocessor where packets
> from one stream mistakenly get injected into another stream. I see this
> all the time too. In short, this rule never should have triggered, as an
> incoming cmd.exe (probably Nimda) got intermixed with a legitimate
> outgoing HTTP connection. Maybe Chris Green can give a more detailed
> explanation of what is happening, as I know he is working on a solution.
>
> Bammkkkk
>
> On Tue, 2003-01-21 at 10:10, bthaler at ...572... wrote:
> > Please forgive me in advance if this is the wrong list.
> >
> > I created these simple rules some time ago to check for any of my servers
> > being infected with CodeRed.
> >
> > alert tcp $HOME_NET any -> any 80 (msg:"*** LOCAL CODERED INFECTION ***";
> > content:"/cmd.exe"; nocase;)
> > alert tcp $HOME_NET any -> any 80 (msg:"*** LOCAL CODERED INFECTION ***";
> > content:"/root.exe"; nocase;)
> >
> > Since all of my servers are patched, these only triggered on false alarms,
> > as would be expected.  This was all working fine with Snort-1.8x, but
> > yesterday I upgraded to Snort-1.9 and these rules have started firing for
> > no apparent reason.
> >
> > For example, the first rule above just fired a few minutes ago on this
> > packet:
> >
> > Source IP = x.x.x.80
> > Source Port = 1830
> > Dest IP = 63.175.146.25
> > Dest Port = 80
> > <!---- begin packet ---->
> > HEAD /msadc/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
> > Host: x.x.x.23 (this is another host on my network)
> >
> > -->
> > <br>
> > <!--webbot bot="HTMLMarkup" startspan --><HumanClick> <script
> > language='javascript' src='http://hc2.humanclick.com/hc/xGET /WxDataISAPI/WxDataISAPI.dll?GetCData&Magic=10991&RegNum=18300681&ZipCode=33309&StationID=KFXE&Units=0&Version=4.1&Fore=1&t=1043156811&lv=0 HTTP/1.1
> > User-Agent: Mozilla/3.0 (compatible; MSIE 4.0; Win32)
> > Host: wisapidata.weatherbug.com
> > Connection: Keep-Alive
> >
> > GET /WxDataISAPI/WxDataISAPI.dll?GetCData&Magic=10991&RegNum=18300681&ZipCode=33309&StationID=KFXE&Units=0&Version=4.1&Fore=1&t=1043156811&lv=0 HTTP/1.1
> > User-Agent: Mozilla/3.0 (compatible; MSIE 4.0; Win32)
> > Host: wisapidata.weatherbug.com
> > Connection: Keep-Alive
> > <!---- end packet ---->
> >
> > If you look at the packet above, it will obviously trigger the first rule
> > above due to the cmd.exe in the payload.  The strange part is that this
> > particular machine is most definitely NOT infected.  Like I said above,
> > these rules have been in place for quite some time and never fired under
> > Snort-1.8, but now they're firing for several machines all of a sudden.
> >
> > So I guess my question is:  Why would this machine be sending a packet like
> > this if it wasn't infected, and why would the rules only fire now, after I
> > upgraded?
> >
> > Thanks in advance for the help.
> >
> >
> >
> >
> >
> >
> > Sincerely,
> >
> > Brad T.
> >
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: Scholarships for Techies!
> > Can't afford IT training? All 2003 ictp students receive scholarships.
> > Get hands-on training in Microsoft, Cisco, Sun, Linux/UNIX, and more.
> > www.ictp.com/training/sourceforge.asp
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> --
> Bamm (Robert) Visscher
> Network Security Engineer
> Ball Corp.
> http://www.ball.com
> rvissche at ...1206...
> 210.240.5950
>
>
>
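As an added example (not from the thread and not Snort's own code), here is a small Python triage check modelled on Bamm's explanation: it applies the same case-insensitive content test as Brad's rule to a constructed copy of the reassembled payload, then asks whether the request carrying the hit is addressed to the stream's real destination Host and whether headers for more than one Host appear in the data. A hit that sits in a request for a different Host, alongside a second Host, is consistent with two streams being reassembled together rather than with an infected client. The hostnames and addresses in the sample are placeholders.

```python
import re

# Constructed sample modelled on the payload quoted in the thread (trimmed, with
# placeholder addresses); it is not a capture from the list post.
SAMPLE_PAYLOAD = (
    "HEAD /msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n"
    "Host: 192.0.2.23\r\n"
    "\r\n"
    "-->\r\n"
    "<br>\r\n"
    "GET /WxDataISAPI/WxDataISAPI.dll?GetCData&StationID=KFXE HTTP/1.1\r\n"
    "User-Agent: Mozilla/3.0 (compatible; MSIE 4.0; Win32)\r\n"
    "Host: wisapidata.weatherbug.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

REQUEST_LINE = re.compile(r"^(?:GET|HEAD|POST) \S+ HTTP/1\.[01]\r?$", re.M)
HOST_HEADER = re.compile(r"^Host:[ \t]*(\S+)", re.M | re.I)


def rule_matches(payload, content="/cmd.exe"):
    """Same test as the thread's rule: content:"/cmd.exe"; nocase;"""
    return content.lower() in payload.lower()


def split_requests(payload):
    """Cut reassembled data into (text, Host) chunks, one chunk per request line."""
    starts = [m.start() for m in REQUEST_LINE.finditer(payload)]
    chunks = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(payload)
        chunk = payload[start:end]
        host = HOST_HEADER.search(chunk)
        chunks.append((chunk, host.group(1).lower() if host else None))
    return chunks


def triage(payload, expected_host, content="/cmd.exe"):
    """'clean' if every hit sits in a request addressed to the stream's own
    destination and only that Host appears; 'mixed-stream' otherwise."""
    if not rule_matches(payload, content):
        return {"matched": False, "verdict": "no-hit", "hosts": [], "hit_hosts": []}
    chunks = split_requests(payload)
    hosts = sorted({h for _, h in chunks if h})
    hit_hosts = {h for c, h in chunks if content.lower() in c.lower()}
    foreign = any(h != expected_host.lower() for h in hit_hosts)
    verdict = "mixed-stream" if foreign or len(hosts) > 1 else "clean"
    return {"matched": True, "verdict": verdict, "hosts": hosts,
            "hit_hosts": sorted(h for h in hit_hosts if h)}
```

Running `triage(SAMPLE_PAYLOAD, "wisapidata.weatherbug.com")` classifies the sample as "mixed-stream" because the cmd.exe request names a different Host than the stream's destination.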




