[Snort-sigs] Root kit and "hackers defender" detection

Matt Kettler mkettler at ...1208...
Tue Jan 28 10:22:04 EST 2003


Ugh, why turn Snort into tcpdump like that?

tcpdump -i (whatever interface) -s 1500 -x port (port#) and udp > (logfile)

This gets you a nice clean logfile with packet contents and everything, and 
it's completely separated from the rest of your snort logging. It's also 
much lower overhead since there isn't the rest of the snort ruleset 
involved, and much less likely to miss packets as a result.

A simple tcpdump example to sniff udp type DNS queries on an interface 
named eth0

tcpdump -i eth0 -s 1500 -x port 53 and udp

gets you output like this (note: I did change some bytes to loosely 
obfuscate internal IPs, so that's why the checksums will fail):

13:14:11.679899 veracruz.evitechnology.com.33916 > 
xanadu-int.evi-inc.com.domain:  33884+ PTR? 3.10.168.192.in-addr.arpa. (43) 
(DF)
                          4500 0047 5e6e 4000 4011 df78 0a00 0015
                          c0a8 0a03 847c 0035 0033 acc9 845c 0100
                          0001 0000 0000 0000 0133 0231 3003 3136
                          3803 3139 3207 696e 2d61 6464 7204 6172
                          7061 0000 0c00 01

13:14:11.680934 xanadu-int.evi-inc.com.domain > 
veracruz.evitechnology.com.33916:  33884* 1/1/1 PTR xanadu-int.evi-inc.com. 
(116) (DF)
                          4500 0090 65d5 4000 3f11 d8c8 c0a8 0a03
                          0a00 0015 0035 847c 007c 54f6 845c 8580
                          0001 0001 0001 0001 0133 0231 3003 3136
                          3803 3139 3207 696e 2d61 6464 7204 6172
                          7061 0000 0c00 01c0 0c00 0c00 0100 0151
                          8000 180a 7861 6e61 6475 2d69 6e74 0765
                          7669 2d69 6e63 0363 6f6d 00c0 0e00 0200
                          0100 0151 8000 0906 7861 6e61 6475 c042
                          c05b 0001 0001 0001 5180 0004 c0a8 3202

At 10:47 AM 1/28/2003 -0600, Robert Wagner wrote:
>What I would recommend if you wish to capture the backdoor and create a
>signature.
>Run snort with full logging something like:
>
>/usr/snort/snort -s -D -X -c /etc/snort/snort.conf -o
>
>Create a generic rule to capture all packets going to the backdoor port:
>
>alert udp any any -> any (port#) (msg:"Port Test";tag: session, 300,
>packets;)
>alert tcp any any -> any (port#) (msg:"Port Test";tag: session, 300,
>packets;)
>
>This will allow you to see the entire session.  Post the session (someone
>will recommend a sign for you) or create a rule using some identifying part
>of the session that is unique to the backdoor.
>
>-----Original Message-----
>From: Tony Johansson [mailto:tony.johansson at ...1237...]
>Sent: Tuesday, January 28, 2003 6:47 AM
>To: 'snort-sigs at lists.sourceforge.net'
>Subject: [Snort-sigs] Root kit and "hackers defender" detection
>
>
>Hello,
>
>Regarding a recent discussion on ntbugtraq about the detection and
>characteristics of a root kit which seems to be a modified variant of
>"hackers defender" (http://rootkit.host.sk/), I decided to try and see if
>snort would detect it.
>
>I downloaded the latest version of "hackers defender" and installed it on a
>test machine. It works perfectly, answering on all open tcp ports (scary...)
>
>I then hooked up snort (or more specifically puresecure) and configured it.
>I downloaded all the latest rules and enabled them all. It detects port
>scans and web cmd.exe attacks (http://machine/../../..cmd.exe ) but I am
>still able to connect to the back door over TCP 80 with no alert from snort.
>
>I'm pretty new to snort and haven't worked much with sigs. However, I should
>think that this would be something that people would want to detect?
>
>regards, Tony
>
>
>
>-------------------------------------------------------
>This SF.NET email is sponsored by:
>SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
>http://www.vasoftware.com
>_______________________________________________
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-sigs
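As an added example (not part of this thread, and not the poster's own tooling): the step Robert describes, taking a captured session and pulling an identifying byte run out of it for a rule, applied to the `tcpdump -x` dump Matt posted. The script below decodes that hex dump (IP header, UDP header, DNS question), checks the IP header checksum (it fails, as the post says it will, because address bytes were altered), and renders a chosen slice of the payload as a Snort `content` option. The packet bytes are copied from the dump above; the rule's port, `msg` text and `sid` are illustrative assumptions, and the choice of which bytes to match is a demonstration of the mechanics, not a recommended DNS signature.

```python
"""Decode a tcpdump -x hex dump and turn part of its payload into a Snort
content match.  Added example; packet bytes are the ones quoted in the
thread (with the poster's obfuscated addresses), the rule details are
illustrative assumptions."""
import struct

# Constructed copy of the PTR query shown in the post.  The poster changed
# address bytes, so the IP header checksum is expected NOT to verify.
TCPDUMP_HEX = """
4500 0047 5e6e 4000 4011 df78 0a00 0015
c0a8 0a03 847c 0035 0033 acc9 845c 0100
0001 0000 0000 0000 0133 0231 3003 3136
3803 3139 3207 696e 2d61 6464 7204 6172
7061 0000 0c00 01
"""


def hexdump_to_bytes(text):
    """Join the 16-bit groups that tcpdump -x prints into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def ip_checksum_ok(ip_header):
    """RFC 1071 one's-complement sum over the whole header, checksum field
    included; a correct header folds to 0xffff."""
    if len(ip_header) % 2:
        ip_header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(ip_header) // 2), ip_header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_dns_name(payload, offset):
    """Decode an uncompressed label sequence; returns (name, next offset)."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # a question section never needs pointers
            raise ValueError("compression pointers not supported here")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_udp_dns(raw):
    """Return the IP/UDP/DNS fields a signature writer wants to see."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    ttl, proto = raw[8], raw[9]
    if proto != 17:
        raise ValueError("not a UDP packet")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport, udp_len = struct.unpack("!HHH", raw[ihl:ihl + 6])
    dns = raw[ihl + 8:ihl + udp_len]          # UDP length includes its header
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", dns[:12])
    qname, off = parse_dns_name(dns, 12)
    qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
    return {
        "ip_checksum_ok": ip_checksum_ok(raw[:ihl]),
        "total_len": total_len, "ttl": ttl, "src": src, "dst": dst,
        "sport": sport, "dport": dport, "txid": txid, "flags": flags,
        "qdcount": qd, "qname": qname, "qtype": qtype, "qclass": qclass,
        "question": dns[12:off + 4],          # name + qtype + qclass bytes
    }


def snort_content(data):
    """Render bytes as a Snort content string: printable ASCII stays literal,
    everything else (and characters Snort treats specially) goes in |..|."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for b in data:
        if 0x20 <= b < 0x7F and chr(b) not in '|";:\\':
            flush()
            out.append(chr(b))
        else:
            hexrun.append("%02x" % b)
    flush()
    return "".join(out)


def snort_rule(fields, pattern, sid=1000001):
    """Wrap a chosen byte pattern in a rule; msg/sid are illustrative."""
    return ('alert udp any any -> any %d (msg:"DNS PTR query %s"; '
            'content:"%s"; sid:%d; rev:1;)'
            % (fields["dport"], fields["qname"], snort_content(pattern), sid))


if __name__ == "__main__":
    f = parse_udp_dns(hexdump_to_bytes(TCPDUMP_HEX))
    for k, v in f.items():
        print("%-15s %r" % (k, v))
    # Match only the invariant tail of the question (suffix + type/class),
    # the same idea as picking a fixed banner fragment out of a backdoor session.
    tail = f["question"][f["question"].index(b"\x07in-addr"):]
    print(snort_rule(f, tail))
```

The checksum check is there because a capture whose addresses were edited, or one taken on a host doing checksum offload, will show bad sums; knowing that before you cut a signature saves time chasing phantom corruption. The byte-to-`content` conversion is the part that carries over directly to the backdoor case: capture the session with the tag rule or tcpdump, locate the bytes that stay constant across connections, and hand that slice to the converter.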
