[Snort-sigs] 10 more snort signatures documented.

Babbin, Jacob Mr NSS-P Jacob.Babbin at ...892...
Thu Jul 3 16:33:05 EDT 2003


These are 10 more that I have done; I'll try to get more done Sunday. Again,
let me know if you need any more help.

Jake Babbin 


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; content:"Login failed"; nocase; flow:from_server,established; classtype:bad-unknown; sid:492; rev:6;)
--
Sid: 
 492 
--
Summary: 
Information - This means that an account failed to log in over telnet
--
Impact:
 If this alarm is coming in repeatedly for a single account, this could be an
indication of a brute-force attack
--
Detailed information:
 This is a packet with content of "Login failed", which is a response from the
server that the initial login failed.
--
Affected Systems:
 none - informational
--
Attack Scenarios: 
a user forgets their password or can't type it correctly or a brute force
attack 
--
Ease of Attack: 
very easy
-- 
False Positives: 
none
--
False Negatives: 
none 
--
Corrective Action: 
none
--
Contributors: 
Jake Babbin 
--
References: 
none 


Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP No Password"; content:"PASS"; nocase; offset:0; depth:4; content:"|0a|"; within:3; reference:arachnids,322; flow:from_client,established; classtype:unknown; sid:489; rev:5;)
--
SID: 
489
--
Summary: 
This is a poor security notice. This means that a user can log in to an FTP
server without a password.
--
Detailed Information: 
This looks for no value after a password prompt for an FTP session 
--
Affected Systems: 
all 
--
Attack Scenarios:
an FTP server was setup with a user account with no password. 
--
False Positives:
none
--
False Negatives:
none
--
Corrective Action:
 add a password to the user account 
--
Contributors:
 Jake Babbin 
--
References: 
 arachnids 322


Rule:
alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:3;)
--
Sid: 
503
--
Summary:
This is triggered due to a packet with a low source port going to another
low destination port. This is an indication of possibly spoofed traffic or
other bad traffic.
--
Detailed Information:
This is a packet which is triggered because its source is 20/tcp, which is
used for FTP data connections, going to a port less than 1024.
--
Affected Systems:
all
--
Attack Scenarios:
Spoofed traffic looking for FTP server to bounce from possibly or other
malicious intent
--
False Positives:
reply from legitimate FTP connections
--
False Negatives: 
none
--
Corrective Actions: 
check to maintain state across firewalls/routers  
--
Contributors: 
Jake Babbin 
--
References: 
arachnids 06 


Rule:
alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:3;)
--
SID: 
504
-- 
Summary: 
 This is a packet sourced from 53/tcp (DNS zone transfers) to another low
port (less than 1024). This can be an indication of a DNS zone transfer or
other information gathering techniques.
--
Detailed Information:
Packet could be an attempted DNS zone transfer from a hostile site.  
--
Affected Systems:
All 
--
Attack Scenario:
nslookup, dig, or other tools that could be used to get a DNS zone transfer
from a victim site. 
--
Ease of Attack:
nslookup or dig command "ls victim.com" should pull all DNS records back
--
False Positives:
new to MS Exchange 2000: all DNS requests go over 53/tcp
--
False Negatives:
none
--
Corrective Action:
verify the payload is not malicious
--
Contributors:
 Jake Babbin 
--
References:
arachnids 07 


Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"MISC Insecure TIMBUKTU Password"; content:"|05 00 3E|"; flow:to_server,established; depth:16; reference:arachnids,229; classtype:bad-unknown; sid:505; rev:3;)
--
SID:
505
--
Summary:
 This is a poor security practice over the open internet and on untrusted
network links. This is a Timbuktu login going over plaintext to the
Timbuktu server.
--
Impact:
 That means that anyone sniffing the wire can now use the login and password
used to gain access to the Timbuktu server.
--
Detailed information:
 Looks at the initial hex code of a Timbuktu client login and captures the
login and password combination.
--
Affected Systems:
Windows all versions and Mac 7.5.3 and later
--
Attack Scenario:
user logs into office Timbuktu server over a hacked network; login captured.
--
Ease of Attack:
as simple as sniffing the wire
--
False Positives:
none
--
False Negatives:
if Timbuktu over a different port than 1417 
--
Corrective Action:
only use Timbuktu over encrypted links or only on local LANs
--
Contributors:
 Jake Babbin 
--
References: 
arachnids 229 



Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:3;)
--
SID:
507
--
Summary:
 This is possibly a reason for concern due to the high level of access being
attempted. This can also be a poor security practice to use plaintext login
to remote machines.
--
Impact:
 Possible remote compromise with captured credentials or a poor security
practice to gain admin rights on remote machine
--
Detailed information:
This looks for a packet bound for the default PCAnywhere port 5631 with
username Administrator in the payload.
--
Affected Systems:
Windows all versions
--
Attack Scenario:
remote admin connects with PCAnywhere client over hacked links. 
--
Ease of Attack:
easy to sniff traffic 
--
False Positives:
possibly hit with web traffic responses on high traffic links
--
False Negatives:
case sensitive username, running on different port
--
Corrective Action:
upgrade to newer versions of PCAnywhere or connect over encrypted links
--
Contributors:
 Jake Babbin 
--
References:




Rule:
alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; offset:5; depth:13; classtype:unsuccessful-user; sid:511; rev:4;)
--
SID:
511
--
Summary:
 This is a notification of a failed PC anywhere login. 
--
Impact:
This has no impact other than notification of a failed account login. This
can be an indication of a brute force attack if this alarm is coming in more
than once or twice
--
Detailed Attack:
This is just a notification of the failure to login with "Invalid login" in
the content of the packet
--
Affected Systems:
Windows all versions
--
Attack Scenario:
 a user either forgets/misspells login information or a possible brute force
attack is occurring. 
--
Ease of Attack:
simple as mistyping login credentials
--
False Positives:
none
--
False Negatives:
case sensitive content or PCAnywhere on another port
--
Corrective action:
user remembers login credentials
--
Contributors: 
Jake Babbin 
--
References:



Rule:
alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"MISC PCAnywhere Failed Login"; flow:from_server,established; content:"Invalid login"; depth:16; reference:arachnids,240; classtype:unsuccessful-user; sid:512; rev:3;)
--
Sid:
512
--
Summary:
 This is a notification of a failed login to a PCAnywhere server.
--
Impact:
non-attack other than brute-force attack if the rule fires more than once in
a time period
--
Detailed Information:
This is a content inspection of the packet that triggers on content of
"Invalid Login", though it differs from sid:511 in that it looks farther down
in the packet payload for this content.
--
Affected Systems:
Windows All versions
--
Attack Scenario:
none; user types incorrect login
--
Ease of Attack:
easy 
--
False Positives:
none
--
False negatives:
none other than if run on other ports
--
Corrective Action:
user remembers login information
--
Contributors:
 Jake Babbin 
--
References:
arachnids 240 



Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$access"; flow:to_server,established; content:"\\ADMIN$|00 41 3a 00|"; reference:arachnids,340; classtype:attempted-admin; sid:532; rev:4;)
--
Sid:
532
--
Summary:
 This is a poor security practice or an indication that a machine is being
accessed remotely.
--
Impact:
Possible admin access on the victim machine. 
--
Detailed Information:
 This looks for the hidden Netbios share Admin$ which is the Winnt
directory. 
--
Affected Systems:
Windows 9x, 2000,XP
--
Attack Scenario:
can be accessed from GUI "map network drive" remotely 
--
Ease of Attack:
trivial
--
False Positives:
none
--
False Negatives:
none
--
Corrective Action:
disable the netbios at the firewall of corporate gateways or for home users
block with personal firewalls
--
Contributors:
 Jake Babbin 
--
References:
arachnids 340 


Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ access"; flow:to_server,established; content:"|5c|C$|00 41 3a 00|"; reference:arachnids,339; classtype:attempted-recon; sid:533; rev:5;)
--
Sid:
533
--
Summary:
 This is a poor security practice or an indication that a machine is being
accessed remotely.
--
Impact:
Possible root C: drive access on the victim machine.
--
Detailed Information:
 This looks for the hidden Netbios share C$ which is the root C: drive
folder.
--
Affected Systems:
Windows 9x, 2000, XP
--
Attack Scenarios:
can be accessed from GUI "map network drive" remotely
--
Ease of Attack:
trivial 
--
False Positives:
none
--
False Negatives:
none 
--
Corrective Action:
disable the netbios at the firewall of corporate gateways or for home users
block with personal firewalls
--
Contributors:
 Jake Babbin 
--
References:
arachnids 339




--------------------------------------------------------------------------------------------
Jake Babbin, GCIH
Sr. Intrusion Detection Analyst, ITA
Contractor, Telos Corp.
(p) 703-692-0267
--------------------------------------------------------------------------------------------
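As an added example (not part of the post and not Snort's own code), the following Python models the content matching semantics the rules above depend on: content strings with |..| hex, nocase, offset, depth and within. It assumes the Snort 2 behaviour described in the Snort manual, namely that depth and within bound a window inside which the whole pattern must fit, and it ignores flow:, flags: and the rule header. It then runs the quoted sid:489, 507, 511 and 512 rules over constructed payloads, which shows why sid:489 fires only on an empty PASS argument, why sid:507 misses a mixed-case username (the "case sensitive username" false negative noted above), and which byte positions sid:511 (offset:5; depth:13) and sid:512 (depth:16) actually cover.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not Snort's code: a minimal model of the Snort 2 content
# options used in the rules above (content, nocase, offset, depth, within).
# flow:, flags: and the rule header are ignored, and all payloads are
# constructed.  Assumed semantics: depth and within define a window and the
# whole pattern has to fit inside it.


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    offset: int = 0               # absolute start of the search window
    depth: Optional[int] = None   # window length measured from offset
    within: Optional[int] = None  # window length after the previous match


def parse_content(spec: str) -> bytes:
    """Decode a content string: text outside |..| is literal (backslash
    escapes honoured), text inside |..| is hex bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                                   # odd chunks sit inside |..|
            out += bytes.fromhex(part)
        else:
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)


def parse_rule(rule: str) -> List[Content]:
    """Return the rule's content matches, in order, with their modifiers applied."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    # split on ';' outside double quotes (the quoted rules contain no escaped quotes)
    contents: List[Content] = []
    for opt in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body):
        key, _, value = opt.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "content":
            contents.append(Content(parse_content(value.strip('"'))))
        elif key == "nocase":                       # modifies the preceding content
            contents[-1].nocase = True
        elif key in ("offset", "depth", "within"):
            setattr(contents[-1], key, int(value))
    return contents


def _match_one(payload: bytes, c: Content, prev_end: int) -> Optional[int]:
    """Return the index just past the match, or None when the content fails."""
    hay, pat = (payload.lower(), c.pattern.lower()) if c.nocase else (payload, c.pattern)
    if c.within is not None:                        # relative to the previous match
        start, stop = prev_end, prev_end + c.within
    else:                                           # absolute from packet start
        start = c.offset
        stop = len(hay) if c.depth is None else c.offset + c.depth
    idx = hay[start:stop].find(pat)                 # slicing keeps the whole pattern in-window
    return None if idx < 0 else start + idx + len(pat)


def rule_matches(payload: bytes, contents: List[Content]) -> bool:
    """Every content must match, in order; each later one is relative to the previous."""
    end = 0
    for c in contents:
        end = _match_one(payload, c, end)
        if end is None:
            return False
    return True


# The rules quoted in the post, joined onto one line each.
RULE_489 = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP No Password"; '
            'content: "PASS"; nocase; offset:0; depth:4; content:"|0a|"; within:3; '
            'reference:arachnids,322; flow:from_client,established; classtype:unknown; sid:489; rev:5;)')
RULE_507 = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC PCAnywhere Attempted '
            'Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; '
            'classtype:attempted-admin; sid:507; rev:3;)')
RULE_511 = ('alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"MISC Invalid PCAnywhere Login"; '
            'flow:from_server,established; content:"Invalid login"; offset:5; depth:13; '
            'classtype:unsuccessful-user; sid:511; rev:4;)')
RULE_512 = ('alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"MISC PCAnywhere Failed Login"; '
            'flow:from_server,established; content:"Invalid login"; depth: 16; '
            'reference:arachnids,240; classtype:unsuccessful-user; sid:512; rev:3;)')

if __name__ == "__main__":
    # Constructed payloads: an empty and a real FTP password, two spellings of
    # the PCAnywhere username, and "Invalid login" at payload byte 3 and byte 5.
    for label, payload, rule in [
        ("489 empty password", b"PASS\r\n", RULE_489),
        ("489 real password", b"PASS secret\r\n", RULE_489),
        ("507 upper-case", b"ADMINISTRATOR", RULE_507),
        ("507 mixed-case", b"Administrator", RULE_507),
        ("511 string at byte 5", b"\x00" * 5 + b"Invalid login", RULE_511),
        ("512 string at byte 5", b"\x00" * 5 + b"Invalid login", RULE_512),
        ("512 string at byte 3", b"\x00" * 3 + b"Invalid login", RULE_512),
    ]:
        print(f"{label}: {rule_matches(payload, parse_rule(rule))}")
```

Because `offset:5; depth:13` leaves a 13-byte window for a 13-byte pattern, sid:511 only fires when "Invalid login" starts exactly at payload byte 5, while sid:512's `depth:16` accepts it at bytes 0 through 3; the two rules therefore cover disjoint positions rather than one being a superset of the other.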
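Several of the descriptions above (sid:492, 511 and 512) say a failed-login alert only matters when it repeats for the same peer. This added Python, which is not from the post, reads alert lines in Snort's alert_fast layout and flags peers that reach a threshold of failures inside a sliding time window. The sample log lines, threshold and window are constructed for the example; one detail worth noticing is that these rules match the server's reply ($HOME_NET -> $EXTERNAL_NET), so the peer attempting the logins is the alert's destination address, not its source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Added example, not from the post: count failed-login alerts per peer in a
# sliding window, which is the "alarm coming in repeatedly" condition the
# descriptions of sid:492, 511 and 512 point at.  Log lines follow Snort's
# alert_fast layout and are constructed for this example.

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+\s*$"
)

# These rules match the server's failure reply ($HOME_NET -> $EXTERNAL_NET),
# so the peer doing the logging in is the alert's *destination* address.
FAILED_LOGIN_SIDS: Dict[int, str] = {492: "dst", 511: "dst", 512: "dst"}


def parse_alert(line: str) -> Optional[dict]:
    """Parse one alert_fast line; return None for lines that do not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f"),  # alert_fast carries no year
        "sid": int(m["sid"]),
        "msg": m["msg"],
        "src": m["src"],
        "dst": m["dst"],
    }


def find_bruteforce(lines: List[str], count: int = 5, seconds: int = 60) -> List[Tuple[int, str]]:
    """Return (sid, peer) pairs that produced `count` or more failures within `seconds`."""
    windows: Dict[Tuple[int, str], Deque[datetime]] = defaultdict(deque)
    flagged: List[Tuple[int, str]] = []
    for line in lines:
        a = parse_alert(line)
        if a is None or a["sid"] not in FAILED_LOGIN_SIDS:
            continue
        key = (a["sid"], a[FAILED_LOGIN_SIDS[a["sid"]]])
        q = windows[key]
        q.append(a["ts"])
        while (q[-1] - q[0]).total_seconds() > seconds:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= count and key not in flagged:
            flagged.append(key)
    return flagged


# Constructed sample: five telnet failures to one peer inside 30 seconds, two
# failures to another peer about ten minutes apart, plus unrelated alerts.
SAMPLE_ALERTS = """\
07/03-16:33:05.000000  [**] [1:492:6] INFO TELNET Bad Login [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:23 -> 198.51.100.9:1037
07/03-16:33:12.000000  [**] [1:492:6] INFO TELNET Bad Login [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:23 -> 198.51.100.9:1038
07/03-16:33:19.000000  [**] [1:492:6] INFO TELNET Bad Login [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:23 -> 198.51.100.9:1039
07/03-16:33:27.000000  [**] [1:492:6] INFO TELNET Bad Login [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:23 -> 198.51.100.9:1040
07/03-16:33:34.000000  [**] [1:492:6] INFO TELNET Bad Login [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:23 -> 198.51.100.9:1041
07/03-16:35:00.000000  [**] [1:492:6] INFO TELNET Bad Login [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:23 -> 198.51.100.20:2001
07/03-16:40:00.000000  [**] [1:511:4] MISC Invalid PCAnywhere Login [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 10.0.0.8:5631 -> 198.51.100.9:4000
07/03-16:41:00.000000  [**] [1:489:5] INFO FTP No Password [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 198.51.100.30:3333 -> 10.0.0.21:21
07/03-16:44:30.000000  [**] [1:492:6] INFO TELNET Bad Login [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:23 -> 198.51.100.20:2002
"""

if __name__ == "__main__":
    for sid, peer in find_bruteforce(SAMPLE_ALERTS.splitlines()):
        print(f"sid {sid}: {peer} reached the failed-login threshold")
```

With the defaults (5 failures in 60 seconds) only the peer behind the burst of telnet failures is flagged; the single PCAnywhere failure and the two failures ten minutes apart stay below threshold. The same counting can be done inside Snort with its own thresholding configuration, but doing it over the alert log makes the rule being illustrated explicit and lets the count and window be tuned per sid.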

