[Snort-sigs] 10 documented Signatures

Babbin, Jacob Mr NSS-P Jacob.Babbin at ...892...
Tue Jul 8 13:27:10 EDT 2003


Below are 10 that I have done so far; I'll have 10 more done soon. Let me know
if I can do anything else to help out.

Jake Babbin 
------------------------------------------------------------------------------------------
Jake Babbin,GCIH
Sr. Intrusion Detection Analyst, ITA
Contractor, Telos Corp.
(p) 703-692-0267 
-----------------------------------------------------------------------------------------



# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:
 alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"DOS Bay/Nortel Nautica Marlin"; dsize:0; reference:bugtraq,1009; reference:cve,CVE-2000-0221; classtype:attempted-dos; sid:279; rev:2;)
--
Sid: 
 279 
--
Summary: 
This is a simply crafted attack: a packet of 0 size sent to the SNMP port
161/udp causes the router to crash and require a reboot, halting all
traffic.
--
Impact:
 Loss of network traffic 
--
Detailed information:
 This is a single-packet attack that affected older versions of the Nortel
SOHO Marlin router. It causes the router to crash due to a runtime error in
the router software.
--
Affected Systems:
 Nortel Marlin Series Routers. 
--
Attack Scenarios: 
 nmap -sU -p 161 victim 
--
Ease of Attack: 
Trivial
-- 
False Positives: 
This can sometimes be caused by VPN traffic from Cisco PIX firewalls.
--
False Negatives: 
Unknown 
--
Corrective Action: 
This product line was discontinued in Sept 2000
--
Contributors: 
Jake Babbin, Bugtraq id 1009
--
References: 
Bugtraq 1009,CVE 2000-0221


Rule:
 alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS - TFN client command LE"; itype: 0; icmp_id: 51201; icmp_seq: 0; reference:arachnids,183; classtype:attempted-dos; sid:251; rev:1;)
--
SID: 
251 
--
Summary: 
An attempt by a Tribal Flood Network (TFN) client to possibly send
instructions to a victim machine (ArachNIDS 183). It is carried over the ICMP
protocol inside a seemingly harmless Echo Reply packet. When this rule fires
it is worth investigating other traffic to/from the host.
--
Detailed Information: 
This can be reason to raise alerts for this victim machine. 
--
Affected Systems: 
Windows 9x, NT, and 2000
--
Attack Scenarios:
 The host may be a victim enrolled in a botnet that is used for large-scale
DDoS attacks.
--
False Positives:
 Network monitoring software such as HP OpenView polling has been known to
cause false positives.
--
False Negatives:
 Systems that do not inspect the payload of ICMP traffic can miss this.
--
Corrective Action:
Turn off the rule for your Unix systems, monitor your Windows systems more
closely, and if you think the traffic is suspicious enough, find more
information about TFN.
--
Contributors:
 Jake Babbin 
--
References: 
ArachNids 183 


Rule:
 alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; id:242; fragbits:M; reference:cve,CAN-1999-0015; reference:url,www.cert.org/advisories/CA-1997-28.html; reference:bugtraq,124; classtype:attempted-dos; sid:270; rev:2;)
--
Sid: 
270 
--
Summary: 
This attack exploits faulty arithmetic in several vendors' TCP/IP stacks.
It is sent as 2 or more packets with specially fragmented payloads to a
victim IP, causing the network stack to fail so that the machine must be
rebooted or its network services restarted.
--
Detailed Information:
 This attack can be delivered by sending 2 or more specially fragmented IP
datagrams. The first is the 0-offset fragment with a payload of size N,
with the MF bit on (data content is irrelevant). The second is the last
fragment (MF == 0) with a positive offset < N and with a payload of < N.
(SecurityFocus Bugtraq ID 124)
--
Affected Systems:
 HP-UX 9 and 10, Windows 95, NT 3.51, NT 4
--
Attack Scenarios:
 Can be launched from almost any *nix platform once the exploit is compiled
--
False Positives:
 None
--
False Negatives: 
none
--
Corrective Actions: 
Get the Windows NT 4 SP3 hotfix "icmp-fix" and the W2k hotfix "teardrop-fix";
see the HP site for the proper ARPA patch.
--
Contributors: 
Jake Babbin 
--
References: 
bugtraq 124, cve 1999-0015
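The fragment shape described under Detailed Information, worked through in code (an added example, not part of the original post): parse the IP header fields the rule keys on, apply the literal sid 270 logic (UDP, id:242, fragbits:M), and beside it the generic overlap check from the description, which also catches the same pair under any IP id. The 10.0.0.x addresses and all fragments are constructed test input.

```python
import struct
from collections import defaultdict

def parse_ipv4(pkt: bytes) -> dict:
    """Extract the fragmentation-relevant fields of an IPv4 header."""
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "src": pkt[12:16], "dst": pkt[16:20],
            "mf": bool(flags_off & 0x2000),       # More Fragments flag (Snort fragbits:M)
            "offset": (flags_off & 0x1FFF) * 8,   # fragment offset, converted to bytes
            "payload_len": total_len - ihl}

def sid270_matches(frag: dict) -> bool:
    """Literal logic of the page's rule: UDP, IP id 242, MF bit set."""
    return frag["proto"] == 17 and frag["id"] == 242 and frag["mf"]

def teardrop_ids(frags) -> list:
    """Generic form of the Detailed Information text: within one flow, a 0-offset
    MF fragment of payload N plus a last fragment (MF clear) with 0 < offset < N
    and payload < N, i.e. a fragment that starts and ends inside the first one."""
    flows = defaultdict(list)
    for f in frags:
        flows[(f["src"], f["dst"], f["id"], f["proto"])].append(f)
    hits = set()
    for (_src, _dst, ident, _proto), fl in flows.items():
        for first in (f for f in fl if f["offset"] == 0 and f["mf"]):
            n = first["payload_len"]
            if any(not b["mf"] and 0 < b["offset"] < n and b["payload_len"] < n for b in fl):
                hits.add(ident)
    return sorted(hits)

def build_frag(ident: int, offset: int, mf: bool, payload_len: int) -> bytes:
    """Constructed sample fragment (10.0.0.1 -> 10.0.0.2, UDP); checksum left zero."""
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_off,
                      64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + bytes(payload_len)

# Constructed samples: the described pair under IP id 242, the same pair under another
# id (invisible to the id:242 rule), and a benign two-fragment datagram whose second
# fragment begins exactly where the first ends.
SAMPLE = [parse_ipv4(p) for p in (
    build_frag(242, 0, True, 36), build_frag(242, 24, False, 4),
    build_frag(999, 0, True, 36), build_frag(999, 24, False, 4),
    build_frag(777, 0, True, 1480), build_frag(777, 1480, False, 100),
)]

if __name__ == "__main__":
    print("sid 270 matches:", [f["id"] for f in SAMPLE if sid270_matches(f)])  # [242]
    print("overlapping-fragment flows:", teardrop_ids(SAMPLE))                 # [242, 999]
```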


Rule:
 alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP iss scan"; flow:to_server,established; content:"pass -iss at ...1576..."; reference:arachnids,331; classtype:suspicious-login; sid:354; rev:4;)
--
SID: 
354 
-- 
Summary: 
This alarm, if triggered, means that an ISS vulnerability scanner is in
use.
--
Detailed Information:
This looks for a packet with a payload of "pass iss at ...1576..." on the FTP port
21/tcp.
--
Affected Systems:
 All 
--
Attack Scenario:
 Attacker/VA team scanning/probing your network 
--
Ease of Attack:
 Scripted attack - easy
--
False Positives:
 none 
--
False Negatives:
none
--
Corrective Action:
 Contact your VA teams 
--
Contributors:
 Jake Babbin 
--
References:
 arachnids,331 


Rule:
 alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP saint scan"; flow:to_server,established; content:"pass -saint"; reference:arachnids,330; classtype:suspicious-login; sid:358; rev:4;)
--
SID:
 358 
--
Summary:
 This alarm, if triggered, means that a vulnerability scan is being
conducted with the tool SAINT.
--
Impact:
 None if the scan is authorized; cause for investigation if it is not.
--
Detailed information:
 This looks for a packet with a payload of "pass -saint" on the FTP port
21/tcp.
--
Affected Systems:
 All 
--
Attack Scenario:
 Attacker/VA team scanning/probing your network 
--
Ease of Attack:
 Scripted attack - easy 
--
False Positives:
 none 
--
False Negatives:
 none 
--
Corrective Action:
 Contact your VA teams
--
Contributors:
 Jake Babbin 
--
References: 
arachnids,330 



Rule:
 alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP satan scan"; flow:to_server,established; content:"pass -satan"; reference:arachnids,329; classtype:suspicious-login; sid:359; rev:4;)
--
SID:
 359 
--
Summary:
 This alarm, if triggered, means that a vulnerability scan is being
conducted with the tool SAINT.
--
Impact:
 None if the scan is authorized; cause for investigation if it is not.
--
Detailed information:
 This looks for a packet with a payload of "pass -satan" on the FTP port
21/tcp.
--
Affected Systems:
 All 
--
Attack Scenario:
 Attacker/VA team scanning/probing your network 
--
Ease of Attack:
 Scripted attack - easy 
--
False Positives:
 none 
--
False Negatives:
 none 
--
Corrective Action:
 Contact your VA teams
--
Contributors:
 Jake Babbin 
--
References:
 arachnids,329  



Rule:
 alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP site exec"; flow:to_server,established; content:"SITE "; nocase; content:"EXEC "; distance:0; nocase; reference:bugtraq,2241; reference:arachnids,317; classtype:bad-unknown; sid:361; rev:7;)
--
SID:
 361 
--
Summary:
 Some versions of the University of Washington wu-ftpd allow an attacker to
gain root by using the FTP command SITE EXEC to enter commands as root.
--
Impact:
 full root system compromise 
--
Detailed Attack:
 "site exec bash -c id" (securityfocus.com/bid/2241/exploit/); if you get a
response containing uid=0, your server is vulnerable.
--
Affected Systems:
 wu-ftpd 2.4.1 running on any *nix system 
--
Attack Scenario:
 Can be launched from a valid FTP user account to escalate privileges 
--
Ease of Attack:
 scripted attack - easy 
--
False Positives:
 Some versions of the Windows FTP clients WS_FTP and CuteFTP are known to
trigger this rule.
--
False Negatives:
 none 
--
Corrective action:
 Upgrade to 2.4.2 or later
--
Contributors: 
bugtraq 2241, arachnids 317, Jake Babbin 
--
References:
 bugtraq 2241, arachnids 317 


Rule:
 alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)
--
Sid:
 466 
--
Summary:
 This is a packet which, if seen, means someone is using the L3retriever
software to map your network through ping packets.
--
Impact:
 Recon information and network mapping 
--
Detailed Information:
 Specifically marked ping packets used to map a network by seeing who
responds to ICMP pings. 
--
Affected Systems:
 All that answer PING
--
Attack Scenario:
 scripted information gathering such as VA teams 
--
Ease of Attack:
 scripted attack - easy 
--
False Positives:
 none 
--
False negatives:
 none 
--
Corrective Action:
 investigate source of probes 
--
Contributors:
 Jake Babbin 
--
References:
 arachnids 311 



Rule:
 alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING WhatsupGold Windows"; content:"|5768 6174 7355 7020 2d20 4120 4e65 7477|"; itype:8; depth:32; reference:arachnids,168; sid:482; classtype:misc-activity; rev:2;)
--
Sid:
 482 
--
Summary:
 This is a packet which, if seen, means that someone is using the Windows
mapping and monitoring tool What's Up Gold to monitor or probe the network.
--
Impact:
 Recon information and network mapping 
--
Detailed Information:
 Specifically marked ping packets used to map a network, again by seeing who
responds to ICMP ping packets.
--
Affected Systems:
 All that answer PING
--
Attack Scenario:
 automated scripted network recon such as Net Ops or VA teams 
--
Ease of Attack:
 scripted attack - easy 
--
False Positives:
 none 
--
False Negatives:
 none 
--
Corrective Action:
 investigate source of probes 
--
Contributors:
 Jake Babbin 
--
References:
 arachnids 168 


Rule:
 alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; itype:8; depth:32; reference:arachnids,154; sid:483; classtype:misc-activity; rev:2;)
--
Sid:
 483  
--
Summary:
 This is an ICMP packet which, if seen, means that someone is using the
Windows tool CyberKit to probe the network.
--
Impact:
 Recon information and network mapping 
--
Detailed Information:
Specifically marked ping packets used to map a network through ICMP Pings 
--
Affected Systems:
 All that answer PING
--
Attack Scenarios:
 Automated network recon such as Net Ops or VA teams 
--
Ease of Attack:
 Scripted attack - easy 
--
False Positives:
 Some HP OpenView polling has been known to trigger this rule
--
False Negatives:
 none 
--
Corrective Action:
 investigate source of probes 
--
Contributors:
 Jake Babbin 
--
References:
 arachnids 154 
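How the ICMP options in the three ping signatures above (sids 466, 482, 483) and the TFN rule (sid 251) are evaluated, as an added example that is not part of the original post: a small matcher that applies itype/icode/icmp_id/icmp_seq to the ICMP header and searches a decoded `content` string in the payload no deeper than `depth`. The rule options are transcribed from the page; the packets, the 0x1234 identifier and the "ork Monitor" filler after the WhatsUp marker are constructed.

```python
import struct

def parse_snort_content(spec: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal, hex inside (spaces ignored)."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode("latin-1")
    return bytes(out)

# ICMP header and payload options transcribed from the page's rules (sid -> options).
RULES = {
    251: {"itype": 0, "icmp_id": 51201, "icmp_seq": 0},                                        # TFN client command LE
    466: {"itype": 8, "icode": 0, "content": "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI", "depth": 32},  # L3retriever
    482: {"itype": 8, "content": "|5768 6174 7355 7020 2d20 4120 4e65 7477|", "depth": 32},   # WhatsUp Gold
    483: {"itype": 8, "content": "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|", "depth": 32},          # CyberKit 2.2
}

def match_icmp(rule: dict, icmp: bytes) -> bool:
    """Evaluate a rule the way Snort does on an ICMP packet: every header option must
    agree, and content is searched in the payload after the 8-byte ICMP header, but
    only within the first `depth` payload bytes."""
    if len(icmp) < 8:
        return False
    hdr = dict(zip(("itype", "icode", "_csum", "icmp_id", "icmp_seq"), struct.unpack("!BBHHH", icmp[:8])))
    if any(key in hdr and hdr[key] != want for key, want in rule.items()):
        return False
    if "content" in rule:
        payload = icmp[8:]
        return parse_snort_content(rule["content"]) in payload[:rule.get("depth", len(payload))]
    return True

def classify(icmp: bytes) -> list:
    """Return the sids (sorted) whose options the packet satisfies."""
    return sorted(sid for sid, rule in RULES.items() if match_icmp(rule, icmp))

def icmp_packet(itype: int, icode: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed ICMP packet; checksum left zero since no rule here tests it."""
    return struct.pack("!BBHHH", itype, icode, 0, ident, seq) + payload

# Constructed samples: echo requests carrying each tool's marker, an echo reply with the
# TFN id/seq, a generic ping payload, and the WhatsUp marker placed beyond depth:32.
SAMPLES = {
    "l3retriever": icmp_packet(8, 0, 0x1234, 1, b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"),
    "whatsup": icmp_packet(8, 0, 0x1234, 1, b"WhatsUp - A Netw" + b"ork Monitor"),  # tail is filler
    "cyberkit": icmp_packet(8, 0, 0x1234, 1, bytes([0xAA]) * 32),
    "tfn_reply": icmp_packet(0, 0, 51201, 0, b""),
    "plain_ping": icmp_packet(8, 0, 0x1234, 1, bytes(range(56))),
    "whatsup_deep": icmp_packet(8, 0, 0x1234, 1, bytes(40) + b"WhatsUp - A Netw"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:>13}: {classify(pkt)}")
```

Note that the last sample shows the effect of `depth:32`: the same marker bytes further into the payload do not fire the rule.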
