[Snort-sigs] disable /var/log/snort logging

Bill McCarty bmccarty at ...483...
Thu May 8 21:59:06 EDT 2003

Hey all,

I've been seeing the Snort exploit that was recently published on 
Packetstorm being used against port TCP/139 of one of my hosts, which is 
not a Snort sensor <g>. The default Snort ruleset flags the NOPs in the 
exploit. But, it's nice to know whether one's seeing a NetBIOS/SMB attack 
or a Snort attack.

The following rule successfully detects the Packetstorm attack:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Snort p7191.sh attack"; \
content:"|31c0 31db 31c9 51b1 0651 b101 51b1 0251|"; offset:0;)

It's a lousy rule, because it detects the exploit shellcode rather than the 
underlying vulnerability. And, the offset value could likely be increased 
to improve efficiency, since the shellcode is preceded by a fairly large 
NOP sled. But, I'm a busy guy <g>; so it's the best I can do just now.

FYI, I've also seen some very large (>64k) UDP packets in my Snort capture 
files. The tcpdump program chokes when it hits one. But, I've learned that 
I can use tcpslice to exclude a few milliseconds of data from a packet 
capture file and see what went on near the time of the large packets.

I don't know whether this symptom is related to either of the recently 
published Snort vulnerabilities, some other Snort vulnerability, or yet 
another cause. Since I'm no longer seeing this traffic, it's hard to know 
what was going on.


Bill McCarty
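
Added example (not part of the original post, and not Snort's own code): a Python sketch of how a content pattern with an offset is evaluated, run against a constructed payload to show what raising the offset does when a NOP sled precedes the matched bytes. The 512-byte sled length, the filler bytes and the helper names are assumptions made for illustration, and escaped pipes in content strings are not handled.

```python
import re
from typing import Optional

# Content pattern copied from the rule in the post above.
RULE_CONTENT = "|31c0 31db 31c9 51b1 0651 b101 51b1 0251|"

def parse_content(pattern: str) -> bytes:
    """Decode a Snort-style content string: literal text mixed with |hex| runs."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:                 # every hex run needs two pipes
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:                           # odd pieces sit between pipes
            out += bytes.fromhex(re.sub(r"\s+", "", part))
        else:                               # even pieces are literal text
            out += part.encode("latin-1")
    return bytes(out)

def content_match(payload: bytes, needle: bytes,
                  offset: int = 0, depth: Optional[int] = None) -> int:
    """Return the index of the first match, or -1.

    offset: byte position in the payload where the search starts.
    depth:  how many bytes from offset may be searched (None = to the end).
    """
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return payload.find(needle, offset, end)

def demo() -> dict:
    needle = parse_content(RULE_CONTENT)
    sled_len = 512                          # constructed value
    # Constructed payload: sled, the 16 rule bytes, then zero filler.
    payload = b"\x90" * sled_len + needle + b"\x00" * 32
    nops_only = b"\x90" * 600               # constructed: sled with no match bytes
    return {
        "offset_0": content_match(payload, needle, 0),
        "offset_at_sled_end": content_match(payload, needle, sled_len),
        "offset_one_past": content_match(payload, needle, sled_len + 1),
        "nops_only": content_match(nops_only, needle, 0),
    }

if __name__ == "__main__":
    for name, index in demo().items():
        print(f"{name}: {index}")
```

An offset larger than the shortest sled actually sent makes the rule miss, so any increase has to stay at or below the minimum sled length observed in captures.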