[Snort-sigs] disable /var/log/snort logging
bmccarty at ...483...
Thu May 8 21:59:06 EDT 2003
I've been seeing the Snort exploit that was recently published on
Packetstorm being used against port TCP/139 of one of my hosts, which is
not a Snort sensor <g>. The default Snort ruleset flags the NOPs in the
exploit. But, it's nice to know whether one's seeing a NetBIOS/SMB attack
or a Snort attack.
The following rule successfully detects the Packetstorm attack:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Snort p7191.sh attack"; \
content:"|31 c0 31 db 31 c9 51 b1 06 51 b1 01 51 b1 02 51|"; offset:0;)
It's a lousy rule, because it detects the exploit shellcode rather than the
underlying vulnerability. And, the offset value could likely be increased
to improve efficiency, since the shellcode is preceded by a fairly large
NOP sled. But, I'm a busy guy <g>; so it's the best I can do just now.
FYI, I've also seen some very large (>64k) UDP packets in my Snort capture
files. The tcpdump program chokes when it hits one. But, I've learned that
I can use tcpslice to exclude a few milliseconds of data from a packet
capture file and see what went on near the time of the large packets.
I don't know whether this symptom is related to either of the recently
published Snort vulnerabilities, some other Snort vulnerability, or yet
another cause. Since I'm no longer seeing this traffic, it's hard to know
what was going on.
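To make the offset-tuning remark above concrete, here is an added example (not from the post or the Snort project) that emulates the rule's content/offset/depth matching in Python and measures the NOP sled ahead of the signature, which is the number a defender would look at before raising offset; SIG is the rule's content bytes, the sample payloads are constructed, and the function names are assumptions.

```python
from typing import Optional

# Content bytes from the rule in the post (start of the exploit shellcode).
SIG = bytes.fromhex("31c031db31c951b10651b10251b10251")
NOP = 0x90  # x86 single-byte NOP used for the sled

# Constructed samples: a 200-byte sled followed by the signature, and a
# benign NetBIOS/SMB-looking payload that must not alert.
SAMPLE = b"\x90" * 200 + SIG + b"A" * 20
BENIGN = b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00" + b"\x00" * 40


def content_match(payload: bytes, content: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> int:
    """Emulate Snort's content/offset/depth: the match must start at or
    after `offset` and lie completely within `depth` bytes of it.
    Returns the match index or -1."""
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return payload.find(content, offset, end)


def nop_sled_before(payload: bytes, idx: int) -> int:
    """Count consecutive 0x90 bytes immediately preceding index idx."""
    n = 0
    while idx - n - 1 >= 0 and payload[idx - n - 1] == NOP:
        n += 1
    return n


def check_rule(payload: bytes, offset: int = 0,
               depth: Optional[int] = None) -> dict:
    """Apply the post's rule logic to one TCP payload. On a hit, report where
    the signature sits and how long the sled in front of it is, so the
    smallest observed sled bounds how far `offset` can safely be raised."""
    idx = content_match(payload, SIG, offset, depth)
    if idx < 0:
        return {"alert": False}
    return {"alert": True, "index": idx, "nop_sled": nop_sled_before(payload, idx)}


if __name__ == "__main__":
    print(check_rule(SAMPLE))   # alerts, index 200, nop_sled 200
    print(check_rule(BENIGN))   # no alert
```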