[Snort-sigs] SID 663 - Revision 6 - False Positives question

Erik Alexander Løkken eal at ...835...
Thu May 15 15:36:06 EDT 2003


After upgrading the Snort signatures last night, I've started 
to experience a lot of false positives related to SID 663.
After going through the packets logged by Snort I'm not able
to see the sed command referred to in the signature documentation
at snort.org (http://www.snort.org/snort-db/sid.html?sid=663).

I've not experienced any false positives with the signature 
before revision 6. 

Why was the signature updated? And is it possible that the 
stream reassembly causes this signature to create false positives?
All of the packets I have verified consist of more than one packet
reassembled with the stream preprocessor. But none of them include
the sed command following a pipe character.

The signature used to look like this:

old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.5.8 overflow"; flow:to_server,established; content: "|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|"; reference:arachnids,172; reference:cve,CVE-1999-0095; classtype:attempted-admin; sid:663; rev:4;)

Now it looks like this:

new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to sed command attempt"; flow:to_server,established; content:"rcpt to\:"; nocase; content:"\|"; distance:0; content:"sed "; distance:0; reference:bugtraq,1; reference:arachnids,172; reference:cve,CVE-1999-0095; classtype:attempted-admin; sid:663; rev:6;)

As far as I can see from the exploit example on SecurityFocus, it 
also seems like there is a "<" character between "rcpt to" and the |. Shouldn't
that be included as well? 

Since the exploit needs the debug command I suggest that it 
is added to the signature.

A new signature could maybe look like this: 

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to sed command attempt"; flow:to_server,established; content:"debug"; nocase; content:"rcpt to\:"; nocase; content:"<\|"; distance:0; content:"sed "; distance:0; reference:bugtraq,1; reference:arachnids,172; reference:cve,CVE-1999-0095; classtype:attempted-admin; sid:663; rev:6;)

Or am I missing something here?

/erik
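To make the false-positive mechanism in the post concrete, here is an added example (not from the original mail or from the Snort project) that re-implements just enough of Snort's `content` / `nocase` / `distance:0` semantics in Python to compare the rev 6 rule with the tightened variant proposed above. The sample SMTP streams are constructed for this example; the "reassembled" benign one is several segments joined, exactly as the stream preprocessor would hand them to the detection engine. The suspect sample is built from the hex bytes of the rev 4 rule so no new pattern is introduced.

```python
"""Toy model of Snort content matching, used to test SID 663 rev 6 vs. the
proposed tightened rule against a benign reassembled stream.

Semantics modelled (a simplification of Snort's detection engine):
  * nocase      -> case-insensitive comparison
  * distance:0  -> search starts at the end of the previous content match
  * a content without a relative modifier is searched from payload offset 0
  * Snort retries later occurrences when a following content fails, so the
    matcher backtracks instead of taking only the first hit.
"""


def decode_snort_content(spec):
    """Decode a Snort content string to bytes.

    '|7c 73 65|' sections are hex; a backslash escapes the next character
    (Snort needs ':' and '|' escaped inside a content string)."""
    out = bytearray()
    i = 0
    while i < len(spec):
        c = spec[i]
        if c == "\\":
            out.append(ord(spec[i + 1]))
            i += 2
        elif c == "|":
            j = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:j])
            i = j + 1
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


# Rules as (content spec, nocase, relative-to-previous-match), in rule order.
REV6 = [("rcpt to\\:", True, False), ("\\|", False, True), ("sed ", False, True)]
PROPOSED = [("debug", True, False), ("rcpt to\\:", True, False),
            ("<\\|", False, True), ("sed ", False, True)]
REV4_HEX = "|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|"


def _match(payload, contents, cursor):
    if not contents:
        return True
    (pattern, nocase, relative), rest = contents[0], contents[1:]
    hay, pat = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
    idx = hay.find(pat, cursor if relative else 0)
    while idx >= 0:
        if _match(payload, rest, idx + len(pat)):
            return True
        idx = hay.find(pat, idx + 1)  # backtrack to the next occurrence
    return False


def rule_matches(payload, rule):
    """True if every content of the rule matches the payload in order."""
    compiled = [(decode_snort_content(s), nocase, rel) for s, nocase, rel in rule]
    return _match(payload, compiled, 0)


# Constructed benign session: a mail whose body happens to contain a shell
# pipe and the word "sed ", delivered in several TCP segments that the
# stream preprocessor reassembles into one buffer.
BENIGN_SEGMENTS = [
    b"MAIL FROM:<alice@example.test>\r\n",
    b"RCPT TO:<bob@example.test>\r\n",
    b"DATA\r\nSubject: shell one-liner\r\n\r\n",
    b"Try: grep -i error app.log | sort | uniq -c\r\n",
    b"or strip comments with sed 's/#.*//' first.\r\n.\r\n",
]
BENIGN_STREAM = b"".join(BENIGN_SEGMENTS)

# Constructed sample of the shape the rule describes, using the rev 4 bytes.
SUSPECT_STREAM = (b"DEBUG\r\nMAIL FROM:<alice@example.test>\r\nRCPT TO:<"
                  + decode_snort_content(REV4_HEX) + b">\r\n")


def evaluate():
    """Return a dict of (stream, rule) -> matched, for both rules."""
    return {
        ("benign", "rev6"): rule_matches(BENIGN_STREAM, REV6),
        ("benign", "proposed"): rule_matches(BENIGN_STREAM, PROPOSED),
        ("suspect", "rev6"): rule_matches(SUSPECT_STREAM, REV6),
        ("suspect", "proposed"): rule_matches(SUSPECT_STREAM, PROPOSED),
    }


if __name__ == "__main__":
    for key, hit in evaluate().items():
        print(f"{key[0]:8s} {key[1]:9s} -> {'ALERT' if hit else 'no alert'}")
```

The benign reassembled stream fires rev 6 because `rcpt to:`, a later `|` and a still later `sed ` can be arbitrarily far apart, which is what distance:0 on its own allows; requiring `<|` adjacent to the address and the `debug` verb keeps the sample still matching while the benign mail no longer does.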