[Snort-sigs] Q on

D Murdoch djmurd at ...1841...
Fri Sep 5 05:37:08 EDT 2003


> 
> From: snort-sigs-request at lists.sourceforge.net
> Date: 2003/09/04 Thu PM 11:22:48 EDT
> To: snort-sigs at lists.sourceforge.net
> Subject: Snort-sigs digest, Vol 1 #693 - 8 msgs
> 
> Send Snort-sigs mailing list submissions to
> 	snort-sigs at lists.sourceforge.net
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.sourceforge.net/lists/listinfo/snort-sigs
> or, via email, send a message with subject or body 'help' to
> 	snort-sigs-request at lists.sourceforge.net
> 
> You can reach the person managing the list at
> 	snort-sigs-admin at lists.sourceforge.net
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-sigs digest..."
> 
> 
> Today's Topics:
> 
>    1. UPDATE: flexresp2 (new and improved active response for Snort) (Jeff Nathan)
>    2. MUMU (mos def)
>    3. RE: MUMU (Robert Wagner)
>    4. sid 567 and new mail relay signatures (Jon Hart)
>    5. P2P GNUTella GET causes lots of false positives (Shane Smith)
>    6. Unified output for barnyard (Michael Miller)
>    7. Re: Unified output for barnyard (Dusty Hall)
>    8. Re: sid 567 and new mail relay signatures (Jon Hart)
> 
> --__--__--
> 
> Message: 1
> Date: Thu, 4 Sep 2003 02:59:24 -0700
> From: Jeff Nathan <jeff at ...95...>
> To: snort-announce at lists.sourceforge.net,
>   snort-users at lists.sourceforge.net, snort-devel at lists.sourceforge.net,
>   snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] UPDATE: flexresp2 (new and improved active response for Snort)
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> NOTE: This is an update to the release of sp_respond2 yesterday based  
> upon feedback from Chris Green.  It contains 2 minor bugfixes, allows  
> for running Snort as a non-root user with active response and re-adds  
> the ability to send TCP resets to the client (ONLY to be used for  
> attack-response rules).
> 
> At long last I am proud to release flexresp2, the improved version of  
> active response for Snort.
> 
> From the readme file:
> ***********************
> To compensate for the fact that Snort cannot possibly send a TCP reset  
> to the server (receiving host) or client (sending host) before the  
> offending packet reaches the destination, Snort will transmit a minimum  
> of 3 TCP reset packets with shifting TCP ack numbers in an attempt to  
> brute-force the connection into an unusable state.
> 
> Flexresp2 will automatically calculate the original TTL when sending a  
> response packet.
> 
> Flexresp2 will not respond to TCP packets with the SYN, FIN or RST flag  
> set.
> 
> Link-layer active response (crafting complete Ethernet frames) can be  
> used to completely bypass the routing table and force response packets  
> to be sent out a specified interface.
> 
> Snort running on Unix-like systems no longer requires root privileges  
> when active response (flexresp2) is used.  Instead the -u and -g  
> command line options can be used.
> ***********************
> 
> All the files comprising flexresp2 (sp_respond2) are available here:
> http://cerberus.sourcefire.com/~jeff/archives/snort/sp_respond2/
> 
> A readme is available here:
> http://cerberus.sourcefire.com/~jeff/archives/snort/sp_respond2/sp_respond2.readme
> 
> Please read this readme document carefully.  It has been written to  
> help anyone interested in using flexresp2 and details the new features  
> available in this release.
> 
> All the files have been MD5 checksummed, a checksum file is available  
> here:
> http://cerberus.sourcefire.com/~jeff/archives/snort/sp_respond2/MD5
> 
> A detached PGP signature has been created for all the files.  To verify  
> the signatures using GPG, import my public key from the MIT keyserver  
> using the command:
> 
> gpg --keyserver pgp.mit.edu --recv-key 6923D3FD
> 
> 
> Once you have obtained my PGP public key, you can verify the integrity  
> of the flexresp2 files using commands resembling the following:
> 
> gpg --verify sp_respond2.diff.gz.asc sp_respond2.diff.gz
> 
> 
> Please reference the BUGS file contained with the Snort distribution  
> before reporting any bugs in this software.
> 
> Special thanks to Dragos Ruiu, Jed Haile, Jose Nazario, Mike Davis,  
> Chris Reid and Chris Green for all their suggestions and review.
> 
> Enjoy!
> 
>   -Jeff
> 
> - --
> http://cerberus.sourcefire.com/~jeff       (gpg key available)
> "Great spirits have always encountered violent opposition from
> mediocre minds."   - Albert Einstein
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (Darwin)
> 
> iD8DBQE/Vw0CEqr8+Gkj0/0RAsBTAJwOzWq9jaHmc1BWkKyKHLj3X7DkeQCgxuzf
> nlslujYrKFvcZLJQMJmocQs=
> =Bmf0
> -----END PGP SIGNATURE-----
> 
> 
> 
> --__--__--
> 
> Message: 2
> Date: Thu, 4 Sep 2003 12:33:26 +0200 (CEST)
> From: mos def <mosdef_it at ...1544...>
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] MUMU
> 
> I'm looking for the signature for the worm W32.Mumu.B.
> Please help me, my net is full of this....sh*t
> 
> 
> 
> --__--__--
> 
> Message: 3
> From: Robert Wagner <rwagner at ...447...>
> To: 'mos def' <mosdef_it at ...1544...>, snort-sigs at lists.sourceforge.net
> Subject: RE: [Snort-sigs] MUMU
> Date: Thu, 4 Sep 2003 07:02:09 -0500 
> 
> There appear to be lots of items to create a signature for.  Look at:
> http://securityresponse.symantec.com/avcenter/venc/data/w32.mumu.b.worm.html
> 
> 
> 
> --__--__--
> 
> Message: 4
> Date: Thu, 4 Sep 2003 15:20:17 -0400
> From: Jon Hart <warchild at ...288...>
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] sid 567 and new mail relay signatures
> 
> Greetings,
> 
> This is in regards to an email I sent a long while back:
> 
> http://marc.theaimsgroup.com/?l=snort-sigs&m=101176018929591&w=2
> 
> I'm now reinvestigating the issue, as nearly all of the alerts I get for
> sid 567 are from external mail servers telling ours that they can't
> relay.  Although people are always trying to relay mail through our
> servers, snort is not catching them because Postfix throws a slightly
> different error message.
> 
> With that in mind, I did some poking at mail servers that are scattered
> around our network:
> 
> MTA                Version          Relay error code/message
> Sendmail           8.9.3/8.8.7      551 we do not relay
> Sendmail           8.11.0/8.11.0    550 5.7.1 test at ...1837... Relaying denied
> Exim               3.36             550 relaying to <test at ...1838...> prohibited by administrator
> Postfix            1.1.11           554 <test at ...1838...>: Recipient address rejected: Relay access denied
> Microsoft ESMTP    5.0.2195.6713    550 5.7.1 Unable to relay for test at ...1838...
> 
> While this isn't a comprehensive list of mail servers or possible mail
> relay errors, these are the major ones and, to the best of my knowledge,
> none of these have modified configs that might throw very nonstandard
> relay error messages.
> 
> The errors that put the intended recipient in the error message are
> slightly more difficult to write rules for because a really long email
> address could push the actual interesting bits of the message very far
> off into the packet, therefore making 'distance' based rules impossible.
> 
> Much like sids 982-984 and 1945 (which use the same msg, but different
> contents), I think it'd be great to have a few more rules to detect SMTP
> relaying.  I'm currently testing two variants of sid 567:  one which
> matches "551 we do not relay" for older versions of sendmail, and
> another which matches "550 relaying to".  
> 
> I'll let the list know how things go.
> 
> Thoughts on this?
> 
> -jon
> 
> 
> --__--__--
> 
> Message: 5
> From: "Shane Smith" <shane at ...1839...>
> To: <snort-sigs at lists.sourceforge.net>
> Date: Thu, 4 Sep 2003 15:29:01 -0400
> Subject: [Snort-sigs] P2P GNUTella GET causes lots of false positives
> 
> Hey Folks,
> 
> I'm new to snort, so sorry if this has been covered recently.  SID 1432
> regarding p2p networks seems weird to me.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET";
> flow:to_server,established; content:"GET "; offset:0; depth:4;
> classtype:policy-violation; sid:1432; rev:4;)
> 
> If I am reading this correctly, then any packet containing "GET" headed out
> of my network, destined for any port other than 80, will trigger this rule.
> 
> Won't this cause a false positive with every HTTP GET request to any
> external server with non-standard ports?
> 
> For example:
> http://www.nhc.rtp.nc.us:8080/
> 
> Simply hitting that URL causes the rule to fire.
> 
> Thanks folks,
> Shane
> 
> 
> 
> --__--__--
> 
> Message: 6
> From: Michael Miller <michael.miller at ...1811...>
> To: snort-sigs at lists.sourceforge.net
> Date: Thu, 4 Sep 2003 14:19:44 -0600 
> Subject: [Snort-sigs] Unified output for barnyard
> 
> I must be missing something BIG, but I'm trying to get snort to output in
> unified format (for Barnyard) and I keep getting either Snort's
> Ascii/IPaddress-per-folder or TCPdump format. I've got the unified output
> post-processor uncommented, and I've GOOGLED, but I can't, for the life of
> me, figure out how to produce the unified alert and log files. (using the
> latest current stable version of snort from the CVS tree.)
> 
> 
> 
> --__--__--
> 
> Message: 7
> Date: Thu, 04 Sep 2003 16:16:40 -0500
> From: "Dusty Hall" <halljer at ...1195...>
> To: <snort-sigs at lists.sourceforge.net>,<michael.miller at ...1811...>
> Subject: Re: [Snort-sigs] Unified output for barnyard
> 
> Michael,
> 
>   Could you give us an example of your snort.conf?
> 
>   Here's what ours looks like:
> 
> output alert_unified: filename unified.alert, limit 512
> output log_unified: filename unified.log, limit 512
> 
> 
> -Dusty
> 
> 
> 
> 
> 
> --__--__--
> 
> Message: 8
> Date: Thu, 4 Sep 2003 19:50:09 -0400
> From: Jon Hart <warchild at ...288...>
> To: Jason <security at ...704...>
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] sid 567 and new mail relay signatures
> 
> On Thu, Sep 04, 2003 at 05:55:10PM -0400, Jason wrote:
> > a thought to consider
> > 
> > why not a byte_test for >= 550 as a status code in conjunction with the 
> > content "relay" between two newlines.
> 
> 550+ might get a few too many false positives.  See section 4.2 of
> http://www.faqs.org/rfcs/rfc821.html for some error codes.  Maybe if we
> assume some range, like 550-555, that might work a bit better.  I don't
> recall ever seeing newlines...  
> 
> Another thing I've been seeing lately is mail servers throwing 550
> errors if the content is unacceptable (i.e., virus), so this makes
> things difficult because the number of alerts could really skyrocket.
> 
> > It is not a perfect solution but forging and crafting should be a non 
> > issue since the server is the one returning the status code. Wonder what 
> > performance impacts there would be too but since there would be several 
> > content checks it should be ok.
> 
> Very true, especially given that this rule uses 'flow'.  Before, when
> simple flags were used, any jerk with a packet crafter could really ring
> some bells.  I don't think there will be any sort of performance hit.
> At worst, there might be two or three content matches, which is no worse
> than existing rules.
> 
> -jon
> 
> 
> 
> --__--__--
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
> 
> End of Snort-sigs Digest
> 

Don Murdoch, Systems Engineer
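The relay-denied detection debated in messages 4 and 8 of the quoted digest (fixed content strings per MTA versus a status-code test plus the word "relay"), worked through as an added example that is not part of the thread or of any Snort rule. It re-implements the three matching strategies in Python over a constructed set of SMTP reply lines modelled on the strings in Jon Hart's table; the addresses are placeholders, and the content-rejection and "250 Ok" lines are constructed to show the false-positive cases Jon raises.

```python
import re
from typing import Optional

# Constructed sample SMTP server replies (one per line, as sent after RCPT TO).
# Wording follows the MTA strings quoted in the digest; addresses are
# placeholders, and the last two entries are added to exercise the
# false-positive cases discussed in the thread.
SAMPLE_REPLIES = {
    "sendmail-8.9.3":  "551 we do not relay\r\n",
    "sendmail-8.11.0": "550 5.7.1 <user@example.invalid>... Relaying denied\r\n",
    "exim-3.36":       "550 relaying to <user@example.invalid> prohibited by administrator\r\n",
    "postfix-1.1.11":  "554 <user@example.invalid>: Recipient address rejected: Relay access denied\r\n",
    "ms-esmtp-5.0":    "550 5.7.1 Unable to relay for user@example.invalid\r\n",
    "content-reject":  "550 5.7.1 Message content rejected (virus found)\r\n",  # not a relay attempt
    "accepted":        "250 2.1.5 Ok\r\n",                                       # normal delivery
}

# Fixed strings from the two sid 567 variants Jon says he is testing.
FIXED_CONTENT = ("551 we do not relay", "550 relaying to")

# SMTP reply code: three ASCII digits at offset 0 followed by space or '-'.
_STATUS_RE = re.compile(rb"^(\d{3})[ -]")


def status_code(reply: bytes) -> Optional[int]:
    """Read the 3-digit reply code at offset 0 (what a byte_test in string/dec mode reads)."""
    m = _STATUS_RE.match(reply)
    return int(m.group(1)) if m else None


def match_fixed_content(reply: bytes) -> bool:
    """Plain content match on one of the fixed MTA-specific strings."""
    return any(s.encode() in reply for s in FIXED_CONTENT)


def match_code_only(reply: bytes, minimum: int = 550) -> bool:
    """Jason's first idea: reply code >= 550 and nothing else."""
    code = status_code(reply)
    return code is not None and code >= minimum


def match_code_range_and_relay(reply: bytes, low: int = 550, high: int = 555) -> bool:
    """Jon's refinement: a bounded code range plus 'relay' anywhere in the line, case-insensitive."""
    code = status_code(reply)
    return code is not None and low <= code <= high and b"relay" in reply.lower()


def evaluate(samples=SAMPLE_REPLIES):
    """Run all three strategies over the samples; returns {name: {strategy: matched}}."""
    results = {}
    for name, text in samples.items():
        reply = text.encode()
        results[name] = {
            "fixed": match_fixed_content(reply),
            "code_only": match_code_only(reply),
            "range_relay": match_code_range_and_relay(reply),
        }
    return results


if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:16} fixed={r['fixed']!s:5} code_only={r['code_only']!s:5} "
              f"range_relay={r['range_relay']}")
```

Running it shows the trade-off in the thread: the fixed strings catch only the Sendmail 8.9 and Exim wording, the bare ">= 550" test also fires on the content-rejection reply, and the bounded range plus "relay" catches all five MTA wordings while ignoring both the content rejection and the 250 reply. In Snort 2 rule syntax the code test would be written as `byte_test:3,>=,550,0,string,dec;` (a second byte_test with `<=` gives the upper bound) and the word check as a plain `content:"relay"; nocase;`, with `flow:from_server,established;` so that only the server's reply is inspected; that mapping is my reading of the byte_test keyword, not something the thread spells out.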




