[Snort-sigs] rules to detect possible threats by the dll's called, Invalid fragment+TCP flags, Adobe Acrobat Reader XFDF possible buffer overflow

Joseph Gama josephgama at ...144...
Wed Jul 21 11:49:07 EDT 2004


--- Matthew Jonkman <matt at ...2436...> wrote:
> Questions inline:
> 
> Joseph Gama wrote:
> 
> > #(create packets-DOS, tunneling, etc)
> > #libnetnt.dll
> > #libnet.dll
> > #libdnet.dll
> > 
> > #(read packets-sniffer, etc)
> > #wpcap.dll
> > #rpklib.dll
> > 
> > #(all purpose, Trojan, RAT, etc)
> > #socket.dll
> > #ws2_32.dll
> > #wsock32.dll
> > #packet32.dll
> > #packet.dll
> > #iphlpapi.dll
> > #wininet.dll
> > 
> > #(ShellCode, RAT)
> > #cmd.exe
> > #\cmd.exe
> > #explorer.exe
> > #shell32.dll
> > 
> > #(DOS, ping)
> > #icmp.dll
> > 
> > #local network(net send, enumerate)
> > #netapi32.dll 
> > 

Hi Matt, thank you for the feedback! :)

> 
> I'm concerned about falses on these. Backups, program downloads,
> executing programs across the network, etc, would likely trip a
> number of them.
> 
> Have you been using them Joseph? How accurate are they? Anyone else
> tried them?

My tests are very limited, kind of academic...
Executing programs across the network wouldn't trip
them because they use $EXTERNAL_NET any -> $HOME_NET any.
I think that they should be more accurate than
detecting file extensions. Some are very common with
comm apps but others are at least very suspicious. How
many legitimate apps call cmd.exe? wpcap.dll is
usually in a sniffer, rpklib.dll is an excellent
library mostly used by RATs or worms but I have seen
legitimate tools using it as well. When downloading a
freeware text editor, screensaver or game you don't
expect it to be able to connect to the internet,
right? This is all very relative.

> 
> > 
> > 
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any
> > (msg:"Invalid fragment+TCP flags"; dsize:0; ack:0;
> > fragbits:!M; flags:!AP,12; window:2048;
> > reference:arachnids,162; classtype:bad-unknown;
> > sid:99999; rev:1;)
> > 
> Question for the sourcefire folks, is this type of packet not detected
> by existing means? And is flags the way to annotate it, or should it be
> something new? I understand flags is obsoleted, but can't find
> documentation on a better way. Or is that just flags for flow?

Which flags are legal in a fragmented packet? How does
it work in OSes other than Linux and Windows? This is
a hot issue and it will create a long debate. Let's
hear from the gurus.

> 
> 
> > alert tcp any any -> any any (msg:"Adobe Acrobat
> > Reader XFDF possible buffer overflow";
> > content:"application/vnd.adobe.xfdf";
> > reference:url,www.nextgenss.com/advisories/adobexfdf.txt;
> > classtype:bad-unknown; sid:99999; rev:1;)
> > 
> > 
> And not to shoot down everything you did Joseph, :) this is going to be
> chock full of falses. The filetype is legitimate, there's nothing to
> differentiate this from a false. And I know I hit these files quite a
> bit (and they are all legitimate). Is there something we can add to it to
> identify a malicious hit?

No problem! :)
No, there is no way to identify malicious code. At
least we can know when such a file was downloaded.
If you use application/vnd.adobe.xfdf with any file,
even binary ones, it will happen, that is why it is so
dangerous.

Actually I am surprised that no one has yet tried my
rules for NETBIOS access. I thought they would be a
good subject for discussion.

Peace,

Joseph

> 
> Thanks for the work Joseph.
> 
> Matt
> 
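Added example (not from this thread, not Snort's own code): a small evaluator for just the rule options the two rules above use (content, dsize, ack, fragbits, flags with a mask, window), run against constructed packets. It shows what the "Invalid fragment+TCP flags" rule actually requires of a segment, how the ",12" mask hides the reserved bits, and that the XFDF rule fires on an ordinary download because the content string alone is the whole condition, which is Matt's false-positive point. The modifier semantics in bits_match (exact match by default, "!" meaning the masked bits differ from the listed set) are an assumption to verify against Snort's own sp_tcp_flag_check.c / sp_ip_fragbits.c; content matching is plain substring with no |hex| or nocase handling. The Packet class and the sample packets are constructed for the demo.

```python
from dataclasses import dataclass

# Constructed input: the two rules from the thread, one per string, with the
# "url" reference written without a scheme (Snort's url reference system adds http://).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Invalid fragment+TCP flags"; '
    'dsize:0; ack:0; fragbits:!M; flags:!AP,12; window:2048; '
    'reference:arachnids,162; classtype:bad-unknown; sid:99999; rev:1;)',
    'alert tcp any any -> any any (msg:"Adobe Acrobat Reader XFDF possible buffer overflow"; '
    'content:"application/vnd.adobe.xfdf"; '
    'reference:url,www.nextgenss.com/advisories/adobexfdf.txt; '
    'classtype:bad-unknown; sid:99999; rev:1;)',
]

# TCP flag letters as Snort spells them; "1" and "2" are the two reserved bits.
TCP_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20,
            "1": 0x40, "2": 0x80, "0": 0x00}
# IP fragment bits for the fragbits keyword.
FRAG_BITS = {"M": 0x1, "D": 0x2, "R": 0x4}


@dataclass
class Packet:
    """Only the header fields the two rules look at (constructed, not a real decoder)."""
    payload: bytes = b""
    ack_num: int = 0
    tcp_flags: int = 0x10      # raw 8-bit TCP flags byte; 0x10 = ACK
    window: int = 65535
    frag_flags: int = 0        # combination of FRAG_BITS values


def parse_rule(text):
    """Split 'action proto src sport -> dst dport (opts)' into header tokens and an
    ordered list of (keyword, argument) pairs. Sufficient for these rules: no
    option here carries an escaped ';' inside a quoted string."""
    header, _, body = text.partition("(")
    body = body.rsplit(")", 1)[0]
    options = []
    for raw in body.split(";"):
        raw = raw.strip()
        if raw:
            key, _, arg = raw.partition(":")
            options.append((key.strip(), arg.strip()))
    return header.split(), options


def _bits(letters, table):
    value = 0
    for c in letters:
        value |= table[c]
    return value


def bits_match(spec, have, table):
    """[!|*|+]<letters>[,<mask letters>] against a raw bit field. Assumed semantics:
    no modifier = exact match, '+' = listed bits plus any others, '*' = any listed
    bit, '!' = masked bits differ from the listed set. Masked bits are ignored."""
    mode = spec[0] if spec[0] in "!*+" else ""
    wanted, _, mask = spec[len(mode):].partition(",")
    want = _bits(wanted, table)
    have &= ~_bits(mask, table) & 0xFF
    if mode == "":
        return have == want
    if mode == "!":
        return have != want
    if mode == "+":
        return have & want == want
    return have & want != 0


def number_match(spec, value):
    """dsize/ack/window argument: plain N, or <N / >N."""
    if spec.startswith("<"):
        return value < int(spec[1:])
    if spec.startswith(">"):
        return value > int(spec[1:])
    return value == int(spec)


def rule_matches(rule_text, pkt):
    """True when every detection option holds; the header (addresses, ports) is not evaluated."""
    _, options = parse_rule(rule_text)
    for key, arg in options:
        if key == "content":
            ok = arg.strip('"').encode() in pkt.payload   # plain substring only
        elif key == "dsize":
            ok = number_match(arg, len(pkt.payload))
        elif key == "ack":
            ok = number_match(arg, pkt.ack_num)
        elif key == "window":
            ok = number_match(arg, pkt.window)
        elif key == "flags":
            ok = bits_match(arg, pkt.tcp_flags, TCP_BITS)
        elif key == "fragbits":
            ok = bits_match(arg, pkt.frag_flags, FRAG_BITS)
        else:
            continue   # msg, reference, classtype, sid, rev carry no match condition
        if not ok:
            return False
    return True


def duplicate_sids(rules):
    """sid values shared by more than one rule; each rule needs its own sid before loading."""
    seen = {}
    for r in rules:
        for key, arg in parse_rule(r)[1]:
            if key == "sid":
                seen[arg] = seen.get(arg, 0) + 1
    return sorted(s for s, n in seen.items() if n > 1)


def demo():
    """Constructed packets exercised against the two rules."""
    null_probe = Packet(payload=b"", ack_num=0, tcp_flags=0x00, window=2048)
    ece_probe = Packet(payload=b"", ack_num=0, tcp_flags=0x40, window=2048)  # reserved bit set
    ack_push = Packet(payload=b"", ack_num=0, tcp_flags=0x18, window=2048)   # exactly A+P
    normal_ack = Packet(payload=b"", ack_num=4242, tcp_flags=0x10, window=2048)
    xfdf_reply = Packet(  # an ordinary, legitimate HTTP response carrying the XFDF type
        payload=b"HTTP/1.1 200 OK\r\nContent-Type: application/vnd.adobe.xfdf\r\n\r\n<xfdf/>",
        ack_num=1, tcp_flags=0x18)
    return {
        "null_probe": rule_matches(RULES[0], null_probe),   # True
        "ece_probe": rule_matches(RULES[0], ece_probe),     # True: mask ",12" hides the reserved bit
        "ack_push": rule_matches(RULES[0], ack_push),       # False: flags are exactly A+P
        "normal_ack": rule_matches(RULES[0], normal_ack),   # False: ack number is non-zero
        "xfdf_reply": rule_matches(RULES[1], xfdf_reply),   # True, even for a benign download
        "dup_sids": duplicate_sids(RULES),                  # ['99999']
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it prints one line per case; the xfdf_reply case is the one to look at when judging the second rule, and dup_sids reminds that the placeholder sid must be replaced with a unique value before either rule is loaded alongside the other.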



	
		