[Snort-sigs] SID: 2329 - probable false positive

Matthew Watchinski mwatchinski at ...435...
Wed Jun 2 08:14:10 EDT 2004


Interesting....  I'd suggest setting your SQL_SERVERS var to reduce the 
possibility of this false positive.

Cheers,
-matt

Domain Admin wrote:
> Hi,
> 
> I've observed a false positive on SID 2329 (MS-SQL probe response overflow
> attempt) - the vulnerability that is linked to MyDoom.
> 
> It seems to be triggered by a multiplayer game - took me a while to track that
> one down, until I noticed it was only at certain times of the day!  The game in
> question is a beta, "Joint Operations" by Novalogic.
> 
> Anyway, while this game is running, every now and then, Snort flags it up as
> hitting this signature.  A matching piece of data seems to come up every 3-5
> minutes and is UDP traffic between ports that are static for the duration of
> the game (both server and client).
> 
> Attached are a couple of pages from ACID with the packet details. If anybody needs
> more details, please e-mail me direct (not on the list).
> 
> Regards,
> 
> 
> 
> ------------------------------------------------------------------------
> 
> 
> ACID alert detail (queried DB on Mon May 31, 2004 12:04:55)
> Signature: MS-SQL probe response overflow attempt
>   [bugtraq <http://www.securityfocus.com/bid/9407>]
>   [cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0903>]
>   [icat <http://icat.nist.gov/icat.cfm?cvename=CAN-2003-0903>]
>   [snort <http://www.snort.org/snort-db/sid.html?sid=2329>]
> 
> *Alert #1*
> 
> --------------------------------------------------------------------------------
> Meta
>   ID #: 1 - 32
>   Time: 2004-05-29 23:53:51
>   Triggered Signature: MS-SQL probe response overflow attempt (SID 2329)
> 
> Sensor
>   name: 192.168.4.3   interface: eth1   filter: /none/
> 
> Alert Group: /none/
> 
> IP
>   source addr: 38.119.64.202   dest addr: 192.168.4.3
>   Ver: 4   Hdr Len: 5   TOS: 0   length: 805   ID: 30459   flags: 0   offset: 0
>   TTL: 113   chksum: 41952
>   FQDN: source /Unable to resolve address/   dest /Unable to resolve address/
>   Options: /none/
> 
> UDP
>   source port: 32768   dest port: 43351   length: 785
> 
> Payload 	
> 
>  length = 777
> 
> 000 : 05 63 6D AE 82 E0 7D 89 0D E6 57 B9 E9 D3 5C DC   .cm...}...W...\.
> 010 : 5C 16 3F 05 DE 65 E5 15 97 EB 6C B7 98 62 90 70   \.?..e....l..b.p
> 020 : A9 7E 9C 3E 8E EE 9E C3 2C 1E 5B B5 B5 24 B0 A4   .~.>....,.[..$..
> 030 : 1F 2B BD 03 06 65 17 54 4E 20 5A B2 C3 85 5E 87   .+...e.TN Z...^.
> 040 : 02 D4 EC A1 B9 1F CA AB 7E B9 49 AF B8 17 EB 5C   ........~.I....\
> 050 : 78 0D 82 7E AD 1C E8 0C 9F 77 D6 82 2B A8 63 50   x..~.....w..+.cP
> 060 : 05 AB 47 EC D4 62 83 ED 27 EE 8D 2E B4 4B 65 3B   ..G..b..'....Ke;
> 070 : A6 0F 61 C3 C0 E5 6B 65 01 9F C6 66 79 C1 66 8A   ..a...ke...fy.f.
> 080 : 51 2E 92 C6 CE 4B F7 F5 B7 B0 64 F1 D7 85 16 E7   Q....K....d.....
> 090 : 44 03 4B D9 9C B7 45 73 38 07 3A D9 B2 16 B9 AC   D.K...Es8.:.....
> 0a0 : BE 2D 75 DA D5 5B BC FE C4 33 41 6E B8 C0 32 13   .-u..[...3An..2.
> 0b0 : 95 2C FF 8C 8C FA B8 A8 F4 F3 26 AC 7D 37 E9 19   .,........&.}7..
> 0c0 : 70 5D 9A E1 DB 8B 45 1F B8 2E 53 0B 22 E3 AF 8B   p]....E...S."...
> 0d0 : 1F C4 EC C0 C3 E9 91 C3 44 9D 14 C5 FD 5A 01 42   ........D....Z.B
> 0e0 : DD 7E 97 2C 07 9B F9 8C 71 EC 56 31 84 DB AC DB   .~.,....q.V1....
> 0f0 : 34 F8 2A BD DF 42 71 FE 54 43 55 17 38 F1 29 27   4.*..Bq.TCU.8.)'
> 100 : 8D 0C C0 A1 80 2E 51 0D E3 88 F8 B1 AC 71 C4 FD   ......Q......q..
> 110 : 57 3D 86 5F BD 13 B8 C7 96 85 3D 39 2B A8 CA 48   W=._......=9+..H
> 120 : FE 31 B7 F8 2B F2 8A 97 E3 FF 36 DE 9A FA AE 25   .1..+.....6....%
> 130 : E7 F0 32 F0 E0 1D 16 51 B1 96 B9 CD 4D 21 C5 17   ..2....Q....M!..
> 140 : 5C 91 F7 56 67 CA A6 B9 45 D5 77 1E F5 03 D3 DF   \..Vg...E.w.....
> 150 : 8C 78 AF 3E 4F 90 10 5F A1 A6 57 B4 DB 90 2E FB   .x.>O.._..W.....
> 160 : CE A9 08 A0 8A C9 E3 FB 81 71 D4 36 0B 69 06 1E   .........q.6.i..
> 170 : BF 9F 6C 03 4E 1F A4 D2 69 90 5F 32 79 BB BB C6   ..l.N...i._2y...
> 180 : 3F 19 4B 91 AE 42 0C 1D 29 1C 5B 41 39 72 A0 22   ?.K..B..).[A9r."
> 190 : 81 54 AC CE C0 A2 2F 87 91 00 0C BD C9 07 7F B0   .T..../........
> 1a0 : E1 FA 68 2A 7C 8B 4C 67 D1 7D 8B FF 3F BD B1 7E   ..h*|.Lg.}..?..~
> 1b0 : 03 5C B5 DB 99 37 B5 98 E8 08 66 69 A3 FD D9 4C   .\...7....fi...L
> 1c0 : 29 00 91 1D 2A 98 D7 41 58 9D 42 70 DB D3 A7 31   )...*..AX.Bp...1
> 1d0 : 56 61 18 AE C0 2F B5 C4 35 11 73 16 C4 52 E8 17   Va.../..5.s..R..
> 1e0 : 68 6A D9 91 3E 57 21 3C D5 F4 D7 D8 62 D3 66 77   hj..>W!<....b.fw
> 1f0 : 38 05 3F 09 D5 2B E3 11 9A 73 37 E8 E7 1C 11 59   8.?..+...s7....Y
> 200 : 40 A2 E5 6A 8C B9 3F 8B D3 D7 48 1D 9F 06 A3 D3   @..j..?...H.....
> 210 : 9B 36 A2 C6 BA 79 8D F9 5B 67 75 ED E4 54 44 34   .6...y..[gu..TD4
> 220 : CA 05 25 C3 D8 E2 7C AB EF B7 E3 96 D9 EF ED 02   ..%...|.........
> 230 : 91 30 B2 FB EC 33 1C 51 00 8E A5 4B F9 F3 FC D0   .0...3.Q...K....
> 240 : 58 F7 D7 0C 90 C8 89 8F 16 EA 32 DE F8 54 7E 4D   X.........2..T~M
> 250 : 7F 7C A0 35 1A 6E 0C 17 D2 DA 6F A5 4A B1 7A A4   |.5.n....o.J.z.
> 260 : 1A FF E7 80 E5 E3 DC E9 7C C2 53 FF FF 69 2A 25   ........|.S..i*%
> 270 : 5F 95 C9 A2 02 77 30 29 A0 8F FF A8 9D EF 95 CA   _....w0)........
> 280 : 50 3D E8 E6 8A 4A 76 C9 31 89 9F 5C 36 9A 1C 51   P=...Jv.1..\6..Q
> 290 : A7 57 E3 C0 7C BF 68 9F EF 1C 35 C4 BF E1 A8 03   .W..|.h...5.....
> 2a0 : CF 15 44 BB C4 4B 1A 10 A6 70 CA 8A 30 AB 9B 91   ..D..K...p..0...
> 2b0 : D7 DE 4C A5 7D 98 F4 DD 42 19 37 F1 02 30 A3 CC   ..L.}...B.7..0..
> 2c0 : 9B 74 81 26 16 9C 6A 59 CE A6 CB 23 71 D0 A5 49   .t.&..jY...#q..I
> 2d0 : E7 DE DB D3 94 CB CE E2 44 67 64 41 DF 44 3A 2C   ........DgdA.D:,
> 2e0 : BB 43 74 0C 4E 9A 87 76 24 B7 E8 B7 65 FE AF C3   .Ct.N..v$...e...
> 2f0 : 37 EB 1B 17 9B 68 EF 00 9A 27 C3 34 BE B4 12 AB   7....h...'.4....
> 300 : 48 51 70 C7 20 17 B6 C6 15                        HQp. ....
> 
> 
> ACID v0.9.6b20-5.1 ( by Roman Danyliw <mailto:roman at ...2426...> as part of the 
> AirCERT <http://www.cert.org/kb/aircert/> project )
> 
> 
> 
> ------------------------------------------------------------------------
> 
> 
> ACID alert detail (queried DB on Mon May 31, 2004 12:06:41)
> Signature: MS-SQL probe response overflow attempt (SID 2329)
> 
> *Alert #31*
> 
> --------------------------------------------------------------------------------
> Meta
>   ID #: 1 - 66
>   Time: 2004-05-30 11:12:31
>   Triggered Signature: MS-SQL probe response overflow attempt (SID 2329)
> 
> Sensor
>   name: 192.168.4.3   interface: eth1   filter: /none/
> 
> Alert Group: /none/
> 
> IP
>   source addr: 217.154.121.209   dest addr: 192.168.4.3
>   Ver: 4   Hdr Len: 5   TOS: 0   length: 788   ID: 31327   flags: 0   offset: 0
>   TTL: 123   chksum: 43618
>   FQDN: source /Unable to resolve address/   dest /Unable to resolve address/
>   Options: /none/
> 
> UDP
>   source port: 32769   dest port: 57453   length: 768
> 
> Payload 	
> 
>  length = 760
> 
> 000 : 05 FB 30 01 83 AA BF A3 5C 6A 50 6D 3F C1 DB E2   ..0.....\jPm?...
> 010 : D6 E2 85 DE E8 70 97 85 84 98 21 2E 51 BD B7 A3   .....p....!.Q...
> 020 : D5 17 AF AF CE 66 7B 52 92 32 E6 34 29 C3 EA CF   .....f{R.2.4)...
> 030 : 39 AC 91 A0 98 40 13 1F E7 EC F8 BF EB 57 63 A4   9....@.......Wc.
> 040 : 28 3C B6 79 07 1C D0 FB BC C9 FE B1 CE 3C 08 87   (<.y.........<..
> 050 : 3B 7B 8D 3B 83 D3 B4 CF 9C AB 93 F8 17 4F 3D 51   ;{.;.........O=Q
> 060 : 00 34 B8 C0 76 67 36 96 C8 2A F1 14 A2 E3 C0 53   .4..vg6..*.....S
> 070 : EF D9 46 06 1E 99 5C B5 58 BA 67 25 5E 53 E9 37   ..F...\.X.g%^S.7
> 080 : D6 BC 2C 3C FE 64 3B 49 45 69 9C 43 6B F0 DE 22   ..,<.d;IEi.Ck.."
> 090 : 3A 9C 03 4A B3 4C 05 49 D0 D0 86 3C 43 ED 34 11   :..J.L.I...<C.4.
> 0a0 : A3 91 81 97 D1 41 0D 0E CB D4 47 E8 D2 F3 A8 09   .....A....G.....
> 0b0 : 83 51 BC 37 4D 6F 49 45 EE 57 65 D0 2B 54 7A D1   .Q.7MoIE.We.+Tz.
> 0c0 : F5 FE B0 C2 45 F2 98 7F A6 8F 30 DD D0 62 63 7F   ....E....0..bc
> 0d0 : 68 41 99 6E E2 B2 87 E1 20 A0 18 C0 E9 44 34 44   hA.n.... ....D4D
> 0e0 : CF C7 F4 8F 5F 6D B3 B8 6E 51 D6 8B AB 46 F9 91   ...._m..nQ...F..
> 0f0 : F9 EB 2D EC DD 7F 5D 96 15 61 86 CD 6D 3F B5 A8   ..-..]..a..m?..
> 100 : 5E 23 8B B2 CF CF 20 34 A6 38 8F 89 EF 04 C2 DA   ^#.... 4.8......
> 110 : 2D BC 01 C9 F4 5F 3A C7 CD B7 C0 87 63 C1 27 F2   -...._:.....c.'.
> 120 : 3D 3A 7F B9 7A F4 F6 65 32 5A 8B 1E 49 4D 71 D0   =:.z..e2Z..IMq.
> 130 : 7A 25 77 50 C4 C4 12 D0 45 3A D1 38 09 5E 1A F1   z%wP....E:.8.^..
> 140 : A3 5C 92 51 93 86 35 34 DC D6 9B 84 E7 87 28 3E   .\.Q..54......(>
> 150 : E0 02 9B 86 B2 8E AD 58 7E F1 D9 C2 53 4B 33 81   .......X~...SK3.
> 160 : DF BA 86 0D 73 CF B1 FA 88 8C C3 53 77 3F EF 84   ....s......Sw?..
> 170 : 17 6C B8 8C 01 D6 77 67 07 6E 06 65 46 E6 C0 C2   .l....wg.n.eF...
> 180 : BC B9 0E F4 03 8B 6D A0 29 18 8F 71 A1 A9 2A 4F   ......m.)..q..*O
> 190 : 12 9D D8 D1 6D 55 C5 5F 15 E6 2A 29 65 A0 BA E8   ....mU._..*)e...
> 1a0 : B3 1B E7 B7 CD 4F E4 09 FA 4F 9E 48 F9 34 CD 7D   .....O...O.H.4.}
> 1b0 : 33 73 BB 78 8E 25 11 5F 3A E1 4E DA 7E 57 49 B5   3s.x.%._:.N.~WI.
> 1c0 : 53 47 F0 6B 1C AD 0D 12 B2 1C 84 E6 FA 5E 4C 68   SG.k.........^Lh
> 1d0 : 5C 4A A8 AE 2E BD E2 05 53 8E D8 78 86 20 74 E9   \J......S..x. t.
> 1e0 : B5 52 BD 6E 73 95 98 F1 60 83 BF 66 6D 42 21 94   .R.ns...`..fmB!.
> 1f0 : D9 E5 4D 13 4D 5D 83 DD 79 4D A2 DD FD 10 82 6E   ..M.M]..yM.....n
> 200 : 1B A2 4A 11 2D 89 69 63 FD 53 5C 12 84 73 E3 17   ..J.-.ic.S\..s..
> 210 : AF 3F 08 C0 D2 54 3E 49 61 48 BE 9A 83 BF 67 BB   .?...T>IaH....g.
> 220 : 94 E4 C4 C3 D0 17 29 75 02 CD 1D 10 39 BE 2E BB   ......)u....9...
> 230 : 37 3F C2 71 71 71 8E 5B A4 EB B5 94 99 9A EF 9B   7?.qqq.[........
> 240 : 2F 44 C2 65 83 DC B2 E1 86 CD 28 CE F6 95 97 CE   /D.e......(.....
> 250 : 97 8A 33 15 76 D7 AB 1D B6 63 E5 C8 CD 55 9B 39   ..3.v....c...U.9
> 260 : 2C 29 D4 EC 16 95 67 B4 CC 81 6D 79 EF 2C 9D 9C   ,)....g...my.,..
> 270 : CC F0 48 B8 D6 71 7E E2 82 E6 D3 83 97 FB EC 12   ..H..q~.........
> 280 : 88 CA 3A F5 B3 B8 3C BE 30 AC A8 E1 4D 4C C9 B9   ..:...<.0...ML..
> 290 : 70 97 D5 96 6D 46 14 74 2D 0E 7B 0E ED 5A 53 51   p...mF.t-.{..ZSQ
> 2a0 : 36 04 23 5E 93 4B 1F 59 F0 E2 87 8A 31 7D 6F 97   6.#^.K.Y....1}o.
> 2b0 : 78 86 D0 92 AA EA 11 8A 37 94 1E 3C 41 74 1C 7C   x.......7..<At.|
> 2c0 : 1E 0B A6 75 6A 22 54 18 BD C5 CE CA D6 75 5B 40   ...uj"T......u[@
> 2d0 : DD F7 8A F6 5B 90 E0 74 57 6D EF 85 80 48 6F 8C   ....[..tWm...Ho.
> 2e0 : 17 8C 9A 57 39 F4 83 E2 41 EA 24 3E 04 32 B9 4C   ...W9...A.$>.2.L
> 2f0 : E1 D0 14 88 0B 3A DA B9                           .....:..
> 
> 
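A worked version of the tuning Matt suggests, added here as an example; it is not code from the post, from Snort or from ACID. It rebuilds the UDP payloads from the two ACID hex dumps quoted above and shows which of the two alerts would survive a narrowed SQL_SERVERS variable. The content check inside it is an approximation of what SID 2329 tests (a leading 0x05 SSRP-response byte and a 16-bit length field at offset 1 larger than 512, read big-endian as Snort's byte_test does by default) and is an assumption, not the rule text; the HOME_NET value 192.168.4.0/24 and the "real" SQL host 192.168.4.10 are made up for the sensor in the post, and the source-port-1434 knob is an extra tightening the thread does not mention.

```python
# Added example for this thread; not code from the list post, Snort or ACID.
# Assumptions (not facts from the thread): looks_like_oversized_ssrp_response()
# approximates the SID 2329 content test; 192.168.4.0/24 as HOME_NET and
# 192.168.4.10 as the real SQL host are made-up values for the sensor above.
import ipaddress
import re
import struct

# Constructed sample: the first rows of the two ACID dumps quoted above (the
# full payloads were 777 and 760 bytes; the checks below only need the head).
ALERT_1_DUMP = r"""
000 : 05 63 6D AE 82 E0 7D 89 0D E6 57 B9 E9 D3 5C DC   .cm...}...W...\.
010 : 5C 16 3F 05 DE 65 E5 15 97 EB 6C B7 98 62 90 70   \.?..e....l..b.p
"""
ALERT_2_DUMP = r"""
000 : 05 FB 30 01 83 AA BF A3 5C 6A 50 6D 3F C1 DB E2   ..0.....\jPm?...
010 : D6 E2 85 DE E8 70 97 85 84 98 21 2E 51 BD B7 A3   .....p....!.Q...
020 : D5 17 AF AF CE 66 7B 52 92 32 E6 34 29 C3 EA CF   .....f{R.2.4)...
030 : 39 AC 91 A0 98 40 13 1F E7 EC F8 BF EB 57 63 A4   9.... at ...2531...
"""

_ROW = re.compile(r"^([0-9A-Fa-f]{3,})\s*:\s*(.+)$")


def parse_acid_payload(dump: str) -> bytes:
    """Rebuild a raw payload from an ACID 'Payload' hex dump.

    Rows look like '<offset> : <hex bytes>   <ascii column>'. Only the hex
    column is used; the ASCII column is ignored because list archivers
    mangle it (the ' at ...' in the 030 row above is where a 0x40 '@' was).
    """
    out = bytearray()
    for line in dump.splitlines():
        m = _ROW.match(line.lstrip("> \t"))  # tolerate '> ' quote prefixes
        if not m:
            continue
        hex_col = re.split(r"\s{2,}", m.group(2).rstrip(), maxsplit=1)[0]
        out += bytes.fromhex(hex_col)
    return bytes(out)


def looks_like_oversized_ssrp_response(payload: bytes, limit: int = 512) -> bool:
    """Approximation (assumption) of the SID 2329 content test: SSRP response
    marker 0x05, then a 16-bit length field larger than `limit`."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    (declared,) = struct.unpack_from(">H", payload, 1)
    return declared > limit


def parse_snort_var(value: str):
    """'[192.168.4.0/24,10.0.0.0/8]' or '192.168.4.10/32' -> list of networks.
    Negated entries ('!host') are not handled here."""
    return [ipaddress.ip_network(x.strip(), strict=False)
            for x in value.strip("[]").split(",") if x.strip()]


def would_alert(alert: dict, sql_servers: str, require_src_port_1434: bool = False) -> bool:
    """Replay the rule header ($SQL_SERVERS scope, optional source-port
    pinning) and then the content test against one reconstructed alert."""
    dst = ipaddress.ip_address(alert["dst"])
    if not any(dst in net for net in parse_snort_var(sql_servers)):
        return False
    if require_src_port_1434 and alert["sport"] != 1434:  # SSRP answers come from udp/1434
        return False
    return looks_like_oversized_ssrp_response(alert["payload"])


# The two alerts from the ACID pages, addresses and ports as shown there.
ALERTS = [
    {"src": "38.119.64.202", "sport": 32768, "dst": "192.168.4.3", "dport": 43351,
     "payload": parse_acid_payload(ALERT_1_DUMP)},
    {"src": "217.154.121.209", "sport": 32769, "dst": "192.168.4.3", "dport": 57453,
     "payload": parse_acid_payload(ALERT_2_DUMP)},
]

HOME_NET = "192.168.4.0/24"                 # assumed $HOME_NET for this sensor
SQL_SERVERS_DEFAULT = HOME_NET              # stock snort.conf: var SQL_SERVERS $HOME_NET
SQL_SERVERS_NARROWED = "[192.168.4.10/32]"  # hypothetical real SQL host; the game box is .3


def tuning_summary() -> dict:
    """Which of the two alerts survive each tuning knob."""
    return {
        "default": [would_alert(a, SQL_SERVERS_DEFAULT) for a in ALERTS],
        "narrowed_sql_servers": [would_alert(a, SQL_SERVERS_NARROWED) for a in ALERTS],
        "src_port_1434_only": [would_alert(a, SQL_SERVERS_DEFAULT, True) for a in ALERTS],
    }


if __name__ == "__main__":
    for knob, hits in tuning_summary().items():
        print(f"{knob:22s} {hits}")
```

With the stock `var SQL_SERVERS $HOME_NET` both game packets hit (they are addressed to 192.168.4.3, which is inside HOME_NET, and both payloads start with 0x05 followed by a large 16-bit value); with SQL_SERVERS narrowed to the hosts that actually run SQL Server, neither does, which is the whole of Matt's suggestion. If the game box genuinely has to stay inside SQL_SERVERS, a per-source `suppress gen_id 1, sig_id 2329, track by_src, ip 38.119.64.202` in threshold.conf (on a Snort 2.x build that has event suppression) is the narrower alternative.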




