[Snort-sigs] New Bleeding rules submitted

Matthew Watchinski mwatchinski at ...435...
Tue Jun 29 09:20:03 EDT 2004


Not to nit pick but a couple suggestions.

1. When using | hex | representation in rules separate them out.

i.e. | 00000001 | is easier to read as | 00 00 00 01 |

2. When adding references for things that detect specific protocols, 
reference the protocol documentation.  Not an analysis of the protocol 
by a 3rd party.   There are a number of good sources for p2p 
documentation.  www.efarm-project.net has a very comprehensive doc on 
the ed2k 3.1 protocol.

3. Don't write rules for specific exploits when functionality for 
detecting the vulnerability exists.

i.e. sid:2000329 is not a good idea as the attacker can change a to b or c 
or d and it will have the same effect.  I haven't looked at DCC traffic 
on the wire in a while but I would assume that some pcre or some 
isdataat would find this vulnerability every time no matter what 
characters I send.

Remember to locate the triggering conditions.  Since 2000329 doesn't have a 
reference I can't look up the vuln to figure out the triggering 
conditions, but I'm assuming they are:
1. DCC SEND command
2. Some number of characters

So look for just that.  Find the DCC SEND, then figure out how to count 
the number of bytes between the filename terminator.  Alert when the 
count is greater than X.

4. Don't allow rules without references..... bad bad bad bad. 

5. Don't use the flags keyword if you don't have to.

6. Always try and use a flow statement when dealing with stateful things.

7. Never use any any -> any any if you can avoid it.

8. Always use variables like $HOME_NET and $EXTERNAL_NET in your rules.

9.  alert tcp any 6667 -> $HOME_NET any (msg:"BLEEDING-EDGE mIRC <=6.11 
DCC Buffer Overflow"; flow:to_client, established; content:DCC SEND "a a 
a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
a a a a a a a a a a a a a a a a a a a a a a a a"; nocase; 
classtype:attempted-dos; priority:2; sid:2000329; rev:1; )

content is always enclosed in quotes.  This rule will probably not work 
correctly at all.

should be content:"DCC SEND lots of a's";

10. Setting a priority in a rule that is different than the classtype is 
not generally accepted practice.  No one ever agrees on the priority of 
any event, leave that up to the end user, and leave priority out of the 
rule :)

Hope I'm not too big a nit pick, and I hope that the above is useful.

Cheers,
-matt
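The threshold check described in point 3 (find the DCC SEND, measure the argument field, alert when it exceeds X), written out as an added stand-alone Python detector; this is not code from the post or from the Bleeding rules. The CTCP framing, the sample lines and the MAX_ARG_LEN threshold are my assumptions, not values taken from the vulnerability.

```python
"""Added example: length-based DCC SEND detection over sample IRC lines.

Assumed (not from the post): a DCC SEND travels inside a CTCP PRIVMSG as
"\x01DCC SEND <file> <ip> <port> [size]\x01"; MAX_ARG_LEN is a placeholder
for the real threshold X, which the post does not give.
"""
import re

MAX_ARG_LEN = 64  # assumed threshold "X"; set from the real vuln details

# Everything after "DCC SEND " up to the closing \x01 (or end of line) is the
# field the rule should measure, regardless of which characters fill it.
_DCC_SEND = re.compile(rb"DCC SEND (?P<args>[^\x01\r\n]*)", re.IGNORECASE)


def dcc_send_arg_len(line: bytes):
    """Byte length of the DCC SEND argument field, or None if no DCC SEND."""
    m = _DCC_SEND.search(line)
    if m is None:
        return None
    return len(m.group("args"))


def is_suspicious(line: bytes, limit: int = MAX_ARG_LEN) -> bool:
    """Alert on any DCC SEND whose argument field is longer than the limit.
    The filler characters are never inspected, so "a a a", "b b b" or
    random bytes all trigger the check equally."""
    n = dcc_send_arg_len(line)
    return n is not None and n > limit


def scan(lines):
    """Run the check over a list of lines; return the indices that alert."""
    return [i for i, l in enumerate(lines) if is_suspicious(l)]


# Constructed sample traffic: a normal DCC offer, an oversized one padded
# with "a"s, the same padded with "b"s, and an unrelated PRIVMSG.
SAMPLE = [
    b":nick!user@host PRIVMSG me :\x01DCC SEND notes.txt 3232235777 1234 512\x01",
    b":nick!user@host PRIVMSG me :\x01DCC SEND " + b"a " * 100 + b"3232235777 1234\x01",
    b":nick!user@host PRIVMSG me :\x01DCC SEND " + b"b " * 100 + b"3232235777 1234\x01",
    b":nick!user@host PRIVMSG me :hello there",
]

if __name__ == "__main__":
    for i in scan(SAMPLE):
        print(f"alert: line {i}, DCC SEND args = {dcc_send_arg_len(SAMPLE[i])} bytes")
```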

Matthew Jonkman wrote:

> A number of new submissions today, from Chich Thierry and Sykes. 
> Thanks for your effort gentlemen. There are posted to bleeding.rules 
> now, they do not cause issues. Please let us know about their 
> accuracy. And keep the sigs coming.
>
> # By Chich Thierry
> alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k connection 
> to server"; content:"|e3|"; offset:0; depth:1; content:"|00000001|"; 
> offset:2; depth:4; classtype:policy-violation; 
> reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 
> 1; sid:2000330;)
> alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k file 
> search"; content:"|e3|"; offset:0; depth:1; content:"|00000016|"; 
> offset:2; depth:4; classtype:policy-violation; 
> reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 
> 1; sid:2000331;)
> alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k request 
> part"; content:"|e3|"; offset:0; depth:1; content:"|00000047|"; 
> offset:2; depth:4; classtype:policy-violation; 
> reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 
> 1; sid:200332;)
> alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k file request 
> answer"; content:"|e3|"; offset:0; depth:1; content:"|00000059|"; 
> offset:2; depth:4; classtype:policy-violation; 
> reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 
> 1; sid:3000333;)
> alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P BitTorrent peer 
> sync"; content:"|0000000d0600|"; offset:0; depth:12; flags:PA; 
> classtype:policy-violation; rev:1; sid:2000334;)
>
> # From Syke at ...2593...
> alert tcp any 6667 -> $HOME_NET any (msg:"BLEEDING-EDGE mIRC <=6.11 
> DCC Buffer Overflow"; flow:to_client, established; content:DCC SEND "a 
> a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
> a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
> a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
> a a a a a a a a a a a a a a a a a a a a a a a a a a a a"; nocase; 
> classtype:attempted-dos; priority:2; sid:2000329; rev:1; )
>
> Matt
>
>