[Snort-sigs] New Bleeding rules submitted

Matthew Jonkman matt at ...2436...
Tue Jun 29 19:32:00 EDT 2004


Thanks very much for the suggestions Matt. I don't know anything about 
the original exploit, so I'll leave the rules up as posted for a bit.

Syke, if you could update them I'd appreciate it. The pcre rules to get 
any set of overflow characters is gonna be key.

Thanks

Matt

Matthew Watchinski wrote:

> Not to nit pick but a couple suggestions.
> 
> 1. When using | hex | representation in rules separate them out.
> 
> IE  | 00000001 | is easier to read as | 00 00 00 01 |
> 
> 2. When adding references for things that detect specific protocols, 
> reference the protocol documentation.  Not an analysis of the protocol 
> by a 3rd party.   There are a number of good sources for p2p 
> documentation.  www.efarm-project.net has a very comprehensive doc on 
> the ed2k 3.1 protocol.
> 
> 3. Don't write rules for specific exploits when functionality for 
> detecting the vulnerability exists.
> 
> IE sid:2000329 is not a good idea as the attacker can change a to b or c 
> or d and it will have the same effect.  I haven't looked at DCC traffic 
> on the wire in a while but I would assume that some pcre or some 
> isdataat would find this vulnerability every time no matter what 
> characters i send.
> 
> Remember to locate the triggering conditions.  Since 2000329 doesn't have a 
> reference I can't look up the vuln to figure out the triggering 
> conditions but I'm assuming they are:
> 1. DCC SEND command
> 2. Some number of characters
> 
> So look for just that.  Find the DCC SEND, then figure out how to count 
> the number of bytes before the filename terminator.  Alert when the 
> count is greater than X.
> 
> 4. Don't allow rules without references..... bad bad bad bad.
> 5. Don't use the flags keyword if you don't have to.
> 
> 6. Always try and use a flow statement when dealing with stateful things.
> 
> 7. Never use any any -> any any if you can avoid it.
> 
> 8. Always use variables like $HOME_NET and $EXTERNAL_NET in your rules
> 
> 9.  alert tcp any 6667 -> $HOME_NET any (msg:"BLEEDING-EDGE mIRC <=6.11 
> DCC Buffer Overflow"; flow:to_client, established; content:DCC SEND "a a 
> a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
> a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
> a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
> a a a a a a a a a a a a a a a a a a a a a a a a"; nocase; 
> classtype:attempted-dos; priority:2; sid:2000329; rev:1; )
> 
> content is always enclosed in quotes.  This rule will probably not work 
> correctly at all.
> 
> should be content:"DCC SEND lots of a's";
> 
> 10. Setting a priority in a rule that is different than the classtype is 
> not generally accepted practice.  No one ever agrees on the priority of 
> any event, leave that up to the end user, and leave priority out of the 
> rule :)
> 
> Hope I'm not too big a nitpick, and I hope the above is useful.
> 
> Cheers,
> -matt
> 
> Matthew Jonkman wrote:
> 
>> A number of new submissions today, from Chich Thierry and Sykes. 
>> Thanks for your effort gentlemen. They are posted to bleeding.rules 
>> now, they do not cause issues. Please let us know about their 
>> accuracy. And keep the sigs coming.
>>
>> # By Chich Thierry
>> alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k connection 
>> to server"; content:"|e3|"; offset:0; depth:1; content:"|00000001|"; 
>> offset:2; depth:4; classtype:policy-violation; 
>> reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 
>> 1; sid:2000330;)
>> alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k file 
>> search"; content:"|e3|"; offset:0; depth:1; content:"|00000016|"; 
>> offset:2; depth:4; classtype:policy-violation; 
>> reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 
>> 1; sid:2000331;)
>> alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k request 
>> part"; content:"|e3|"; offset:0; depth:1; content:"|00000047|"; 
>> offset:2; depth:4; classtype:policy-violation; 
>> reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 
>> 1; sid:200332;)
>> alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P ed2k file request 
>> answer"; content:"|e3|"; offset:0; depth:1; content:"|00000059|"; 
>> offset:2; depth:4; classtype:policy-violation; 
>> reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; rev: 
>> 1; sid:3000333;)
>> alert tcp any any -> any any (msg:"BLEEDING-EDGE P2P BitTorrent peer 
>> sync"; content:"|0000000d0600|"; offset:0; depth:12; flags:PA; 
>> classtype:policy-violation; rev:1; sid:2000334;)
>>
>> # From Syke at ...2593...
>> alert tcp any 6667 -> $HOME_NET any (msg:"BLEEDING-EDGE mIRC <=6.11 
>> DCC Buffer Overflow"; flow:to_client, established; content:DCC SEND "a 
>> a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
>> a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
>> a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a 
>> a a a a a a a a a a a a a a a a a a a a a a a a a a a a"; nocase; 
>> classtype:attempted-dos; priority:2; sid:2000329; rev:1; )
>>
>> Matt
>>
>>
>> -------------------------------------------------------
>> This SF.Net email sponsored by Black Hat Briefings & Training.
>> Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital 
>> self defense, top technical experts, no vendor pitches, unmatched 
>> networking opportunities. Visit www.blackhat.com
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
> 
> 
> 
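Added example, not part of the thread and not Syke's or Bleeding Edge's code: a small Python model of point 3 above (detect the vulnerability, not the exploit). It runs two checks over constructed CTCP PRIVMSG lines: one that mirrors the posted sid:2000329 and only fires on the literal "a a a ..." payload, and one that locates the triggering conditions instead (a DCC SEND whose filename argument is too long before its terminator) and therefore still fires when the attacker swaps 'a' for 'b' or sends an unquoted filename. The 200-byte threshold, the sample IRC lines, the hostnames and addresses, and the SUGGESTED_RULE text (the same regex as a Snort 2.x pcre option) are assumptions made for the demonstration, since the thread gives neither the overflow length nor a reference for the bug.

```python
"""Exploit-specific vs vulnerability-oriented detection of a DCC SEND overflow.

Added example, not from the thread.  Instead of matching the literal
"a a a ..." payload of the posted rule, locate the triggering conditions (a
DCC SEND whose filename argument is too long) and alert on those.
"""
import re

# ASSUMPTION: the thread never states the overflow length for mIRC <= 6.11,
# so 200 bytes is a placeholder threshold chosen for this demonstration.
OVERFLOW_LEN = 200

# Exploit-specific check, modelled on the posted sid:2000329: fires only on a
# quoted filename that starts with a literal run of space-separated 'a's.
EXPLOIT_SPECIFIC = re.compile(r'DCC SEND "a( a){7,}', re.IGNORECASE)

# Vulnerability-oriented check: after "DCC SEND ", the filename is either a
# double-quoted string or a bare token ending at the next space.  Alert when
# OVERFLOW_LEN or more bytes appear before that terminator, whatever they are.
VULN_ORIENTED = re.compile(
    r'DCC SEND (?:"[^"]{%d,}|[^ "]{%d,})' % (OVERFLOW_LEN, OVERFLOW_LEN),
    re.IGNORECASE,
)

# The same logic as a Snort 2.x rule body (illustrative text written for this
# example, not a rule from the thread).  \x22 is the double quote, used because
# a bare quote cannot sit inside a rule option string; no priority is set and
# the rev is bumped because this would replace sid 2000329.
SUGGESTED_RULE = (
    'alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any ('
    'msg:"BLEEDING-EDGE mIRC DCC SEND overlong filename (buffer overflow)"; '
    'flow:to_client,established; content:"DCC SEND"; nocase; '
    'pcre:"/DCC SEND (?:\\x22[^\\x22]{%d,}|[^ \\x22]{%d,})/i"; '
    'classtype:attempted-user; sid:2000329; rev:2;)' % (OVERFLOW_LEN, OVERFLOW_LEN)
)


def dcc_send_filename(line):
    """Return the filename argument of a DCC SEND in an IRC line, or None.

    A quoted filename runs to the closing quote (or to the end of the data if
    the quote never arrives); a bare filename runs to the next space or CTCP
    delimiter.
    """
    m = re.search(r'DCC SEND (?:"([^"]*)"?|([^ \x01\r\n]+))', line, re.IGNORECASE)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def classify(line):
    """Run both checks over one IRC line and report what each one sees."""
    name = dcc_send_filename(line)
    return {
        "filename_len": 0 if name is None else len(name),
        "exploit_specific": bool(EXPLOIT_SPECIFIC.search(line)),
        "vuln_oriented": bool(VULN_ORIENTED.search(line)),
    }


def ctcp_privmsg(dcc_request):
    """Wrap a DCC request in the CTCP PRIVMSG an IRC server relays to the
    client.  The nick, host and address are constructed for the demo."""
    return ":attacker!x@203.0.113.7 PRIVMSG victim :\x01%s\x01\r\n" % dcc_request


# Constructed sample traffic (not captured): a benign transfer, a short quoted
# name, the posted payload, the same payload with 'b', and an overlong bare name.
SAMPLES = {
    "benign": ctcp_privmsg("DCC SEND holiday.jpg 3405803779 1024 524288"),
    "short_quoted": ctcp_privmsg('DCC SEND "my file.txt" 3405803779 1024 4096'),
    "posted_payload": ctcp_privmsg(
        'DCC SEND "%s" 3405803779 1024 1' % " ".join(["a"] * 101)),
    "variant_b": ctcp_privmsg(
        'DCC SEND "%s" 3405803779 1024 1' % " ".join(["b"] * 101)),
    "unquoted_long": ctcp_privmsg("DCC SEND %s 3405803779 1024 1" % ("A" * 250)),
}


if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print("%-15s %s" % (label, classify(line)))
    print(SUGGESTED_RULE)
```

Running the script shows the exploit-specific check firing only on the posted payload, while the length-based check fires on the posted payload, the 'b' variant and the bare 250-byte filename, and stays quiet on the two benign lines. The same effect can be had without pcre by anchoring on the opening quote and asserting that no closing quote appears within the threshold (content:"DCC SEND|20 22|"; isdataat:200,relative; content:!"|22|"; within:200;), at the cost of missing the unquoted form.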