[Snort-sigs] sid: 2486 - false positive and false negatives

Fabio Panigatti ml-panigatti at ...3099...
Fri Jun 24 09:01:35 EDT 2005


Curent Rule
-----------
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (
    msg:"DOS ISAKMP invalid identification payload attempt"; 
    content:"|05|"; depth:1; offset:16;
    byte_test:2,>,4,30; 
    byte_test:2,<,8,30; 
    reference:bugtraq,10004; reference:cve,2004-0184; 
    classtype:attempted-dos; 
    sid:2486; rev:5;
)

False positive
--------------
The ISAKMP datagrams that triggered this alert cannot crash tcpdump.

~$ tcpdump -foobar 2>&1|grep tcpdump\ version
tcpdump version 3.6
                ^^^
~$ tcpdump -nvvvXs0 -r snort.pcap.log.1116667322 port 500
03:23:18.429627 x.x.x.x.500 > x.x.x.x.500 :  [udp sum ok]isakmp 1.0 
msgid 00000000 cookie fe64115c98880034->b2dc42d8a23e2f3f: phase 1 ? 
ident[E]: [|id] [tos 0x38]  (ttl 57, id 17435, len 96)
0x0000   4538 0060 441b 0000 3911 c942                  E8.`D...9.......
0x0010             01f4 01f4 004c 29af fe64 115c        .........L)..d.\
0x0020   9888 0034 b2dc 42d8 a23e 2f3f 0510 0201        ...4..B..>/?....
0x0030   0000 0000 0000 0044 15f4 0006 8fea 4a10        .......D......J.
0x0040   40e5 b26d 133d 1680 5990 43a9 ece2 beeb        @..m.=..Y.C.....
0x0050   3e6a 7076 e3e6 f334 efa3 5cb7 477b 76e1        >jpv...4..\.G{v.

The DoS isn't effective because Identification Payload is encrypted,
so the vulnerable protocol decoding routine does not run. This issue
is not pointed out in known vulnerability advisories. Unfortunately,
the rule (rev: 5) does not check for the "encrypted" flag.

0x0020   9888 0034 b2dc 42d8 a23e 2f3f 0510 0201        ...4..B..>/?....
                                              ^^
Additionally, the "Protocol ID" byte must be >8 to crash tcpdump but
this value isn't checked.

False negative
--------------
The current values for the payload length byte_test checks are wrong.
Tested on tcpdump 3.6.

Conclusions
-----------
The actual rule can alert on ISAKMP datagrams forged by public "poc"
code but not on real world DoS attacks.

Some rare false positives can be avoided with stricter ISAKMP header
checks.

Local fix (with comments)
-------------------------
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (
    msg:"DOS ISAKMP invalid identification payload attempt"; 
    content:"|05|"; depth:1; offset:16;
    byte_test:1,!&,1,19;  <===== encrypted flag
    byte_test:1,>,8,32;   <===== protocol ID
    byte_test:2,>,0,30;  |
    byte_test:2,<,10,30; |<===== new payload length check
    byte_test:2,!=,8,30; |
    reference:bugtraq,10004; reference:cve,2004-0184; 
    classtype:attempted-dos; 
    sid:xxxxxxx; rev:x;
)


Fabio




More information about the Snort-sigs mailing list