[Snort-sigs] False positive sid:498

Paul Schmehl pauls at ...1311...
Tue Mar 22 10:06:48 EST 2005


/usr/local/share/snort/attack-responses.rules:alert ip any any -> any any 
(msg:"ATTACK-RESPONSES id check returned root"; 
content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:6;)

Dest port 25

PAYLOAD:
 /usr/bin/su....
.original adv:..
www.idefense.com
/application/poi
/display?id=219&
type=vulnerabili
ties....original
 exploit:..http:
//fakehalo.us/xo
sx-cf.c......---
 example usage -
--....server:/tm
p v9$ id..uid=50
2(v9) gid=502(v9
) groups=502(v9)
..server:/tmp v9
$ gcc xosx-cf.c
-o xosx-cf..serv
er:/tmp v9$ ./xo
sx-cf..(*)MacOS
X[CF_CHARSET_PAT
H]: local root e
xploit...(*)by:
v9 at ...3034...,
found by iDefens
e adv. (anon)...
.[*] setting up
the environment.
..[*] executing
su... (press ENT
ER at the "Passw
ord: " prompt)..
..Password:..sh-
2.05b# id..uid=0
(root) gid=502(v
9) groups=502(v9
)......--- xosx-
cf.c ---..../*[
MacOS X[CF_CHARS
ET_PATH]: local
root exploit. ]*
********.. *

Shouldn't this rule exclude port 25?
/usr/local/share/snort/attack-responses.rules:alert ip any any -> any !25 
(msg:"ATTACK-RESPONSES id check returned root"; 
content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:6;)

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
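To make the effect of the proposed `!25` change concrete, here is a small added example (my own illustration, not code from the post or from the Snort project). It models only the two fields that differ between the rule forms above, the destination port and the `content:` pattern, and runs both against constructed sample packets: an e-mail relaying an advisory that quotes an `id` transcript (the false positive in the post), a response on a non-mail port that genuinely carries `uid=0(root)`, and an ordinary mail. The rule semantics (a `|28|`..`|29|` hex pair in `content:`, `!25` as port negation) are Snort's; the matcher itself is a deliberately simplified stand-in, not Snort's engine.

```python
from typing import Dict, List

# Simplified models of the two rule forms from the post: only the
# destination-port field and the content: pattern are represented.
ORIGINAL_RULE = {"name": "sid:498 rev:6 (any dst port)", "dst_port": "any",
                 "content": "uid=0|28|root|29|"}
PROPOSED_RULE = {"name": "sid:498 with dst port !25", "dst_port": "!25",
                 "content": "uid=0|28|root|29|"}


def parse_snort_content(spec: str) -> bytes:
    """Turn a Snort content: string into the bytes it matches.

    Text between a pair of '|' characters is hex (spaces allowed); everything
    else is literal. 'uid=0|28|root|29|' therefore becomes b'uid=0(root)'.
    """
    if spec.count("|") % 2:
        raise ValueError("unbalanced '|' in content spec")
    out = bytearray()
    for i, piece in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += piece.encode("latin-1")          # literal text
        else:
            out += bytes.fromhex(piece.replace(" ", ""))  # |hh hh| block
    return bytes(out)


def port_allows(spec: str, port: int) -> bool:
    """Evaluate a single-port Snort port spec: 'any', '25', or the negation '!25'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return port != int(spec[1:])
    return port == int(spec)


def rule_fires(rule: Dict[str, str], dst_port: int, payload: bytes) -> bool:
    """Port check first, then a plain (case-sensitive) substring match, as the rule has no nocase."""
    return port_allows(rule["dst_port"], dst_port) and \
        parse_snort_content(rule["content"]) in payload


# Constructed sample traffic (illustrative, not captures from the post):
SAMPLE_PACKETS = [
    # e-mail relaying an advisory that quotes an id(1) transcript, like the alert in the post
    {"label": "smtp-advisory", "dst_port": 25,
     "payload": b"Subject: advisory\r\n\r\nsh-2.05b# id\r\n"
                b"uid=0(root) gid=502(v9) groups=502(v9)\r\n"},
    # response on a non-mail port that genuinely shows the output of 'id' as root
    {"label": "http-id-output", "dst_port": 80,
     "payload": b"HTTP/1.1 200 OK\r\n\r\nuid=0(root) gid=0(root)\r\n"},
    # ordinary mail with nothing to match
    {"label": "smtp-benign", "dst_port": 25,
     "payload": b"Subject: lunch\r\n\r\nSee you at noon.\r\n"},
]


def alerts_for(rule: Dict[str, str], packets=SAMPLE_PACKETS) -> List[str]:
    """Labels of the sample packets on which the given rule would alert."""
    return [p["label"] for p in packets
            if rule_fires(rule, p["dst_port"], p["payload"])]


if __name__ == "__main__":
    for rule in (ORIGINAL_RULE, PROPOSED_RULE):
        print(rule["name"], "->", alerts_for(rule))
```

Run as-is, the original form alerts on both the advisory e-mail and the port-80 response, while the `!25` form alerts only on the port-80 response. That is the trade-off behind the question: the port negation silences the e-mail false positive, but it also silences the rule for every other packet to port 25, which is why a per-deployment `suppress` or `threshold` entry is the other option to weigh against editing the rule itself.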