[Snort-sigs] FPs on sid 159

Paul Schmehl pauls at ...1311...
Thu Mar 2 13:15:04 EST 2006


This rule has been bugging me for a while.  As you can see, all it looks 
for is two hyphens side by side.  Unfortunately, the Arachnids site appears 
to be down, so I have no way of knowing how they decided to look for those 
two characters, but, as you can see from the payload below, it's trivial to 
trip this alert with encrypted or binary packets.

Here's the rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (msg:"BACKDOOR NetMetro File 
List"; flow:to_server,established; content:"--"; reference:arachnids,79; 
classtype:misc-activity; sid:159; rev:6;)

Here's the explanation on snort.org:
<http://www.snort.org/pub-bin/sigs.cgi?sid=159>

Which includes this:

The server portion opens TCP port 5031 by default to establish a connection 
between client and server.

The site that hosts information about the trojan says the same thing:

<http://www.dark-e.com/archive/trojans/NetMetro/104/index.shtml>

Default port: 5031 TCP
Can port be changed: No

So why is the rule looking for dst port 5032?  Why isn't it looking for src 
port 5031?  Or dst port 5031?

This site concludes that it's a false positive.

<http://security.raffy.ch/projects/Raffael_Marty_GCIA/node14.html>

The traffic triggering this alert has source ports of 20 and 80, and a 
destination port of 5032. These are therefore valid FTP data and HTTP 
connections. Matching the contents-part of the signature ("--") easily 
happens in this type of data. Severity: 0 (false positive)

The src host has port 20 open, so naturally I tried to ftp to it, and voilà!

} ftp 211.190.235.155
Connected to 211.190.235.155.
220 \uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff 
\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff 
\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff
Name (211.190.235.155:pauls): anonymous
331 User name okay, please send complete E-mail address as password.
Password:
530 Anonymous \uffff\uffff\uffff\uffff\uffff\uffff 
\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff 
\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff
Login failed.
Remote system type is UNIX.
Using ascii mode to transfer files.

Here's the payload.  I've got six more just like it:

length = 1380


Surely we can either can this rule or improve it so that it's more accurate?

At a minimum it should be:
alert tcp $EXTERNAL_NET any -> $HOME_NET 5031 (msg:"BACKDOOR NetMetro File 
List"; flow:to_server,established; content:"--"; reference:arachnids,79; 
classtype:misc-activity; sid:159; rev:6;)

If not:
alert tcp $EXTERNAL_NET 5031 -> $HOME_NET any (msg:"BACKDOOR NetMetro File 
List"; flow:to_server,established; content:"--"; reference:arachnids,79; 
classtype:misc-activity; sid:159; rev:6;)

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
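Added example (not part of the post above, and not Snort's own matcher): a toy model of the port and content parts of sid 159, checked against constructed packets and against uniformly random payloads standing in for encrypted or compressed traffic. The tcp protocol and flow:to_server,established options are assumed satisfied, so only the port header and the two-byte content match are modelled.

```python
"""Toy model of sid 159: why a bare content:"--" on dst port 5032 false-positives."""
from dataclasses import dataclass
from typing import Optional
import random


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    """Simplified Snort rule: port header plus one content string (None port == 'any')."""
    src_port: Optional[int]
    dst_port: Optional[int]
    content: bytes

    def matches(self, pkt: Packet) -> bool:
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return self.content in pkt.payload


# The rule as shipped (dst 5032) and the first tightening the post proposes (dst 5031).
SID159_ORIGINAL = Rule(src_port=None, dst_port=5032, content=b"--")
SID159_DST_5031 = Rule(src_port=None, dst_port=5031, content=b"--")


def random_payload_hit_rate(rule: Rule, length: int = 1380,
                            trials: int = 20000, seed: int = 1) -> float:
    """Fraction of random payloads of the post's 1380-byte size containing the content.

    For a two-byte pattern there are length-1 positions, each matching with
    probability 1/65536, so roughly (length-1)/65536, about 2%, of high-entropy
    packets on the watched port will trip the rule regardless of ports.
    """
    rng = random.Random(seed)
    hits = sum(rule.content in rng.randbytes(length) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    # Constructed sample: FTP data (src 20) carrying "--" toward dst 5032, as in the post.
    ftp_data = Packet(20, 5032, b"-rw-r--r-- 1 ftp ftp 1024 Mar 02 file.txt\r\n")
    print("original fires on FTP data to 5032:", SID159_ORIGINAL.matches(ftp_data))
    print("dst-5031 variant fires on it:", SID159_DST_5031.matches(ftp_data))
    print("random-payload hit rate:", random_payload_hit_rate(SID159_ORIGINAL))
```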
