[Snort-sigs] False negatives on "ATTACK-RESPONSES id check returned userid"

Cees celzinga at ...2420...
Thu Apr 5 09:28:41 EDT 2007


Hi list,

The rule "ATTACK-RESPONSES id check returned userid" will generate false
negatives. The complete rule is:

alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check
returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,dec,string;
content:" gid="; within:15; byte_test:5,<,65537,0,relative,dec,string;
classtype:bad-unknown; sid:1882; rev:12;)

Some examples:
uid=0(root) gid=0(root) groups=0(root) -> works
uid=1001(cees) gid=1001(cees) groups=1001(cees) -> works
uid=33(www-data) gid=33(www-data) groups=33(www-data) -> false negative

The false negative is caused by the within argument. "uid=" and " gid=" are
separated by a total of 17 characters.

uid=33(www-data) gid=33(www-data) groups=33(www-data)
    <------------->
          15
    <--------------->
          17

The current within setting will cause the rule to fail for every user where
the combined length of the uid and username is greater than 9. Suggested
solution is to increase the within setting to approx 25/30.

Any thoughts?

Cheers, Cees

(BTW in its default configuration this rule is currently disabled. Most
likely because of the high probability of false positives from admins.)
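To make the within arithmetic concrete, the following is a small Python emulation of the sid:1882 matching logic (an added example, not code from Snort or from the original post). It assumes the usual Snort semantics: the detect pointer sits right after the previous content match, byte_test does not move it, "within:N" requires the next content to lie entirely inside the N bytes after that pointer, and the dec,string conversion reads leading decimal digits only. The three id outputs are the ones quoted in the post.

```python
import re

# The three id(1) outputs from the post, used as constructed sample payloads.
SAMPLES = {
    "root": "uid=0(root) gid=0(root) groups=0(root)",
    "cees": "uid=1001(cees) gid=1001(cees) groups=1001(cees)",
    "www-data": "uid=33(www-data) gid=33(www-data) groups=33(www-data)",
}


def byte_test_dec_string(buf: bytes, pos: int, nbytes: int, limit: int) -> bool:
    """Emulate byte_test:<nbytes>,<,<limit>,0,relative,dec,string.

    Assumption: like strtoul, only the leading decimal digits of the
    nbytes-wide window are converted; "33(ww" becomes 33."""
    m = re.match(rb"\d+", buf[pos:pos + nbytes])
    return m is not None and int(m.group()) < limit


def rule_matches(payload: bytes, within: int) -> bool:
    """Emulate sid:1882 with a configurable `within` on the ' gid=' content."""
    start = 0
    while True:
        uid = payload.find(b"uid=", start)          # content:"uid="
        if uid == -1:
            return False
        doe = uid + 4                               # pointer just past the match
        if byte_test_dec_string(payload, doe, 5, 65537):   # uid value < 65537
            # content:" gid="; within:N -> whole pattern inside the N-byte window
            window = payload[doe:doe + within]
            gid = window.find(b" gid=")
            if gid != -1:
                gid_doe = doe + gid + 5
                if byte_test_dec_string(payload, gid_doe, 5, 65537):  # gid value
                    return True
        start = uid + 1   # retry from the next "uid=" occurrence, as Snort does


def evaluate(within: int) -> dict:
    """Run every sample through the rule at the given `within` setting."""
    return {name: rule_matches(s.encode(), within) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for w in (15, 25):
        print(f"within:{w} -> {evaluate(w)}")
```

With within:15 the www-data line is missed because "33(www-data) gid=" is 17 bytes, while within:25 catches all three; the uid/gid byte_tests still reject values of 65537 and above.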