[Snort-sigs] False negatives on "ATTACK-RESPONSES id check returned userid"

Cees celzinga at ...2420...
Mon Apr 16 06:40:27 EDT 2007


Some additional information:

Version of snort used: 2.6.1.2
Snort.conf configuration:
var HOME_NET [192.168.247.133/32]
var EXTERNAL_NET !$HOME_NET
[..]
Preprocessors: frag3, stream4, http_inspect

Command-line options when starting snort:
snort -u snort -r uid.pcap -l log/ -c snort.conf

Operating system used: Gentoo linux

Attached a sample PCAP file. A client (192.168.247.129) retrieves a website
from the server (192.168.247.133) with the string "uid=33(www-data)
gid=33(www-data) groups=33(www-data)".

On 4/5/07, Cees <celzinga at ...2420...> wrote:
>
> Hi list,
>
> The rule "ATTACK-RESPONSES id check returned userid" will generate false
> negatives. The complete rule is:
>
> alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id
> check returned userid"; content:"uid=";
> byte_test:5,<,65537,0,relative,dec,string; content:" gid="; within:15;
> byte_test:5,<,65537,0,relative,dec,string; classtype:bad-unknown; sid:1882;
> rev:12;)
>
> Some examples:
> uid=0(root) gid=0(root) groups=0(root) -> works
> uid=1001(cees) gid=1001(cees) groups=1001(cees) -> works
> uid=33(www-data) gid=33(www-data) groups=33(www-data) -> false negative
>
> The false negative is caused by the within argument. "uid=" and " gid="
> are separated by a total of 17 characters.
>
> uid=33(www-data) gid=33(www-data) groups=33(www-data)
>     <------------->
>           15
>     <--------------->
>           17
>
> The current within setting will cause the rule to fail for every user
> where the combined length of the uid and username is greater than 9.
> Suggested solution is to increase the within setting to approx 25/30.
>
> Any thoughts?
>
> Cheers, Cees
>
> (BTW in its default configuration this rule is currently disabled. Most
> likely because of the high probability of false positives from admins.)
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: uid.pcap
Type: application/force-download
Size: 1408 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20070416/0b693401/attachment.bin>
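The option chain of the quoted rule, emulated in Python so the within-distance problem can be reproduced without a sensor. This is an added example, not Snort's detection engine and not code from the list post; it assumes the Snort 2.x semantics that byte_test does not move the detection cursor (only byte_jump does), that within:N requires the whole of " gid=" to sit inside the N bytes after the previous match, that the dec,string conversion reads leading digits strtoul-style and ignores the rest of the 5-byte window, and that the engine retries later "uid=" occurrences when a later option fails. The three id-output strings from the thread are reused as constructed sample payloads, plus one with a uid that trips the byte_test ceiling.

```python
import re

# Tokens and byte_test parameters exactly as in sid:1882 rev:12.
UID_TOKEN = b"uid="
GID_TOKEN = b" gid="
BYTE_TEST_LEN = 5        # byte_test:5,...
BYTE_TEST_LIMIT = 65537  # ...,<,65537,...


def _byte_test_dec_string(payload, cursor, nbytes=BYTE_TEST_LEN, limit=BYTE_TEST_LIMIT):
    """Emulate byte_test:<nbytes>,<,<limit>,0,relative,dec,string.

    Assumption: Snort grabs <nbytes> bytes at the cursor and converts them
    strtoul-style, so "0(roo" reads as 0 and "33(ww" reads as 33. A window
    with no leading digit fails the test.
    """
    window = payload[cursor:cursor + nbytes]
    m = re.match(rb"\d+", window)
    if not m:
        return False
    return int(m.group(0)) < limit


def rule_1882_matches(payload, within=15):
    """Return True if the quoted rule's option chain matches payload.

    content:"uid="; byte_test:5,<,65537,0,relative,dec,string;
    content:" gid="; within:<within>;
    byte_test:5,<,65537,0,relative,dec,string;

    Assumption: byte_test leaves the cursor at the end of the previous
    content match, so within:N is measured from the end of "uid=".
    """
    start = 0
    while True:
        i = payload.find(UID_TOKEN, start)
        if i < 0:
            return False
        cursor = i + len(UID_TOKEN)
        if _byte_test_dec_string(payload, cursor):
            # bytes.find with an end bound only reports a hit if the whole
            # token lies inside payload[cursor:cursor + within].
            j = payload.find(GID_TOKEN, cursor, cursor + within)
            if j >= 0:
                cursor = j + len(GID_TOKEN)
                if _byte_test_dec_string(payload, cursor):
                    return True
        # Retry from the next "uid=" occurrence, as the detection engine does.
        start = i + 1


def gid_offset(payload):
    """Distance in bytes from the end of "uid=" to the end of " gid=", i.e.
    the smallest within value that lets the second content match.
    Returns -1 if either token is missing."""
    i = payload.find(UID_TOKEN)
    if i < 0:
        return -1
    j = payload.find(GID_TOKEN, i + len(UID_TOKEN))
    if j < 0:
        return -1
    return j + len(GID_TOKEN) - (i + len(UID_TOKEN))


# Constructed sample payloads: the three id outputs from the thread plus a
# large uid that fails byte_test regardless of the within setting.
SAMPLES = [
    b"uid=0(root) gid=0(root) groups=0(root)",
    b"uid=1001(cees) gid=1001(cees) groups=1001(cees)",
    b"uid=33(www-data) gid=33(www-data) groups=33(www-data)",
    b"uid=99999(svc) gid=99999(svc) groups=99999(svc)",
]


def evaluate(samples=SAMPLES, withins=(15, 30)):
    """For each sample, report the gap that within must cover and whether the
    rule fires at each candidate within value."""
    return [
        {
            "payload": s,
            "gid_offset": gid_offset(s),
            "matches": {w: rule_1882_matches(s, within=w) for w in withins},
        }
        for s in samples
    ]


if __name__ == "__main__":
    for row in evaluate():
        print(row["payload"].decode(), "offset:", row["gid_offset"], row["matches"])
```

Running the block prints the 12/15/17-byte gaps for the three id strings; the www-data line needs within:17 or more, which is why 15 misses it and 30 catches it. The fourth sample shows a limit the thread does not mention: a uid of 65537 or above fails the byte_test and is missed whatever within is set to.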