[Snort-sigs] False Positive on "MYSQL client authentication bypass attempt" (1:3668)

Brian Epstein snort at ...3290...
Mon Feb 26 14:42:58 EST 2007


Here is a false positive that I've been doing some research on.  We 
received a few of these that I was able to correlate to legitimate 
usage.

Rule: MYSQL client authentication bypass attempt
--
Sid: 1:3668
--
False Positives:
Each authentication encrypts the password using a unique salt given in 
the first connection packet. The resulting password is 20 bytes uniquely 
encrypted in the authentication packet.

Periodically, this encrypted password appears to begin with 00 (NUL). I 
believe that this is truly based on the random behavior of the salt. 
When this happens, rule 3668 finds the pattern | 00 14 00 |.

Example that doesn't match the rule:

00 15 2b 12 91 40 00 11  43 db 87 b9 08 00 45 08  ..+..@..  C.....E.
00 76 a3 97 40 00 40 06  b3 58 01 02 03 04 05 06  .v..@.@.  .X123456
07 08 91 b5 0c ea e3 77  fd 02 7e 81 71 40 80 18  78.....w  ..~.q@..
05 b4 42 a5 00 00 01 01  08 0a bc 69 5e 92 56 95  ..B.....  ...i^.V.
b8 ef 3e 00 00 01 85 a2  00 00 00 00 00 40 08 00  ..>.....  .....@..
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........  ........
00 00 00 00 00 00 73 6f  6d 65 75 73 65 72 00 14  ......so  meuser..
95 6d a3 f7 43 32 45 c4  3c 68 71 07 a1 f7 68 ce  .m..S...  <hq...h.
26 20 ac f4                                       & ..

Example that does match the rule:

00 15 2b 12 91 40 00 11  43 db 87 b9 08 00 45 08  ..+..@..  C.....E.
00 76 54 ba 40 00 40 06  02 36 c0 6c 6a e4 ac 10  .vT.@.@.  .6.lj...
0c 29 b9 71 0c ea 52 8b  fa 31 ec b1 85 40 80 18  .).q..R.  .1...@..
05 b4 9b 74 00 00 01 01  08 0a b0 26 ae 86 4a 52  ...t....  ...&..JR
a8 46 3e 00 00 01 85 a2  00 00 00 00 00 40 08 00  .F>.....  .....@..
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........  ........
00 00 00 00 00 00 73 6f  6d 65 75 73 65 72 00 14  ......so  meuser..
00 9a cc 39 ed ee ae b9  ea ee dd 2b 9b a0 23 d4  ...9....  ......#.
40 3d f1 86                                      @=..

Both of these have been correlated with normal and expected database 
queries.

--
Additional References:
http://www.redferni.uklinux.net/mysql/MySQL-Protocol.html

Thanks,
Brian

-- 
Brian Epstein <snort at ...3290...>
Key fingerprint = F9C8 A715 933E 6A64 C220  482B 02CF B6C8 DB7F 41B4
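An added example (not from the post, the Snort rule, or MySQL's own code) that parses the two MySQL client authentication payloads transcribed from the dumps above (TCP payload only, Ethernet/IP/TCP headers stripped), checks the |00 14 00| byte pattern the post cites as a stand-in for the rule's content match (the real rule options are not on the page), and runs the MySQL 4.1 mysql_native_password scramble over random salts to show that a leading 0x00 byte turns up in roughly 1 of every 256 authentications. The password and salts used in the rate check are constructed values.

```python
import hashlib
import os
import struct

# MySQL 4.1+ client auth payloads (TCP payload only) transcribed from the two dumps
# above: 4-byte packet header, client flags, max packet size, charset, 23 filler
# bytes, NUL-terminated username, 1-byte auth-response length (0x14 = 20), scramble.
HEAD = bytes.fromhex("3e000001" "85a20000" "00000040" "08") + b"\x00" * 23
NO_MATCH = HEAD + b"someuser\x00\x14" + bytes.fromhex("956da3f7433245c43c687107a1f768ce2620acf4")
MATCH = HEAD + b"someuser\x00\x14" + bytes.fromhex("009acc39edeeaeb9eaeedd2b9ba023d4403df186")


def parse_client_auth(pkt: bytes) -> dict:
    """Parse a MySQL 4.1+ handshake-response (client authentication) packet."""
    length = int.from_bytes(pkt[0:3], "little")
    body = pkt[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    flags, max_packet, charset = struct.unpack_from("<IIB", body, 0)
    off = 9 + 23                                  # skip the 23 reserved bytes
    end = body.index(b"\x00", off)                # username is NUL-terminated
    user = body[off:end].decode("latin-1")
    auth_len = body[end + 1]
    auth = body[end + 2:end + 2 + auth_len]
    if len(auth) != auth_len:
        raise ValueError("truncated auth response")
    return {"seq": pkt[3], "flags": flags, "max_packet": max_packet,
            "charset": charset, "user": user, "auth_len": auth_len, "auth": auth}


def sig_pattern_hit(pkt: bytes) -> bool:
    """Stand-in for the rule's content match: the |00 14 00| bytes the post cites."""
    return b"\x00\x14\x00" in pkt


def benign_leading_nul(pkt: bytes) -> bool:
    """True when the hit is just a well-formed 20-byte scramble whose first byte is 0x00."""
    p = parse_client_auth(pkt)
    return sig_pattern_hit(pkt) and p["auth_len"] == 20 and p["auth"][0] == 0


def native_scramble(password: bytes, salt: bytes) -> bytes:
    """mysql_native_password: SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw))), 20 bytes."""
    h1 = hashlib.sha1(password).digest()
    h3 = hashlib.sha1(salt + hashlib.sha1(h1).digest()).digest()
    return bytes(a ^ b for a, b in zip(h1, h3))


def leading_nul_rate(password: bytes, trials: int = 20000) -> float:
    """Fraction of random 20-byte salts whose scramble starts with 0x00 (about 1/256)."""
    hits = sum(native_scramble(password, os.urandom(20))[0] == 0 for _ in range(trials))
    return hits / trials
```

A detection tuned on the three-byte pattern alone will therefore fire on about 0.4% of legitimate 4.1-protocol logins for any user; checking that the auth-response length is 20 and that the scramble is fully present, as benign_leading_nul does, separates those from malformed packets.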