[Snort-sigs] False Positive on "MYSQL client authentication bypass attempt" (1:3668)

rmkml rmkml at ...324...
Mon Feb 26 15:29:56 EST 2007


Hi Brian,
first, the bugtraq id is not equal; maybe change it to 10654,
and on this bid I found two exploits.
second, the perl exploit uses "\x00\x14\x00\x00\x00\x00..."
maybe change this rule to reduce false positives:
  alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL client authentication bypass attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,&,0x80,4; byte_test:1,!&,0x02,4; content:"|00 14 00 00|"; offset:9; reference:bugtraq,10654; reference:www.nextgenss.com/advisories/mysql-authbypass.txt; reference:cve,2004-0627; classtype:misc-attack; sid:3668; rev:2;)
Regards
Rmkml


On Mon, 26 Feb 2007, Brian Epstein wrote:

> Date: Mon, 26 Feb 2007 14:42:58 -0500 (EST)
> From: Brian Epstein <snort at ...3290...>
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] False Positive on
>     "MYSQL client authentication bypass attempt" (1:3668)
> 
> Here is a false positive that I've been doing some research on.  We
> received a few of these that I was able to correlate to legitimate
> usage.
>
> Rule: MYSQL client authentication bypass attempt
> --
> Sid: 1:3668
> --
> False Positives:
> Each authentication encrypts the password using a unique salt given in
> the first connection packet. The resulting password is 20 bytes uniquely
> encrypted in the authentication packet.
>
> Periodically, this encrypted password appears to begin with 00 (NUL). I
> believe that this is truly based on the random behavior of the salt.
> When this happens, rule 3668 finds the pattern | 00 14 00 |.
>
> Example that doesn't match the rule:
>
> 00 15 2b 12 91 40 00 11  43 db 87 b9 08 00 45 08  ..+..@..  C.....E.
> 00 76 a3 97 40 00 40 06  b3 58 01 02 03 04 05 06  .v..@.@.  .X123456
> 07 08 91 b5 0c ea e3 77  fd 02 7e 81 71 40 80 18  78.....w  ..~.q@..
> 05 b4 42 a5 00 00 01 01  08 0a bc 69 5e 92 56 95  ..B.....  ...i^.V.
> b8 ef 3e 00 00 01 85 a2  00 00 00 00 00 40 08 00  ..>.....  .....@..
> 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........  ........
> 00 00 00 00 00 00 73 6f  6d 65 75 73 65 72 00 14  ......so  meuser..
> 95 6d a3 f7 43 32 45 c4  3c 68 71 07 a1 f7 68 ce  .m..S...  <hq...h.
> 26 20 ac f4                                       & ..
>
> Example that does match the rule:
>
> 00 15 2b 12 91 40 00 11  43 db 87 b9 08 00 45 08  ..+..@..  C.....E.
> 00 76 54 ba 40 00 40 06  02 36 c0 6c 6a e4 ac 10  .vT.@.@.  .6.lj...
> 0c 29 b9 71 0c ea 52 8b  fa 31 ec b1 85 40 80 18  .).q..R.  .1...@..
> 05 b4 9b 74 00 00 01 01  08 0a b0 26 ae 86 4a 52  ...t....  ...&..JR
> a8 46 3e 00 00 01 85 a2  00 00 00 00 00 40 08 00  .F>.....  .....@..
> 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........  ........
> 00 00 00 00 00 00 73 6f  6d 65 75 73 65 72 00 14  ......so  meuser..
> 00 9a cc 39 ed ee ae b9  ea ee dd 2b 9b a0 23 d4  ...9....  ......#.
> 40 3d f1 86                                      @=..
>
> Both of these have been correlated with normal and expected database
> queries.
>
> --
> Additional References:
> http://www.redferni.uklinux.net/mysql/MySQL-Protocol.html
>
> Thanks,
> Brian
>
> -- 
> Brian Epstein <snort at ...3290...>
> Key fingerprint = F9C8 A715 933E 6A64 C220  482B 02CF B6C8 DB7F 41B4
>
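Added example (not code from either post or from the Snort project): Python that mirrors the payload checks of sid 3668 on the two authentication packets Brian dumped, then parses the same payloads as MySQL 4.1 client handshake responses. The payloads are the TCP data of the dumps, reconstructed here by dropping the 66 bytes of Ethernet, IP and TCP headers; the flowbits precondition (server greeting already seen) is assumed satisfied. The parse shows that the matching bytes are the NUL terminating the username, the 0x14 (20) scramble-length byte, and a scramble whose first byte happens to be 0x00, which for an effectively uniform 20-byte scramble happens in about 1 login out of 256. It also evaluates rmkml's proposed four-byte pattern against the same legitimate packet.

```python
# Added example: sid 3668's content/byte_test checks versus a protocol-aware
# parse of the two MySQL client authentication packets quoted above.
# Payloads are constructed from the dumps (TCP data only); the flowbits
# condition of the rule is assumed to be met.

FILLER = b"\x00" * 23  # 23 reserved bytes in a MySQL 4.1 handshake response


def handshake_response(scramble: bytes, user: bytes = b"someuser") -> bytes:
    """Rebuild a client auth packet byte-for-byte as it appears in the dumps."""
    body = (bytes.fromhex("85a20000")      # client capability flags (little-endian)
            + bytes.fromhex("00000040")    # max packet size
            + b"\x08"                      # character set
            + FILLER
            + user + b"\x00"               # NUL-terminated username
            + bytes([len(scramble)]) + scramble)  # length byte + scramble
    # MySQL packet header: 3-byte little-endian length, 1-byte sequence number
    return len(body).to_bytes(3, "little") + b"\x01" + body


# Scramble bytes copied from the two dumps in Brian's post.
PAYLOAD_NO_MATCH = handshake_response(
    bytes.fromhex("956da3f7433245c43c687107a1f768ce2620acf4"))
PAYLOAD_MATCH = handshake_response(
    bytes.fromhex("009acc39edeeaeb9eaeedd2b9ba023d4403df186"))


def rule_3668(payload: bytes, tail: bytes = b"\x00\x14\x00") -> bool:
    """Mirror of the payload checks in sid 3668 (flowbits ignored).

    `tail` is the final content match: the original "|00 14 00|" that Brian
    describes, or "|00 14 00 00|" as proposed in the reply.
    """
    if len(payload) < 10:
        return False
    if payload[3:4] != b"\x01":        # content:"|01|"; depth:1; offset:3
        return False
    if not payload[4] & 0x80:          # byte_test:1,&,0x80,4
        return False
    if payload[4] & 0x02:              # byte_test:1,!&,0x02,4
        return False
    return payload.find(tail, 9) != -1  # content:"|..|"; offset:9


def parse_handshake_response(payload: bytes) -> dict:
    """Decode a MySQL 4.1 client authentication packet into its fields."""
    length = int.from_bytes(payload[0:3], "little")
    seq = payload[3]
    body = payload[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated MySQL packet")
    flags = int.from_bytes(body[0:4], "little")
    max_packet = int.from_bytes(body[4:8], "little")
    charset = body[8]
    rest = body[32:]                    # after flags, max packet, charset, filler
    nul = rest.find(b"\x00")
    if nul < 0:
        raise ValueError("username is not NUL-terminated")
    user = rest[:nul]
    after = rest[nul + 1:]
    scramble_len = after[0] if after else None
    scramble = after[1:1 + scramble_len] if after else b""
    trailing = after[1 + scramble_len:] if after else b""
    return {"seq": seq, "flags": flags, "max_packet": max_packet,
            "charset": charset, "user": user, "scramble_len": scramble_len,
            "scramble": scramble, "trailing": trailing}


def is_well_formed_auth(payload: bytes) -> bool:
    """True when the packet carries a 20-byte scramble that exactly fills it."""
    p = parse_handshake_response(payload)
    return p["scramble_len"] == 20 and len(p["scramble"]) == 20 and not p["trailing"]


if __name__ == "__main__":
    for name, payload in (("no match", PAYLOAD_NO_MATCH), ("match", PAYLOAD_MATCH)):
        p = parse_handshake_response(payload)
        print(name, "3-byte pattern:", rule_3668(payload),
              "4-byte pattern:", rule_3668(payload, b"\x00\x14\x00\x00"),
              "well formed:", is_well_formed_auth(payload),
              "scramble[0]=0x%02x" % p["scramble"][0])
```

Both packets parse as well-formed logins for user `someuser` with a 20-byte scramble; the only difference is the first scramble byte, so the three-byte pattern fires on one and not the other. The four-byte pattern from the reply does not fire on either of these legitimate packets, and a protocol-aware check like `is_well_formed_auth` separates the two cases without depending on the scramble value at all.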
