[Snort-sigs] SID 4638

rmkml rmkml at ...324...
Fri Jun 1 16:19:27 EDT 2007


and do you get false alerts if you add ip_proto:46; to these rules?
Regards
Rmkml


On Fri, 1 Jun 2007, rmkml wrote:

> Date: Fri, 1 Jun 2007 22:06:24 +0200 (CEST)
> From: rmkml <rmkml at ...324...>
> To: Paul Schmehl <pauls at ...1311...>, trains at ...2395...
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] SID 4638
> 
> Hi,
> maybe exploit on this link ? :
> http://www.securityfocus.com/archive/1/396930
>
> Credits:
> Crusoe Researches
> http://www.Crusoe-Researches.com
> contact at ...3281...
> => Crusoe Researches have more than 1985 UNIQ 'snort' rules for Commercial Access
>     (Contact me directly if you are interested)
>
> Azwalaro French new nidps open source project
> http://www.Crusoe-Researches.com/azwalaro/
> azwalaro at ...3281...
>
> Rmkml
>
>
> On Fri, 1 Jun 2007, Paul Schmehl wrote:
>
>> Date: Fri, 01 Jun 2007 15:01:35 -0500
>> From: Paul Schmehl <pauls at ...1311...>
>> To: snort-sigs at lists.sourceforge.net
>> Subject: Re: [Snort-sigs] SID 4638
>>
>> --On Friday, June 01, 2007 14:36:45 -0500 trains <trains at ...2395...>
>> wrote:
>>
>>> Quoting Paul Schmehl <pauls at ...1311...>:
>>>
>>>> I'm trying to figure out what the exploit is for this rule, and the
>>>> FrSIRT "explanation" is a bit of a headscratcher.
>>>>
>>>> Here's the rule:
>>>>
>>>> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP Protocol
>>>> zero length object DoS attempt"; content:"|01|"; depth:1; offset:11;
>>>> byte_test:1,<,4,13; pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm";
>>>> reference:url,www.frsirt.com/english/advisories/2005/0411;
>>>> classtype:attempted-dos; sid:4638; rev:3; )
>>>
>>> It seems to me that to exploit this flaw, the victim would have to be
>>> running tcpdump on a router that is running RSVP or possibly sniffing
>>> the traffic between two routers running RSVP.
>>>
>>> Then by engineering some special RSVP traffic out one router interface
>>> the aggressor could crash tcpdump on the other router or on the
>>> network monitoring device.
>>>
>>> It does seem like a bit of a stretch for a small payoff (crash the
>>> tcpdump process).  I suspect if I own one of your routers, you have a
>>> way bigger problem than if I decide to crash your network monitor.
>>>
>>> I would be inclined to call it a bad rule.  Can you post the packet
>>> traces that are causing it to fire off?
>>>
>> Here you go.  I wouldn't call it a "bad" rule.  Not very useful might be a
>> more accurate description.  I can see how it could be used in a directed
>> attack to try and hide traffic, but that's about it.
>>
>>
>> --
>> Paul Schmehl (pauls at ...1311...)
>> Senior Information Security Analyst
>> The University of Texas at Dallas
>> http://www.utdallas.edu/ir/security/
>>
>
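
To see what the posted rule actually inspects and why rmkml's ip_proto:46 suggestion matters, here is an added Python re-implementation of SID 4638's detection options (example code, not part of this thread or of Snort). It runs the rule against a constructed RSVP Path message carrying a zero-length EXPLICIT_ROUTE sub-object and against a constructed non-RSVP payload that merely has the same four bytes at offsets 10-13; the function names, the sample messages and the reading of those offsets as RSVP object and sub-object fields are the example's own assumptions.

```python
import re
import struct

RSVP = 46  # IP protocol number of RSVP; what rmkml's "ip_proto:46" would require

# The rule's detection options, re-expressed in Python. Offsets are into the IP
# payload; in an RSVP message that is: 8-byte common header, then the first
# object header (length:2, class-num:1, c-type:1) at bytes 8-11, then that
# object's first sub-object (type:1, length:1) at bytes 12-13. Class 20/21 are
# EXPLICIT_ROUTE/RECORD_ROUTE (RFC 3209), so the rule is looking for an ERO/RRO
# sub-object whose length byte is below the 4-byte minimum (0-3).
SID4638_PCRE = re.compile(rb"^.{10}[\x14\x15]\x01.{1}[\x00-\x03]", re.DOTALL | re.MULTILINE)


def sid4638_matches(payload: bytes, ip_proto: int, require_rsvp: bool = False) -> bool:
    """True if SID 4638 would fire on this IP payload.

    require_rsvp=False models the rule as posted ("alert ip", any protocol);
    require_rsvp=True models the same rule with ip_proto:46 added.
    """
    if require_rsvp and ip_proto != RSVP:
        return False
    # content:"|01|"; offset:11; depth:1 -> exactly byte 11 must be 0x01
    if len(payload) < 14 or payload[11] != 0x01:
        return False
    # byte_test:1,<,4,13 -> the single byte at offset 13 must be less than 4
    if payload[13] >= 4:
        return False
    return SID4638_PCRE.match(payload) is not None


def rsvp_path_with_ero(subobj_len: int) -> bytes:
    """Constructed RSVP Path message: common header, then one EXPLICIT_ROUTE
    object (class 20, c-type 1) holding a single IPv4-prefix sub-object whose
    length byte is caller-chosen (8 is correct, 0 is the malformed case)."""
    subobj = bytes([0x01, subobj_len]) + b"\x0a\x00\x00\x01\x20\x00"  # type, len, 10.0.0.1, /32, pad
    obj = struct.pack("!HBB", 4 + len(subobj), 20, 1) + subobj          # object length, class, c-type
    hdr = struct.pack("!BBHBBH", 0x10, 1, 0, 255, 0, 8 + len(obj))      # v1, Path, cksum, TTL, rsvd, len
    return hdr + obj


# Constructed non-RSVP payload (imagine it rode in a TCP segment): bytes 10-13
# happen to be 14 01 xx 02, which is all the posted rule looks at.
LOOKALIKE_TCP_PAYLOAD = b"\x00" * 10 + b"\x14\x01\x00\x02" + b"\xff" * 4

if __name__ == "__main__":
    print("malformed ERO, proto 46 :", sid4638_matches(rsvp_path_with_ero(0), RSVP, True))   # True
    print("well-formed ERO, proto 46:", sid4638_matches(rsvp_path_with_ero(8), RSVP, True))  # False
    print("lookalike, proto 6, as posted   :", sid4638_matches(LOOKALIKE_TCP_PAYLOAD, 6))    # True
    print("lookalike, proto 6, ip_proto:46 :", sid4638_matches(LOOKALIKE_TCP_PAYLOAD, 6, True))  # False
```

With ip_proto:46 the lookalike payload no longer fires while the malformed RSVP message still does, which is the trade-off rmkml's question is probing.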