[Snort-sigs] Crusoe Researches offer new rule for detecting VMware auth overflow attempt!

Matt Olney molney at ...435...
Tue Jan 6 15:56:17 EST 2009


rmkml,

I wanted to let you know about an evasion issue with the rule you
provide for the VMWare USER overflow.  You use the "dsize" keyword,
which ignores reassembled packets.  "dsize" is specifically for packet
sizes for protocol stack issues, so reassembled packets are not
checked.  If you need to check the size of data generically, isdataat
is the appropriate keyword.  An attacker could use tcp segmentation to
bypass your rule.

I would suggest you use isdataat:100 (or, perhaps, 105, to account
for the "USER ") at the beginning of the rule, in place of the dsize
statement.

Matt

On Sun, Jan 4, 2009 at 12:34 PM, rmkml <rmkml at ...324...> wrote:
> Hi,
>
> Crusoe Researches offering a new rule for detecting VMware auth overflow attempt:
> http://www.Crusoe-Researches.com/en/vmwareauthoverflow.txt
> remember to adjust the EXTERNAL_NET/HOME_NET variable!
>
> Credits:
> Crusoe Researches
> http://www.Crusoe-Researches.com
> contact at ...3281...
> => Crusoe Researches have more than 3735 UNIQ 'snort' rules for Commercial Access
>            (Contact me directly if you are interested)
>
> Crusoe Researches support Bro idps v1.4.6 project format rules
> (http://www.bro-ids.org/):
> signature sid-93735 {
>  ip-proto == tcp
>  dst-port == 912
>  event "MISC VMware authd USER overflow attempt"
>  tcp-state established,originator
>  payload /.*USER [^\n]{100}/
>  }
>
> Happy New Year
> Regards
> Rmkml
> Crusoe-Researches.com
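As an added illustration of the evasion Matt describes (not code from the thread, from Snort, or from Crusoe Researches), the Python model below splits a constructed oversized USER login across TCP segments and compares a per-packet size check (the way dsize behaves) with a check on the reassembled stream (the way content plus isdataat,relative, and the quoted Bro pattern, behave). The dsize_rule and isdataat_rule helpers are simplified stand-ins for Snort's detection engine, and the sample login data is constructed.

```python
import re

# Constructed sample traffic (not from the thread): a login with an
# oversized USER argument, and a benign login for comparison.
OVERSIZED_LOGIN = b"USER " + b"A" * 120 + b"\r\n"
BENIGN_LOGIN = b"USER root\r\n"


def segment(payload: bytes, mss: int) -> list:
    """Split one direction of a TCP stream into segment-sized payloads."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def dsize_rule(segments, threshold: int = 100) -> bool:
    """Model of a rule keyed on dsize: the size test is applied to each raw
    packet's own payload, never to the stream-reassembled buffer, so it only
    fires when a single segment is both large and carries 'USER '."""
    return any(len(seg) > threshold and seg.startswith(b"USER ")
               for seg in segments)


def isdataat_rule(segments, depth: int = 100) -> bool:
    """Model of content:"USER "; isdataat:depth,relative; evaluated on the
    reassembled stream, so how the sender segments the data does not matter."""
    stream = b"".join(segments)
    idx = stream.find(b"USER ")
    if idx < 0:
        return False
    # isdataat,relative: at least `depth` bytes remain after the content match
    return len(stream) - (idx + len(b"USER ")) >= depth


def bro_signature(segments) -> bool:
    """The quoted Bro signature's payload pattern, run over the reassembled
    stream as Bro does."""
    return re.search(rb".*USER [^\n]{100}", b"".join(segments)) is not None


def evaluate(payload: bytes, mss: int) -> dict:
    """Run all three checks against the payload segmented at the given MSS."""
    segs = segment(payload, mss)
    return {"segments": len(segs), "dsize": dsize_rule(segs),
            "isdataat": isdataat_rule(segs), "bro": bro_signature(segs)}


if __name__ == "__main__":
    for mss in (1460, 40):  # one large segment vs. small segments
        print(mss, evaluate(OVERSIZED_LOGIN, mss))
    print("benign", evaluate(BENIGN_LOGIN, 1460))
```

With a 1460-byte MSS all three checks fire; with 40-byte segments only the stream-based checks still fire, which is the evasion the reply warns about.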
