[Snort-sigs] CVE-2012-5076 and CVE-2012-1723 Rules

Snort Troubleshooting snort at ...3751...
Sun Nov 25 05:26:59 EST 2012



Hello,

Today I was testing some blackhole websites against Snort in my test lab to validate some traffic, in which Snort, using the VRT rules (subscriber rules), did not alert on anything. However, the anti-virus installed on the test machine detected that two Java exploit files had been downloaded and were happily residing in /AppData/Local/Temp. The anti-virus (MSE) reported the following:

1. Exploit: Java/CVE-2012-5076.BBW  --->  KPOWd.class

2. Exploit: Java/CVE-2012-1723!generic  --->  kvjMojWwL.class

At this point I suspected that my Snort configurations/rules may be wrong. After confirming that everything is fine, I went ahead and downloaded the ET (open-source) rules and stuck them in there. Then I browsed to the blackhole website again, and Snort fired on two ET rules, namely sid:2015724 and sid:2015725. Unfortunately, the msg fields of these two alerts are not fully descriptive and there are no references included in the alerts.

After that, I searched through my Snort rules that cover both CVEs mentioned above, and they are included and enabled in my snort.rules (PulledPork, -I balanced). I found these two (along with their state: enabled, disabled):

1. CVE-2012-5076:

   - sid: 24026 (enabled)
   - sid: 20622 (disabled)

2. CVE-2012-1723:

   - sid: 24202 (enabled)
   - sid: 24201 (enabled)
   - sid: 23277 (enabled)
   - sid: 23276 (enabled)
   - sid: 23275 (enabled)
   - sid: 23274 (enabled)
   - sid: 23273 (enabled)

All of the above use $FILE_DATA_PORTS, which in my case did not include the port that the blackhole website is using. So I added the port to $FILE_DATA_PORTS and retested, but the Snort (VRT) rules did not fire, yet the ET rules did. Obviously, the signatures (content, pcre, etc.) are different, but I thought they would still alert, as signatures can be different yet catch the same malicious traffic. I was not able to test whether enabling the "security" policy in PulledPork would enable rules that catch the said traffic.

I have fairly good experience running Snort, though I'm still learning my way through writing proper rules. I will try to examine the pcaps and Fiddler session data in the upcoming days and update. If anyone can shed some light on this, it would be appreciated.

Thanks.

YM
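As an added illustration of the $FILE_DATA_PORTS point raised in the post (this is not code from the original message or from the Snort project): a small Python resolver for snort.conf portvar lists that reports whether a given port is covered by a rule's port variable, which is the first thing a rule's content/pcre checks depend on. The portvar lines and the port 8083 are constructed stand-ins, not the real default list or the site's actual port.

```python
import re

# Constructed snort.conf fragment in portvar syntax. Not the real default
# list; just enough to show how $FILE_DATA_PORTS resolves through $HTTP_PORTS.
SNORT_CONF = """
portvar HTTP_PORTS [80,81,8080,8088]
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
"""

PORTVAR_RE = re.compile(r"^\s*portvar\s+(\w+)\s+(\S+)\s*$", re.MULTILINE)


def parse_portvars(conf):
    """Return {name: raw_list_string} for every portvar line in conf."""
    return {m.group(1): m.group(2) for m in PORTVAR_RE.finditer(conf)}


def expand_ports(spec, portvars, _seen=()):
    """Expand a flat Snort port list into a set of ints.

    Handles: any, single ports, N:M / :M / N: ranges, [a,b,...] lists and
    nested $VAR references. Negation (!) and nested brackets are not handled.
    """
    spec = spec.strip().strip("[]")
    if spec == "any":
        return set(range(0, 65536))
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("$"):
            name = item[1:]
            if name in _seen:
                raise ValueError("circular portvar reference: " + name)
            ports |= expand_ports(portvars[name], portvars, _seen + (name,))
        elif ":" in item:
            lo, hi = item.split(":", 1)
            ports |= set(range(int(lo or 0), int(hi or 65535) + 1))
        else:
            ports.add(int(item))
    return ports


def covered(port, var, conf=SNORT_CONF):
    """True if `port` is inside $var, i.e. a rule bound to $var can match it."""
    return port in expand_ports("$" + var, parse_portvars(conf))


if __name__ == "__main__":
    # 8083 is a made-up stand-in for the port the blackhole site used.
    for p in (80, 110, 8083):
        print(p, "covered" if covered(p, "FILE_DATA_PORTS") else "NOT covered")
```

Run against the real snort.conf, the same check tells you whether a rule that never fires could even have been evaluated on the traffic's port before you start comparing its content and pcre options.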