[Snort-sigs] CVE-2012-5076 and CVE-2012-1723 Rules

Joel Esler jesler at ...435...
Sun Nov 25 20:34:30 EST 2012


Thanks for bringing this up.  I'm on my phone right now and can't take a look, but we should have fired on blackhole. The rules that cover blackhole for the most part are in the exploit-kit.rules file. 

I'll take a look and see what we can do to improve any coverage we are missing, blackhole, especially v2, is a pain. 

Joel Esler
Sent from my iPhone 

On Nov 25, 2012, at 5:26 AM, Snort Troubleshooting <snort at ...3751...> wrote:

> Hello,
> Today I was testing some blackhole websites against Snort in my test lab to validate some traffic, in which Snort using the VRT rules (subscriber rules) did not alert on anything. However, the anti-virus installed on the test machine detected that there are two Java exploit files have been downloaded and happily residing in /AppData/Local/Temp. The anti-virus (MSE) reported the following:
> 1.       Exploit: Java/CVE-2012-5076.BBW - - - > KPOWd.class
> 2.       Exploit: Java/CVE-2012-1723!generic  - - - > kvjMojWwL.class
> At this point I suspected that my Snort configurations/rules may be wrong. After confirming that everything is fine, I went ahead and downloaded ET (open-source) rules and stuck them in there. Then I browsed to the blackhole website again, and Snort fired on two ET Rules, namely, sid:2015724, and sid:2015725. Unfortunately, the msg of these two alerts are not fully descriptive and there are no references included in the alerts.
> After that, I searched through my Snort rules that covers both CVE’s mentioned above, and they are included and enabled in my snort.rules (PulledPork, -I balanced). I found these two (along there state: enables, disabled):
> 1.       CVE-2012-5076:
> -          sid: 24026 (enabled)
> -          sid: 20622 (disabled)
> 2.       CVE-2012-1723:
> -          sid: 24202 (enabled)
> -          sid: 24201 (enabled)
> -          sid: 23277 (enabled)
> -          sid: 23276 (enabled)
> -          sid: 23275 (enabled)
> -          sid: 23274 (enabled)
> -          sid: 23273 (enabled)
> All of the above use $FILE_DATA_PORTS, which in my case did not include the port that the blackhole website is using. So I added the port to $FILE_DATA_PORTS and retested again, but Snort rules (VRT) did not fire, yet ET rules did. Obviously, the signatures (content, pcre, etc.) are different but I thought they still would alert as signatures can be different  yet catch the same malicious traffic.  I was not able to test against enabling the “security” policy in PulledPork, if that would enable rules to catch the said traffic.
> I got a fairly good experience running Snort, though, I’m still learning my way through writing proper rules. I will try to examine the pcaps and fiddler session data in the upcoming days and update. If anyone can shed some light through this, it would be appreciated.
> Thanks.
> YM
> ------------------------------------------------------------------------------
> Monitor your physical, virtual and cloud infrastructure from a single
> web console. Get in-depth insight into apps, servers, databases, vmware,
> SAP, cloud infrastructure, etc. Download 30-day Free Trial.
> Pricing starts from $795 for 25 servers or applications!
> http://p.sf.net/sfu/zoho_dev2dev_nov
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20121125/0bdf1c12/attachment.html>

More information about the Snort-sigs mailing list