[Snort-sigs] Snort-sigs Digest, Vol 100, Issue 8

Tarzan538 NONO sfalaptops at ...12...
Wed Sep 24 13:17:40 EDT 2014


Hi Simon,
Here is my classification file:

# $Id: classification.config,v 1.5 2013/05/28 16:19:02 jesler Exp $
# The following includes information for prioritizing rules
# 
# Each classification includes a shortname, a description, and a default
# priority for that classification.
#
# This allows alerts to be classified and prioritized.  You can specify
# what priority each classification has.  Any rule can override the default
# priority for that rule.
#
# Here are a few example rules:
# 
#   alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow"; 
#	dsize: > 128; classtype:attempted-admin; priority:10;
#
#   alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
#	      content:"expn root"; nocase; classtype:attempted-recon;)
#
# The first rule will set its type to "attempted-admin" and override 
# the default priority for that type to 10.
#
# The second rule set its type to "attempted-recon" and set its
# priority to the default for that type.
# 
#
# config classification:shortname,short description,priority
#

config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1

# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable Code was Detected,1
config classification: string-detect,A Suspicious String was Detected,3
config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2
config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2
config classification: system-call-detect,A System Call was Detected,2
config classification: tcp-connection,A TCP Connection was Detected,4
config classification: trojan-activity,A Network Trojan was Detected, 1
config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2
config classification: sdf,Sensitive Data was Transmitted Across the Network,2
config classification: file-format,Known malicious file or file based exploit,1
config classification: malware-cnc,Known malware command and control traffic,1
config classification: client-side-exploit,Known client side exploit attempt,1

Here is my snort.config (Step #6).
###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

# unified2 
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp 

# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

# metadata reference data.  do not modify these lines
include C:\Snort\etc\classification.config
include C:\Snort\etc\reference.config

Thank you,
Felix
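The thread's problem is a rule whose classtype has no matching "config classification:" line in the included classification.config. The following check is an added example (not from the list or the Snort project); it parses a constructed classification.config in the same format as the file above, then reports, for each constructed rule, the effective priority, or None when the classtype is undefined, which is the case Snort refuses to load.

```python
import re

# Constructed sample in the classification.config format pasted above:
# config classification: shortname,short description,priority
CLASSIFICATION_CONFIG = """\
# comment lines and blanks are ignored
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: web-application-attack,Web Application Attack,1
config classification: trojan-activity,A Network Trojan was Detected, 1
"""

# Constructed sample rules; the second uses a classtype that the sample
# config above does not define, the third overrides its class default.
RULES = """\
alert tcp any any -> any 80 (msg:"WEB-ATTACK test"; content:"/etc/passwd"; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp any any -> any 25 (msg:"SMTP expn root"; content:"expn root"; nocase; classtype:attempted-recon; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"overridden priority"; classtype:bad-unknown; priority:4; sid:1000003; rev:1;)
"""

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]*),\s*(\d+)\s*$")
OPT_RE = re.compile(r"\b(classtype|priority|sid)\s*:\s*([^;]+);")

def parse_classifications(text):
    """Map shortname -> (description, default priority), skipping comments."""
    classes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CLASS_RE.match(line)
        if m:
            classes[m.group(1).strip()] = (m.group(2).strip(), int(m.group(3)))
    return classes

def check_rules(rules_text, classes):
    """Return [(sid, classtype, effective priority)] per rule.
    Priority is None when the classtype is not defined in classes."""
    results = []
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts = {k: v.strip() for k, v in OPT_RE.findall(line)}
        ct = opts.get("classtype")
        if ct in classes:
            # an explicit priority: option overrides the class default
            prio = int(opts["priority"]) if "priority" in opts else classes[ct][1]
        else:
            prio = None
        results.append((opts.get("sid"), ct, prio))
    return results
```

Run it against the real classification.config and rules files to list every sid whose classtype resolves to None before restarting the sensor.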

> Message: 2
> Date: Wed, 24 Sep 2014 09:51:14 +0100
> From: "Simon Wesseldine" <simon.wesseldine at ...3930...>
> Subject: Re: [Snort-sigs] Snort Rules Issues
> To: <snort-sigs at lists.sourceforge.net>
> Message-ID: <000601cfd7d4$b37d5dd0$1a781970$@wesseldine at ...3930...>
> Content-Type: text/plain; charset="us-ascii"
> 
> Hi Felix,
> 
> You should have the following line, in step 6 of your snort.conf file:
> 
> include classification.config
> 
> There should be a line in your classification.config file that looks like
> this:
> 
> config classification: web-application-attack,Web Application Attack,1
> 
> You may have an outdated classification.config file that does not include all
> the new classifications.
> 
> # NEW CLASSIFICATIONS
> config classification: rpc-portmap-decode,Decode of an RPC Query,2
> config classification: shellcode-detect,Executable Code was Detected,1
> config classification: string-detect,A Suspicious String was Detected,3
> config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2
> config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2
> config classification: system-call-detect,A System Call was Detected,2
> config classification: tcp-connection,A TCP Connection was Detected,4
> config classification: trojan-activity,A Network Trojan was Detected, 1
> config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2
> config classification: network-scan,Detection of a Network Scan,3
> config classification: denial-of-service,Detection of a Denial of Service Attack,2
> config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2
> config classification: protocol-command-decode,Generic Protocol Command Decode,3
> config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2
> config classification: web-application-attack,Web Application Attack,1
> config classification: misc-activity,Misc activity,3
> config classification: misc-attack,Misc Attack,2
> config classification: icmp-event,Generic ICMP event,3
> config classification: inappropriate-content,Inappropriate Content was Detected,1
> config classification: policy-violation,Potential Corporate Privacy Violation,1
> config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2
> config classification: sdf,Sensitive Data was Transmitted Across the Network,2
> config classification: file-format,Known malicious file or file based exploit,1
> config classification: malware-cnc,Known malware command and control traffic,1
> config classification: client-side-exploit,Known client side exploit attempt,1
> 
> I hope that helps.
> 
> Best regards,
> 
> Simon.
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Wed, 24 Sep 2014 08:37:34 -0400
> From: Joe Gedeon <joe.gedeon at ...2420...>
> Subject: [Snort-sigs] SID 31968 EXPLOIT-KIT Astrum exploit kit Adobe Flash exploit payload request
> To: snort-sigs at lists.sourceforge.net
> Message-ID: <CAM1A6KxG4WYMjxc-MpWX4iR-agi_uqhkqrv1QZ=iEvatybQxgA at ...2421...>
> Content-Type: text/plain; charset="utf-8"
> 
> With this new signature we are getting quite a few false positives for this
> signature.   Looking at the documentation linked in the signature it seems
> the section about not having a referrer was common in these.  Is there
> documentation that shows a recent version of the Astrum exploit kit is now
> accepting requests with referrers in the header?
> 
> "with Astrum : show a referer and you'll get ignored and IP banned.
> Firefox, Chrome and Opera are also ignored"
> 
> It seems this rule is completely missing the exploit attempt and is
> creating a high number of false positives.
> 
> A sample ascii packet that the rule is triggering on:
> 07:27:43.175856 IP (tos 0x0, ttl 127, id 19122, offset 0, flags [DF], proto
> TCP (6), length 1052)
>     192.168.1.28.58269 > 162.208.20.163.80: Flags [P.], cksum 0x617e
> (correct), seq 4175168287:4175169299, ack 3935329242, win 65280, length 1012
> E...J. at ...3957...[.P...a~..GET
> /v1/epix/6835069/3845993/81088/122369/PbqfCmHAMhCcRUIqqIAAE8wAAB3gEAOq9pAAAAAAAxr2GnBMbwAQ/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_JmMxPTgmYzI9NjAwMDAwNiZjMz04MTA4OCZjND0zODQ1OTkzJmM1PTE4OTI3JmM2PTY4MzUwNjkmYzEwPTEyMjM2OSZjdj0xLjcmY2o9MSZybj0xNDExNTU4MDI0JnI9aHR0cCUzQSUyRiUyRnBpeGVsLnF1YW50c2VydmUuY29tJTJGcGl4ZWwlMkZwLWNiNkMwekZGN2RXakkuZ2lmJTNGbGFiZWxzJTNEcC42ODM1MDY5LjM4NDU5OTMuMCUyQ2EuMTg5MjcuODEwODguMTIyMzY5JTJDdS45NjguNjQweDM2MCUzQm1lZGlhJTNEYWQlM0JyJTNEMTQxMTU1ODAyNA/cnbd.
> HTTP/1.1
> Accept: */*
> Accept-Language: en-US
> Referer:
> http://aka.spotxcdn.com/[[IMPORT]]/shim.btrll.com/shim/20140918.77768_master/Scout.swf?type=r&config_url_64=&hidefb=true&cx=&t=33&d=300x250&
> x-flash-version: 11,8,800,175
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
> Trident/5.0;)
> Host: brxserv-20.btrll.com
> Connection: Keep-Alive
> Cookie: BR_APS=3VCKma0IBTLsBp5UnPw; DRN1=AGQclFQlufQ;
> MEB=BUqRdAABPPEAOtI8AAHejA
> 
> 
> -- 
> Registered Linux User # 379282
> 
> ------------------------------
> 