[Snort-users] BO in snmpXdmid (Solaris)

jh jh at ...1121...
Tue Apr 3 00:21:25 EDT 2001


holger.bumke at ...1216... wrote:
> 
> As I'm not deep enough in the snmp-stuff, I'd like to know if anyone in
> this group has already made a rule for snort or has some input on this
> thing, so that we can develop the rule together.


We've recently seen the nasty side of this exploit where I work. Our IDS
has captured bits of what is sent, which could likely be used as a
signature:


45 00 05 dc b1 c5 40 00 30 06 ab d1 d2 9d 01 d7 xx xx xx xx
E.....@.0...........
02 df 80 06 9f 48 19 8c 3b 3f dc d2 80 18 7d 78 29 7a 00 00
.....H..;?....}x)z..
01 01 08 0a b3 c5 92 be 18 62 d9 d5 00 00 0f 9c 35 cc 89 69
.........b......5..i
00 00 00 00 00 00 00 02 00 01 87 99 00 00 00 01 00 00 01 01
....................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
....................
00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
....................
00 00 00 18 00 00 00 01 00 00 04 f0 ff ff ff fe ff ff ff a0
....................
ff ff ff b5 ff ff ff e4 00 00 00 00 00 00 00 00 00 00 00 00
....................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
....................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
....................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
....................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
....................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
....................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
....................
00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 80 00 00 00 1c
....................
00 00 00 40 00 00 00 11 ff ff ff 80 00 00 00 1c 00 00 00 40
...@...............@
00 00 00 11 ff ff ff 80 00 00 00 1c 00 00 00 40 00 00 00 11
...............@....
ff ff ff 80 00 00 00 1c 00 00 00 40 00 00 00 11 ff ff ff 80
...........@........
00 00 00 1c 00 00 00 40 00 00 00 11 ff ff ff 80 00 00 00 1c
.......@............
00 00 00 40 00 00 00 11 ff ff ff 80 00 00 00 1c 00 00 00 40
...@...............@
00 00 00 11 ff ff ff 80 00 00 00 1c 00 00 00 40 00 00 00 11
...............@....
ff ff ff 80 00 00 00 1c 00 00 00 40 00 00 00 11 ff ff ff 80
...........@........
00 00 00 1c 00 00 00 40 00 00 00 11 ff ff ff 80 00 00 00 1c
.......@............
00 00 00 40 00 00 00 11 ff ff ff 80 00 00 00 1c 00 00 00 40
...@...............@
00 00 00 11 ff ff ff 80 00 00 00 1c 00 00 00 40 00 00 00 11
...............@....
ff ff ff 80 00 00 00 1c 00 00 00 40 00 00 00 11 ff ff ff 80
...........@........
00 00 00 1c 00 00 00 40 00 00 00 11 ff ff ff 80 00 00 00 1c
.......@............
00 00 00 40 00 00 00 11 ff ff ff 80 00 00 00 1c 00 00 00 40
...@...............@
00 00 00 11 ff ff ff 80 00 00 00 1c 00 00 00 40 00 00 00 11
...............@....
ff ff ff 80 00 00 00 1c 00 00 00 40 00 00 00 11 ff ff ff 80
...........@........
00 00 00 1c 00 00 00 40 00 00 00 11 ff ff ff 80 00 00 00 1c
.......@............
00 00 00 40 00 00 00 11 ff ff ff 80 00 00 00 1c 00 00 00 40
...@...............@
00 00 00 11 ff ff ff 80 00 00 00 1c 00 00 00 40 00 00 00 11
...............@....
ff ff ff 80 00 00 00 1c 00 00 00 40 00 00 00 11 ff ff ff 80
...........@........
00 00 00 1c 00 00 00 40 00 00 00 11 ff ff ff 80 00 00 00 1c
.......@............
00 00 00 40 00 00 00 11 ff ff ff 80 00 00 00 1c 00 00 00 40
...@...............@
00 00 00 11 ff ff ff 80 00 00 00 1c 00 00 00 40 00 00 00 11
...............@....
ff ff ff 80 00 00 00 1c 00 00 00 40 00 00 00 11 ff ff ff 80
...........@........
00 00 00 1c 00 00 00 40 00 00 00 11 ff ff ff 80 00 00 00 1c
.......@............
00 00 00 40 00 00 00 11 ff ff ff 80 00 00 00 1c 00 00 00 40
...@...............@
00 00 00 11 ff ff ff 80 00 00 00 1c 00 00 00 40 00 00 00 11
...............@....
ff ff ff 80 00 00 00 1c 00 00 00 40 00 00 00 11 ff ff ff 80
...........@........
45 00 05 dc b1 c5 40 00 30 06 ab d1 d2 9d 01 d7 d1 71 41 9f
E.....@.0........qA.
02 df 80 06 9f 48 19 8c 3b 3f dc d2 80 18 7d 78 29 7a 00 00
.....H..;?....}x)z..

[repeats, ad nauseam]. I haven't seen anything much other than this,
i.e. no /bin/ksh or whatever.

This repetition looks a lot like a bunch of NOPs. In fact, the Solaris NOP
is 80 1c 40 11. What's above there looks just like that with some NULLs
thrown in the mix. Tossing together a rule like:

|80 00 00 00 1c 00 00 00 40 00 00 00 11 ff ff ff [a couple more
repeats]| 

should catch this. There's also what Brian Caswell has posted to
snort-sigs.

/jh
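The dump in the post above carries more than the sled, and a decoder makes the pieces visible. Following the IP header (20 bytes) and the TCP header with its timestamp options (32 bytes), the payload starts with a 4-byte RPC record marker (00 00 0f 9c) and then a standard ONC RPC call header: XID 35 cc 89 69, message type 0 (CALL), RPC version 2, program 00 01 87 99 (100249, the snmpXdmid program number), program version 1, procedure 257, and AUTH_NULL credentials and verifier. The "NULLs thrown in the mix" are XDR: each byte of the 80 1c 40 11 NOP is sent as a 32-bit big-endian integer, so 0x80 sign-extends to ff ff ff 80 and the three positive bytes zero-extend, giving the 16-byte unit ff ff ff 80 00 00 00 1c 00 00 00 40 00 00 00 11 that repeats 34 full times in the captured fragment. The Python below, an added example written for this page and not code from the poster or from Snort, rebuilds the packet from the dump, parses it, measures the sled, and prints a rule sketch. Two assumptions are marked in the code: the four masked destination-address bytes (xx) are set to zero, and the tail is reconstructed from the 34 repeats the dump shows before it is cut off; the rule text is an illustration of the content matches, not a rule from any ruleset.

```python
"""Decode the snmpXdmid RPC call captured in the dump above and score its
payload for the XDR-encoded NOP sled.  Added example for this page; it is
not the poster's code and not a rule or tool from the Snort project.

The packet is transcribed from the first fragment of the dump (20-byte
lines).  Assumptions, also marked inline: the four masked destination
address bytes ('xx') are zero here, and the tail is rebuilt from the 34
full sled repeats the dump shows before the capture is cut off.
"""
import struct

# One sled unit as seen on the wire: the four bytes 80 1c 40 11, each
# carried as a 32-bit big-endian XDR integer (0x80 sign-extends to
# ff ff ff 80; the three positive bytes zero-extend to 00 00 00 xx).
NOP_UNIT = bytes.fromhex("ffffff80" "0000001c" "00000040" "00000011")

# RPC program field of the call in the dump (00 01 87 99) = 100249, snmpXdmid.
SNMPXDMID_PROG = 0x18799


def build_captured_packet() -> bytes:
    """Constructed input: the captured packet as shown in the post."""
    head = bytes.fromhex(
        "45 00 05 dc b1 c5 40 00 30 06 ab d1 d2 9d 01 d7 00 00 00 00 "  # IP hdr; 'xx xx xx xx' -> zeros (assumption)
        "02 df 80 06 9f 48 19 8c 3b 3f dc d2 80 18 7d 78 29 7a 00 00 "  # TCP hdr, data offset 8 (32 bytes)
        "01 01 08 0a b3 c5 92 be 18 62 d9 d5 00 00 0f 9c 35 cc 89 69 "  # TCP options, RPC record marker, XID
        "00 00 00 00 00 00 00 02 00 01 87 99 00 00 00 01 00 00 01 01 "  # CALL, RPC v2, prog, vers, proc
        "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "  # AUTH_NULL cred/verf, first arg word
        "00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 "
        "00 00 00 18 00 00 00 01 00 00 04 f0 ff ff ff fe ff ff ff a0 "
        "ff ff ff b5 ff ff ff e4"
    )
    # 144 zero bytes follow in the dump, then the sled: 34 whole units
    # plus the first 4 bytes of the 35th, where the fragment ends.
    return head + bytes(144) + NOP_UNIT * 34 + NOP_UNIT[:4]


def parse_rpc_call(pkt: bytes) -> dict:
    """Walk IP -> TCP -> RPC record marker -> ONC RPC call header."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4            # TCP header length incl. options
    payload = tcp[doff:]
    marker, xid, msg_type, rpcvers, prog, vers, proc = struct.unpack("!7I", payload[:28])
    cred_flavor, cred_len = struct.unpack("!II", payload[28:36])
    verf_off = 36 + ((cred_len + 3) & ~3)          # XDR opaque is 4-byte padded
    verf_flavor, verf_len = struct.unpack("!II", payload[verf_off:verf_off + 8])
    args_off = verf_off + 8 + ((verf_len + 3) & ~3)
    return {
        "sport": sport, "dport": dport,
        "last_fragment": bool(marker & 0x80000000),
        "fragment_len": marker & 0x7FFFFFFF,
        "xid": xid, "msg_type": msg_type, "rpcvers": rpcvers,
        "prog": prog, "vers": vers, "proc": proc,
        "cred_flavor": cred_flavor, "verf_flavor": verf_flavor,
        "args": payload[args_off:],
    }


def longest_unit_run(data: bytes, unit: bytes = NOP_UNIT) -> int:
    """Length, in units, of the longest back-to-back repeat of `unit`."""
    best, i = 0, data.find(unit)
    while i != -1:
        run = 0
        while data.startswith(unit, i):
            run += 1
            i += len(unit)
        best = max(best, run)
        i = data.find(unit, i)
    return best


def xdr_ints_to_bytes(data: bytes) -> bytes:
    """Undo the per-byte XDR int encoding: ff ff ff 80 -> 80, 00 00 00 1c -> 1c."""
    n = len(data) // 4
    return bytes(v & 0xFF for v in struct.unpack(f"!{n}i", data[:n * 4]))


def snort_content(raw: bytes) -> str:
    return "|" + " ".join(f"{b:02x}" for b in raw) + "|"


def snort_rule(min_repeats: int = 3) -> str:
    """Rule sketch (illustration only): program number plus a run of sled units."""
    prog = struct.pack("!I", SNMPXDMID_PROG)
    return ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
            '(msg:"snmpXdmid request carrying XDR-encoded NOP sled"; '
            f'content:"{snort_content(prog)}"; '
            f'content:"{snort_content(NOP_UNIT * min_repeats)}";)')


def classify(pkt: bytes, min_repeats: int = 3) -> dict:
    """Alert only when the call targets snmpXdmid AND carries a sled run."""
    call = parse_rpc_call(pkt)
    call["nop_run"] = longest_unit_run(call["args"])
    call["alert"] = call["prog"] == SNMPXDMID_PROG and call["nop_run"] >= min_repeats
    return call


if __name__ == "__main__":
    r = classify(build_captured_packet())
    print(f"{r['sport']} -> {r['dport']}  prog={r['prog']} vers={r['vers']} proc={r['proc']}")
    print(f"sled units in a row: {r['nop_run']}  alert={r['alert']}")
    print("decoded sled unit:", xdr_ints_to_bytes(NOP_UNIT).hex())
    print(snort_rule())
```

Matching on the sled bytes alone is the fragile half of this: a different NOP-equivalent instruction, or a shorter sled, changes every byte of the content match, whereas the program number 00 01 87 99 and an oversize argument are what the overflow itself needs. That is why `classify` requires both, and why the decoder exposes `proc` and the argument length rather than only the sled count.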