[Snort-users] Exploits not being reported

Arvind Clemente arvind at ...4127...
Fri Nov 30 04:14:05 EST 2001

Hi All,
    I have a snort box up and running and it is logging everything to a mysql
database. It can detect portscans from NMAP, Nimda viruses etc. But it
could not detect the wu-ftpd exploit and the rpc-statd exploit. Also it did not
detect portscans done with the LANGuard network scanner running on NT.
Following are the details.

I have my snort box running on a hub and have created 3 nodes in the
network to experiment with the same. Two nodes are running Redhat 6.2,
and one node is on Windows NT. I have loaded LANGuard Network scanner
on my NT machine and whenever I scan the ports on the other two linux
machines it does not report. My first step to diagnose this problem was
to port scan my snort box itself; with this also it did not report. My
next step, I used NMAP for portscanning and it reported. Therefore the config
within snort is proper (I presume).

I have with me the rpc-statd exploit and the wu-ftpd exploit, where both
give root access to the machine. Whenever I try to run this exploit the
snort box detects it as
ATTACK RESPONSES id check returned root
If you analyse the payload it says

length = 52

       000 : 75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D   uid=0(root) gid=
       010 : 30 28 72 6F 6F 74 29 20 65 67 69 64 3D 35 30 28   0(root) egid=50(
       020 : 66 74 70 29 20 67 72 6F 75 70 73 3D 35 30 28 66   ftp) groups=50(f
       030 : 74 70 29                                          tp)

That means snort will report this error whenever it sees the above. To
confirm, I telneted to the redhat machine, got access as root and ran id
at the prompt, and sure enough it detected it.

Can anybody throw some light on this, as to why it could not detect this
alert? Do I need to add a rule to the rule file etc.? This attack was
targeted on my linux box and the black-hat planted TORnkit, but luckily I
detected it (without snort, because it would not allow me to log in with
my id) and disconnected this m/c from the net. Now I want to use snort as
my IDS.

I am running snort-1.8.2 and the latest snortrules.

Thanks in advance


Arvind Clemente
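As an added illustration (not part of Arvind's post and not Snort's own code), the Python below decodes the payload dump quoted in the message and applies the same kind of plain content match that the "ATTACK RESPONSES id check returned root" rule performs; the rule's content is taken here to be the string uid=0(root), which is what the quoted payload begins with. Run over a few constructed payloads, it shows why the alert fires equally on the exploit's output and on an administrator typing id over telnet: the rule matches the response text, not the exploit traffic. The hex rows are copied from the post with the ASCII column removed; the function names and the other sample payloads are constructed.

```python
"""Decode a Snort payload dump and apply a plain content match.

Added example; not from the original mailing-list post and not Snort's
own code. Function names and the sample payloads below are constructed.
"""
import re
from typing import Dict, Optional

# Hex rows copied from the alert quoted in the post (ASCII column dropped).
# Only the bytes visible in those rows are decoded.
SNORT_DUMP = """\
000 : 75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D
010 : 30 28 72 6F 6F 74 29 20 65 67 69 64 3D 35 30 28
020 : 66 74 70 29 20 67 72 6F 75 70 73 3D 35 30 28 66
030 : 74 70 29
"""

# Content the "id check returned root" rule is assumed to look for,
# and the alert message it raises (taken from the post).
ROOT_ID_CONTENT = b"uid=0(root)"
ALERT_MSG = "ATTACK RESPONSES id check returned root"

# One hex row: 3-digit offset, colon, then two-digit hex bytes.
_HEX_ROW = re.compile(r"^\s*([0-9A-Fa-f]{3})\s*:\s*((?:[0-9A-Fa-f]{2}\s*)+)$")


def decode_hex_dump(dump: str) -> bytes:
    """Turn Snort's 'offset : bytes' rows back into the raw payload.

    Rows that are not hex rows (wrapped ASCII columns, blank lines) are
    skipped; a gap or overlap in the offsets raises instead of silently
    producing a wrong payload.
    """
    payload = bytearray()
    for line in dump.splitlines():
        m = _HEX_ROW.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(payload):
            raise ValueError(f"dump not contiguous at offset 0x{offset:03x}")
        payload += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(payload)


def content_match(payload: bytes, content: bytes = ROOT_ID_CONTENT) -> bool:
    """A Snort 'content:' option with no offset/depth is a substring search."""
    return content in payload


def classify(payload: bytes) -> Optional[str]:
    """Return the alert message this payload would raise, or None."""
    return ALERT_MSG if content_match(payload) else None


# Constructed sample payloads: the id output from the post, the same
# command typed by an administrator over telnet, and an unprivileged id.
SAMPLES: Dict[str, bytes] = {
    "exploit response (from post)": decode_hex_dump(SNORT_DUMP),
    "admin running id over telnet": b"uid=0(root) gid=0(root) groups=0(root)\r\n",
    "unprivileged user running id": b"uid=500(user) gid=500(user) groups=500(user)\r\n",
}


def run_samples() -> Dict[str, Optional[str]]:
    """Classify every sample payload; used by the demo below."""
    return {name: classify(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    print("decoded payload:", decode_hex_dump(SNORT_DUMP).decode("ascii"))
    for name, verdict in run_samples().items():
        print(f"{name:30s} -> {verdict or 'no alert'}")
```

The decoded payload reads uid=0(root) gid=0(root) egid=50(ftp) groups=50(ftp); the effective group ftp shows the shell that produced it was running under the ftp service's group. Because the match is on this response text, the rule is a post-compromise indicator: it confirms that something returned root, but says nothing about how. Detecting the exploit itself needs a rule that matches the attack's own request content, which is the question the post raises.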

