[Snort-users] Sig for openssl exploit

Shane Williams shanew at ...5387...
Mon Sep 16 11:04:08 EDT 2002


I've taken Brian Coyle's initial sig (which was really meant to detect
probing) and altered it to instead detect the actual attack.  The sid
is decremented to note the difference.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS https (msg:"OpenSSL worm attack"; flags:A+; content:"export TERM=xterm\; exec bash -i"; nocase; sid:9999998; classtype:web-application-attack; rev:1; reference:url,www.cert.org/advisories/CA-2002-27.html;)

I've tested this rule over two weeks of traffic and got one confirmed
positive, but no false positives.  I doubt there are any false negatives,
since there are no other signs of an infected machine in that time,
but it's possible.

Note that there appear to be a number of unique strings in this worm
attack, so I picked one of the first that was long enough and seemed
unique enough to work.  There is, in particular, a section of the
worm where it executes its first commands, but I decided that this
would be the first section to change if a new variant appears.

In any case, here's an excerpt from a dump showing the relevant
portions of the attack.

02:51:00.544318 p3EE22483.dip.t-dialin.net.4053 > legacy.gslis.utexas.edu.https:
 P 561:605(44) ack 1147 win 7630 <nop,nop,timestamp 56619696 256333814> (DF)
0x0000   4500 0060 56ac 4000 3106 1692 3ee2 2483        E..`V.@.1...>.$.
0x0010   8053 f8a1 0fd5 01bb 6a10 a982 b61f 10d1        .S......j.......
0x0020   8018 1dce 8bb3 0000 0101 080a 035f f2b0        ............._..
0x0030   0f47 57f6 5445 524d 3d78 7465 726d 3b20        .GW.TERM=xterm;.
0x0040   6578 706f 7274 2054 4552 4d3d 7874 6572        export.TERM=xter
0x0050   6d3b 2065 7865 6320 6261 7368 202d 690a        m;.exec.bash.-i.
02:51:00.584318 legacy.gslis.utexas.edu.https > p3EE22483.dip.t-dialin.net.4053:
 . ack 605 win 6432 <nop,nop,timestamp 256333835 56619696> (DF)
0x0000   4500 0034 5bdf 4000 4006 028b 8053 f8a1        E..4[.@.@....S..
0x0010   3ee2 2483 01bb 0fd5 b61f 10d1 6a10 a9ae        >.$.........j...
0x0020   8010 1920 37a1 0000 0101 080a 0f47 580b        ....7........GX.
0x0030   035f f2b0                                      ._..
02:51:00.614318 legacy.gslis.utexas.edu.https > p3EE22483.dip.t-dialin.net.4053:
 P 1147:1182(35) ack 605 win 6432 <nop,nop,timestamp 256333837 56619696> (DF)
0x0000   4500 0057 5be0 4000 4006 0267 8053 f8a1        E..W[.@.@..g.S..
0x0010   3ee2 2483 01bb 0fd5 b61f 10d1 6a10 a9ae        >.$.........j...
0x0020   8018 1920 49f3 0000 0101 080a 0f47 580d        ....I........GX.
0x0030   035f f2b0 6261 7368 3a20 6e6f 206a 6f62        ._..bash:.no.job
0x0040   2063 6f6e 7472 6f6c 2069 6e20 7468 6973        .control.in.this
0x0050   2073 6865 6c6c 0a                              .shell.
02:51:00.794318 p3EE22483.dip.t-dialin.net.4053 > legacy.gslis.utexas.edu.https:
 P 605:1457(852) ack 1147 win 7630 <nop,nop,timestamp 56619716 256333835> (DF)
0x0000   4500 0388 56ad 4000 3106 1369 3ee2 2483        E...V.@.1..i>.$.
0x0010   8053 f8a1 0fd5 01bb 6a10 a9ae b61f 10d1        .S......j.......
0x0020   8018 1dce 0945 0000 0101 080a 035f f2c4        .....E......._..
0x0030   0f47 580b 726d 202d 7266 202f 746d 702f        .GX.rm.-rf./tmp/
0x0040   2e62 7567 7472 6171 2e63 3b63 6174 203e        .bugtraq.c;cat.>
0x0050   202f 746d 702f 2e75 7562 7567 7472 6171        ./tmp/.uubugtraq
0x0060   203c 3c20 5f5f 656f 665f 5f3b 0a62 6567        .<<.__eof__;.beg
0x0070   696e 2036 3535 202e 6275 6774 7261 712e        in.655..bugtraq.
0x0080   630a 4d2b 5248 4a2a 4248 4a2a 4248 4a2a        c.M+RHJ*BHJ*BHJ*
0x0090   4248 4a2a 4248 4a2a 4248 4a2a 4248 4a2a        BHJ*BHJ*BHJ*BHJ*
0x00a0   4248 4a2a 4248 4a2a 4248 4a2a 4248 4a2a        BHJ*BHJ*BHJ*BHJ*
0x00b0   4248 4a2a 4248 4a2a 4248 4a2a 4248 4a0a        BHJ*BHJ*BHJ*BHJ.
0x00c0   4d2a 4248 4a2a 4248 4a2a 4248 4a2a 4248        M*BHJ*BHJ*BHJ*BH
0x00d0   4a2a 4248 4a2a 4248 4a2a 4248 4a2a 4248        J*BHJ*BHJ*BHJ*BH
0x00e0   4a2a 4248 4a2a 4248 4a2a 4248 2d22 425c        J*BHJ*BHJ*BH-"B\
0x00f0   604a 2822 5c60 4028 225c 6040 2822 5c60        `J("\`@("\`@("\`
0x0100   400a 4d28 225c 6040 2822 5c60 4028 225c        @.M("\`@("\`@("\
0x0110   6040 2822 5c60 4028 225c 6040 2822 5c60        `@("\`@("\`@("\`
0x0120   4028 225c 6040 2822 5c60 4028 225c 6040        @("\`@("\`@("\`@
0x0130   2822 5c60 4028 225c 6040 2822 5c60 4028        ("\`@("\`@("\`@(
0x0140   225c 6040 2822 5c60 4028 225c 6040 0a4d        "\`@("\`@("\`@.M
0x0150   2822 5c60 4028 225c 6040 2822 5c60 4028        ("\`@("\`@("\`@(


-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |                               
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew at ...5387...
Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew
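The following is an added example, not part of Shane's post or of Snort itself: a small Python matcher that applies the three conditions of the rule above (TCP to port 443, ACK flag set as `flags:A+` requires, and the `content` string present in the payload regardless of case) to packets reassembled from `tcpdump -x` output. The sample dump embedded in it is the first and third packets of the excerpt in the post (the shell command going to the server, and the server's "no job control" reply coming back), so one should fire and one should not. The parser assumes the classic tcpdump layout of an offset, up to eight 16-bit hex groups, then an ASCII column, and it decodes only IPv4/TCP, which is all the rule needs.

```python
import re

# The rule's content option, decoded: the backslash in "xterm\;" only escapes
# the semicolon for Snort's rule parser; the bytes on the wire have no backslash.
RULE_CONTENT = b"export TERM=xterm; exec bash -i"
RULE_DST_PORT = 443          # "https" in the rule header
TCP_ACK = 0x10               # flags:A+ -> ACK must be set, other bits may be too

# Constructed sample: packets 1 and 3 of the tcpdump excerpt in the post
# (attacker -> server with the shell command; server -> attacker bash error).
SAMPLE_DUMP = """\
02:51:00.544318 p3EE22483.dip.t-dialin.net.4053 > legacy.gslis.utexas.edu.https:
 P 561:605(44) ack 1147 win 7630 <nop,nop,timestamp 56619696 256333814> (DF)
0x0000   4500 0060 56ac 4000 3106 1692 3ee2 2483        E..`V.@.1...>.$.
0x0010   8053 f8a1 0fd5 01bb 6a10 a982 b61f 10d1        .S......j.......
0x0020   8018 1dce 8bb3 0000 0101 080a 035f f2b0        ............_..
0x0030   0f47 57f6 5445 524d 3d78 7465 726d 3b20        .GW.TERM=xterm;.
0x0040   6578 706f 7274 2054 4552 4d3d 7874 6572        export.TERM=xter
0x0050   6d3b 2065 7865 6320 6261 7368 202d 690a        m;.exec.bash.-i.
02:51:00.614318 legacy.gslis.utexas.edu.https > p3EE22483.dip.t-dialin.net.4053:
 P 1147:1182(35) ack 605 win 6432 <nop,nop,timestamp 256333837 56619696> (DF)
0x0000   4500 0057 5be0 4000 4006 0267 8053 f8a1        E..W[.@.@..g.S..
0x0010   3ee2 2483 01bb 0fd5 b61f 10d1 6a10 a9ae        >.$.........j...
0x0020   8018 1920 49f3 0000 0101 080a 0f47 580d        ....I........GX.
0x0030   035f f2b0 6261 7368 3a20 6e6f 206a 6f62        ._..bash:.no.job
0x0040   2063 6f6e 7472 6f6c 2069 6e20 7468 6973        .control.in.this
0x0050   2073 6865 6c6c 0a                              .shell.
"""

PKT_HEADER = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
HEX_LINE = re.compile(r"^0x[0-9a-fA-F]{4}\s+(.*)$")
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")


def parse_tcpdump_hex(text):
    """Reassemble raw IP packets from 'tcpdump -x' output.

    A line starting with a timestamp begins a new packet; each '0x....' line
    contributes at most eight hex groups (the ASCII column after them is
    skipped by stopping at the first token that is not 2 or 4 hex digits).
    Returns a list of (header_line, packet_bytes)."""
    packets = []
    for line in text.splitlines():
        if PKT_HEADER.match(line):
            packets.append([line.strip(), bytearray()])
            continue
        m = HEX_LINE.match(line)
        if m and packets:
            for tok in m.group(1).split()[:8]:
                if not HEX_TOKEN.match(tok):
                    break
                packets[-1][1] += bytes.fromhex(tok)
    return [(hdr, bytes(body)) for hdr, body in packets]


def decode_ipv4_tcp(pkt):
    """Extract the fields the rule header and flags option look at.
    Returns None for anything that is not IPv4 carrying TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                 # IP header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 20:    # protocol 6 = TCP
        return None
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4                 # TCP header length (options included)
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "sport": int.from_bytes(tcp[0:2], "big"),
        "dport": int.from_bytes(tcp[2:4], "big"),
        "flags": tcp[13],
        "payload": tcp[doff:],
    }


def rule_matches(fields):
    """Apply the post's rule: TCP to port 443, ACK set (flags:A+), content
    present anywhere in the payload case-insensitively (nocase).
    Returns the payload offset of the match, or -1 when the rule does not fire."""
    if fields is None or fields["dport"] != RULE_DST_PORT:
        return -1
    if not fields["flags"] & TCP_ACK:
        return -1
    return fields["payload"].lower().find(RULE_CONTENT.lower())


def scan(text):
    """Run the rule over a whole dump; one (src, sport, dst, dport, offset) per hit."""
    alerts = []
    for _header, raw in parse_tcpdump_hex(text):
        fields = decode_ipv4_tcp(raw)
        off = rule_matches(fields)
        if off >= 0:
            alerts.append((fields["src"], fields["sport"],
                           fields["dst"], fields["dport"], off))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_DUMP):
        print("OpenSSL worm attack: %s:%d -> %s:%d (content at payload offset %d)" % alert)
```

Run as-is it reports the first packet only: the content string sits at payload offset 12, after the leading `TERM=xterm; ` that precedes it on the wire, while the server's reply goes to port 4053 and carries no such string. Note that this matcher, like the Snort rule, inspects one packet at a time; a command split across two segments would not be seen by either.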