[Snort-users] How to Triggering Windows Exploits?

Alan ids at ...8382...
Wed May 26 02:06:13 EDT 2004


Rob,

I have one more question on your email below-


I apologize for the redundancy... If I do not include the flow: to_server,
established part of the rule then Snort should alert me as soon as it matches a
signature hitting that particular port regardless of an established
connection. Is this correct?


Thanks!


Alan

I'm doing a (free) operating system (just a hobby, won't be big and
professional like gnu) for 386(486) AT clones.

Linus (torvalds at ...11786...)
Date: 1991-08-25 23:12:08 PST

-----Original Message-----
From: Alan [mailto:ids at ...8382...]
Sent: Tuesday, May 25, 2004 11:44 PM
To: Rob Schrack
Cc: snort-users at lists.sourceforge.net
Subject: RE: RE: [Snort-users] How to Triggering Windows Exploits?

Rob,

        Thank you for your reply!

This is what I was looking for. I apologize for my noobness on rules. I
haven't gotten to writing rules yet but hopefully I'll learn that in the
future. A quick question. Concerning the two generic rules you include at
the bottom of the email... because those rules aren't looking for any
particular signature within the packet, any packet either establishing a
session on port 445 in the case of the first rule or any packet hitting port
445 in the second rule would trigger an alert, correct? Also what is the
reasoning in including flow: to_server, established in rules? Thanks in
advance!



Alan


-----Original Message-----
From: Rob Schrack [mailto:rob_schrack at ...10758...]
Sent: Tuesday, May 25, 2004 4:07 PM
To: ids at ...8382...
Subject: Re: RE: [Snort-users] How to Triggering Windows Exploits?

It really depends on how a particular rule is written.  Take the following
rules:

alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Messenger
Service buffer overflow attempt"; content:"|04 00|"; offset:0; depth:2;
byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative;
byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative;
reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx;
reference:bugtraq,8826; reference:cve,CAN-2003-0717;
classtype:attempted-admin; sid:2257; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC
Messenger Service buffer overflow attempt"; flow:to_server,established;
content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|";
distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase;
distance:5; within:12; content:"|04 00|"; distance:0; within:2;
byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative;
byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative;
reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx;
reference:bugtraq,8826; reference:cve,CAN-2003-0717;
classtype:attempted-admin; sid:2258; rev:3;)

The first is a UDP rule.  Basically if you allow port 135 into your network
(or past the snort sensor), you should see an alert if a matching packet
flies by.
The 2nd is a TCP rule.  Notice the "flow" options just past the name of the
rule: "flow: to_server,established".  The 'established' option will only
trigger an alert on a packet that is part of an established session on port
445.  If you don't have a box listening on 445/tcp, there should never be an
established session, and you should never see an alert triggered.

If you get more generic,

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC
Messenger Service buffer overflow attempt"; flow:to_server,established;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC
Messenger Service buffer overflow attempt";)

The first would trigger on any established session on port 445/tcp,
regardless of what that service actually is.  The second would trigger on
ANY attempt on 445/tcp, like a SYN scan.

Hope that helps.
Rob


----- Original Message -----
From: <ids at ...8382...>
To: "Joshua Berry" <jberry at ...11848...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Tuesday, May 25, 2004 6:30 PM
Subject: Re: RE: [Snort-users] How to Triggering Windows Exploits?


> Hi Joshua,
>
> Your answer is a little bit different from what I was asking. Let me
> elaborate a little. Are the rules written in a way that requires a targeted
> computer to respond to an attack or something of that nature for Snort
> to issue an alert? I have yet to see my Snort sensor alert me to any MS
> exploits (various network worms such as Sasser, Blaster, etc.). I assumed
> the reason for this was because there are no Windows PCs connected to the
> network Snort is sensing on. Another test I ran to see if Snort would issue
> an alert was the Cisco exploits. I do not have any Cisco devices on my
> network but I attempted to trigger an alert by hitting an IP on the
> protected network with the Perl script. No alerts. Do I have to have the
> appropriate Cisco device to trigger the alert? Just a side note: I'm using
> the most current rules for Snort (including the rules to detect the Cisco
> exploits) for testing and information gathering.
>
>
> Any help on this I would greatly appreciate!
>
>
> Alan
>
> ----- Original Message -----
> From: Joshua Berry <jberry at ...11848...>
> Date: Tuesday, May 25, 2004 1:39 pm
> Subject: RE: [Snort-users] How to Triggering Windows Exploits?
>
> > Snort will not verify OS or Services running on the target machine
> > unless you patch it with something like the Attack Verification patch
> > that uses Nessus to verify actual vulnerabilities of the target.
> >
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [snort-users-admin at lists.sourceforge.net] On Behalf Of
> > ids at ...8382...
> > Sent: Tuesday, May 25, 2004 2:46 PM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] How to Triggering Windows Exploits?
> >
> > Hi everyone-
> >
> >
> > I have a simple question. Is it true that some Snort alerts are only
> > triggered if the target computer is vulnerable to that attack? To be a
> > little more specific... if an attack targets an exploit in Windows 2000
> > and I only have Linux running in my network, will Snort alert me to
> > those Windows attacks? The reason I ask is because I have a Snort
> > sensor detecting attacks against a Linux box running Apache. I
> > noticed that the only attacks I detect are SQL, HTTP and Linux
> > related. About a week ago for a brief time an associate put a
> > Windows 2k box off of the hub and I started to get hit with these
> > alerts I had never seen before (MS Exploits). I want to capture more
> > data on the amount of exploit attacks on Windows and was wondering,
> > for me to gather that data would I have to have a Windows computer on
> > the network Snort is sensing? Thanks in advance!
> >
> >
> > Alan
> >
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by: Oracle 10g
> > Get certified on the hottest thing ever to hit the market...
> > Oracle 10g.
> >
> > Take an Oracle 10g class now, and we'll give you the exam FREE.
> > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>
>
>
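An added example, not code from this thread or from Snort itself, modelling the behaviour Rob describes above: a toy Python evaluator runs his two generic 445/tcp rules (one with flow:to_server,established, one without) and the option chain of the UDP rule sid 2257 over a constructed packet sequence. The sids 1000001 and 1000002, the addresses, and the byte layout of the sample payload are made up for the example; the 3-way-handshake tracker and the byte_test/byte_jump/align arithmetic are approximations of Snort 2 semantics, not its real stream and detection engines.

```python
"""Toy model of Snort's 'flow:established' gate and of the sid 2257 option chain.
Added for this thread, not Snort code: relative byte_test/byte_jump and align are
approximated, and a bare 3-way-handshake tracker stands in for Snort's stream engine."""
from collections import namedtuple
from typing import List, Tuple

# proto is "tcp" or "udp"; flags are TCP flag letters ("S", "SA", "A", "PA").
Packet = namedtuple("Packet", "proto src dst flags payload", defaults=("", b""))
# A rule here is port match + optional flow gate + optional payload predicate.
Rule = namedtuple("Rule", "sid proto dport flow_established content", defaults=(False, None))

class StreamTracker:
    """A flow is established only after SYN, SYN/ACK and ACK were all seen."""
    def __init__(self) -> None:
        self.state = {}                                  # (client, server) -> state
    def update(self, p: Packet) -> None:
        if p.proto != "tcp":
            return
        key, rkey = (p.src, p.dst), (p.dst, p.src)
        if p.flags == "S":
            self.state[key] = "syn_sent"
        elif p.flags == "SA" and self.state.get(rkey) == "syn_sent":
            self.state[rkey] = "syn_received"            # nothing listening: never seen
        elif "A" in p.flags and self.state.get(key) == "syn_received":
            self.state[key] = "established"
    def established_to_server(self, p: Packet) -> bool:
        return self.state.get((p.src, p.dst)) == "established"

def _u32le(buf: bytes, off: int) -> int:
    if len(buf) < off + 4:
        raise IndexError("read past end of payload")
    return int.from_bytes(buf[off:off + 4], "little")

def _align4(n: int) -> int:                   # Snort 'align': round up to a 4-byte boundary
    return n if n % 4 == 0 else n + 4 - n % 4

def messenger_overflow_2257(payload: bytes) -> bool:
    """sid 2257's options after the port match; doe is the pointer 'relative' works from."""
    try:
        if payload[0:2] != b"\x04\x00":                  # content:"|04 00|"; offset:0; depth:2;
            return False
        doe = 2
        if payload[doe + 2] <= 15:                       # byte_test:1,>,15,2,relative
            return False
        start = doe + 86                                 # byte_jump:4,86,little,align,relative
        doe = start + 4 + _align4(_u32le(payload, start))
        start = doe + 8                                  # byte_jump:4,8,little,align,relative
        doe = start + 4 + _align4(_u32le(payload, start))
        return _u32le(payload, doe) > 1024               # byte_test:4,>,1024,0,little,relative
    except IndexError:                                   # a read past the payload is no match
        return False

def build_payload(final_len: int) -> bytes:
    """Constructed bytes the chain walks: jump 1 reads 0 at 88 (doe 92), jump 2 reads 5
    at 100, aligned to 8 (doe 112), the last byte_test reads final_len at 112."""
    buf = bytearray(128)
    buf[0:2] = b"\x04\x00"
    buf[4] = 0x20                                        # > 15 for the first byte_test
    buf[100:104] = (5).to_bytes(4, "little")
    buf[112:116] = final_len.to_bytes(4, "little")
    return bytes(buf)

# sid 2257 as posted; 1000001/1000002 are made-up local sids for Rob's two generic rules.
RULES = [
    Rule(2257, "udp", 135, content=messenger_overflow_2257),
    Rule(1000001, "tcp", 445, flow_established=True),
    Rule(1000002, "tcp", 445),
]

def evaluate(rules: List[Rule], packets: List[Packet]) -> List[Tuple[int, int]]:
    """Feed packets in order; return (packet index, sid) for every alert."""
    tracker, alerts = StreamTracker(), []
    for i, p in enumerate(packets):
        tracker.update(p)
        for r in rules:
            if r.proto != p.proto or r.dport != p.dst[1]:
                continue
            if r.flow_established and not tracker.established_to_server(p):
                continue
            if r.content is not None and not r.content(p.payload):
                continue
            alerts.append((i, r.sid))
    return alerts

# Constructed addresses: outside host, HOME_NET Linux box (nothing on 445/tcp), HOME_NET Windows box.
EXT, LINUX, WIN = ("198.51.100.7", 40000), ("192.0.2.10", 445), ("192.0.2.20", 445)

def scenario() -> List[Packet]:
    return [
        Packet("tcp", EXT, LINUX, "S"),                  # 0: SYN scan, never answered
        Packet("tcp", EXT, WIN, "S"),                    # 1: handshake with a real listener
        Packet("tcp", WIN, EXT, "SA"),                   # 2
        Packet("tcp", EXT, WIN, "A"),                    # 3: flow now established
        Packet("tcp", EXT, WIN, "PA", b"\xffSMB..."),     # 4: first request on the flow
        Packet("udp", EXT, (LINUX[0], 135), payload=build_payload(2048)),  # 5: fires 2257
        Packet("udp", EXT, (LINUX[0], 135), payload=build_payload(64)),    # 6: 64 <= 1024
    ]

if __name__ == "__main__":
    for idx, sid in evaluate(RULES, scenario()):
        print(f"packet {idx}: alert sid {sid}")
```

Running evaluate(RULES, scenario()) alerts on packets 0, 1, 3, 4 and 5. The SYN scan against the host with nothing on 445/tcp (packets 0 and 1) trips only the flow-less rule 1000002; rule 1000001 first fires on packet 3, once the Windows host has answered the SYN and the client's ACK completes the handshake; the UDP rule fires on packet 5 with no session at all, purely because the byte_test/byte_jump chain lines up, while packet 6 has the same layout but a length field of 64, so the final byte_test fails. A host that never completes the handshake therefore never produces an alert from an established-gated rule, which is the point of Rob's answer.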




