[Snort-users] snort-2.8.0 losing port numbers on some alerts?

Jason Haar Jason.Haar at ...294...
Thu Nov 22 20:01:52 EST 2007


Hi there

I have just installed snort-2.8.0 under CentOS5 at home, with nearly
everything enabled, and it's triggering on the rule:

alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"MS-SQL probe
response overflow attempt"; content:"|05|"; depth:1;
byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative;
content:!"|3B|"; within:512; reference:bugtraq,9407;
reference:cve,2003-0903; reference:nessus,11990;
reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx;
classtype:attempted-user; sid:2329; rev:7;)

The problem is two-fold. For starters, sometimes the syslog and mysql
events generated *do not contain port numbers!* e.g. syslog reports

Nov 22 21:59:36 srv snort[28832]: [1:2329:7] MS-SQL probe response
overflow attempt [Classification: Attempted User Privilege Gain]
[Priority: 1]: <eth0> {UDP} 1x.y.z.3 -> 1x.y.z.6

Where's the ":YYYY"?

Sometimes in the same 1 sec period the same rule triggers again, with
the port numbers:

Nov 22 21:59:36 srv snort[28832]: [1:2329:7] MS-SQL probe response
overflow attempt [Classification: Attempted User Privilege Gain]
[Priority: 1]: <eth0> {UDP} 1x.y.z.3:2049 -> 1x.y.z.6:1023

And secondly, the two boxes mentioned are Linux boxes running NFS
between them - certainly not MS-SQL.

However, I think my first point is the one that implies a bug in snort.
An "alert udp" rule should NEVER be able to generate an event that
doesn't contain port numbers - I don't think it's possible to generate
UDP packets without port numbers ;-)

This looks like a bug to me rather than a rule FP?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
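As an added example (not part of the original post and not Snort's own code): a small Python parser for the syslog alert format quoted above that flags TCP/UDP alerts carrying no port numbers and, as the post describes, pairs each one with a same-second alert from the same rule and the same hosts that does carry ports. The log lines and addresses below are constructed, not real traffic.

```python
import re

# Constructed sample lines in the syslog format quoted in the post (addresses are made up).
SAMPLE_LOG = """\
Nov 22 21:59:36 srv snort[28832]: [1:2329:7] MS-SQL probe response overflow attempt [Classification: Attempted User Privilege Gain] [Priority: 1]: <eth0> {UDP} 10.0.0.3 -> 10.0.0.6
Nov 22 21:59:36 srv snort[28832]: [1:2329:7] MS-SQL probe response overflow attempt [Classification: Attempted User Privilege Gain] [Priority: 1]: <eth0> {UDP} 10.0.0.3:2049 -> 10.0.0.6:1023
Nov 22 22:00:01 srv snort[28832]: [1:2329:7] MS-SQL probe response overflow attempt [Classification: Attempted User Privilege Gain] [Priority: 1]: <eth0> {UDP} 10.0.0.3:2049 -> 10.0.0.6:1024
"""

# The ":port" suffixes are optional so that port-less lines like the first one still parse.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: [^\]]*\] \[Priority: (?P<pri>\d+)\]: "
    r"<\S+> \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Parse one Snort syslog alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["sport"] = int(a["sport"]) if a["sport"] else None
    a["dport"] = int(a["dport"]) if a["dport"] else None
    a["sid"] = int(a["sid"])
    a["pri"] = int(a["pri"])
    return a

def triage(text):
    """Mark TCP/UDP alerts that carry no ports and attach a same-second 'twin'
    (same sid, same hosts, ports present) when one exists, as the post describes."""
    alerts = [a for a in (parse_alert(l) for l in text.splitlines()) if a]
    for a in alerts:
        a["ports_missing"] = a["proto"] in ("TCP", "UDP") and (a["sport"] is None or a["dport"] is None)
        a["twin"] = None
        if a["ports_missing"]:
            for b in alerts:
                if (b is not a and b["ts"] == a["ts"] and b["sid"] == a["sid"]
                        and (b["src"], b["dst"]) == (a["src"], a["dst"])
                        and b["sport"] is not None and b["dport"] is not None):
                    a["twin"] = (b["sport"], b["dport"])
                    break
    return alerts

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        if a["ports_missing"]:
            print(f"{a['ts']} sid {a['sid']} {a['src']} -> {a['dst']}: no ports; twin ports={a['twin']}")
```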