[Snort-users] False Negatives in Snort

Dheeraj Gupta dheeraj.gupta4 at ...11827...
Wed Jul 6 04:58:47 EDT 2011


Hi,
Turns out Snort was discarding packets (IP4Disc) so no alerts were logged. I
set the snaplen to 3000 using the -P option and now the MS04-007 signature fires
well. However, the chunked encoding one still does not fire and the only
alerts I get are about shellcode.

On Mon, Jun 27, 2011 at 9:34 PM, Bhagya Bantwal <bbantwal at ...1935...> wrote:

>
> Can you provide with a sample pcap for this issue?
>
> -B
> On Fri, Jun 24, 2011 at 7:29 AM, Dheeraj Gupta <dheeraj.gupta4 at ...11827...> wrote:
>
>> For my project, I need to generate some dummy attack traffic, so I decided
>> to use an old Windows XP system (unpatched) and ran a few commercial/open
>> source exploits on it. While most of the attempts were flagged by Snort, two
>> in particular were entirely missed. Ironically, they were also successful
>> and returned a shell to the system
>>
>> *Apache Chunked Encoding* - A very old flaw in Apache 1.3.19 (I am
>> running that old version just for the sake of vulnerabilities). OSVDB entry -
>> http://osvdb.org/show/osvdb/838
>> My snort.conf has the following entries for the gzip related part
>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>> compress_depth 65535 decompress_depth 65535
>> preprocessor http_inspect_server: server default \
>>     chunk_length 500000 \
>>     server_flow_depth 0 \
>>     client_flow_depth 0 \
>>     post_depth 65495 \
>>     oversize_dir_length 500 \
>>     max_header_length 750 \
>>     max_headers 100 \
>>     ports { 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702
>> 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888
>> 9090 9091 9443 9999 11371 } \
>>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>     enable_cookie \
>>     extended_response_inspection \
>>     inspect_gzip \
>>     normalize_utf \
>>     unlimited_decompress \
>>     apache_whitespace no \
>>     ascii no \
>>     bare_byte no \
>>     base36 no \
>>     directory no \
>>     double_decode no \
>>     iis_backslash no \
>>     iis_delimiter no \
>>     iis_unicode no \
>>     multi_slash no \
>>     utf_8 no \
>>     u_encode yes \
>>     webroot no
>>
>> MS04-007 - OSVDB entry - http://osvdb.org/show/osvdb/3902
>>
>> All the snort signatures that are mentioned in the OSVDB entries are
>> enabled and I have restarted snort after enabling the signatures. However,
>> the successful attempts are not being flagged.
>> For Apache chunked encoding I used Metasploit and a commercial product,
>> while for MS04-007 I used the commercial product to attack through port 445.
>>
>> Any ideas?
>>
>> Dheeraj
>>
>>
>
>


-- 
To iterate is human. To recurse, divine!
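The reply at the top of this thread traces the missing alerts to Snort discarding packets until the snaplen was raised with -P. The check below is an added example, not code from the original message or from Snort: it parses a classic pcap file (not pcapng), compares each record's captured length against its on-the-wire length, and reports how many packets were cut short by the capture snaplen and what snaplen would have captured everything. The sample pcap is constructed in memory so the script runs offline; the packet sizes in it are made up for illustration.

```python
import struct

# Classic pcap magic numbers as read with little-endian byte order. Reading a
# big-endian file with "<I" yields the byte-swapped value, which is how the
# file's endianness is detected. 0xA1B23C4D is the nanosecond-resolution variant.
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE_SWAPPED = 0xD4C3B2A1
PCAP_MAGIC_NS_LE = 0xA1B23C4D
PCAP_MAGIC_NS_BE_SWAPPED = 0x4D3CB2A1

GLOBAL_HEADER_FMT = "IHHiIII"   # magic, major, minor, tz, sigfigs, snaplen, linktype
RECORD_HEADER_FMT = "IIII"      # ts_sec, ts_usec, incl_len, orig_len


def build_pcap(snaplen, wire_lengths):
    """Constructed sample: a minimal little-endian Ethernet pcap whose packets
    have the given on-the-wire lengths, truncated to snaplen the way a capture
    tool would. Payload bytes are zeros; only the lengths matter here."""
    out = bytearray(struct.pack("<" + GLOBAL_HEADER_FMT,
                                PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1))
    for i, orig_len in enumerate(wire_lengths):
        incl_len = min(orig_len, snaplen)
        out += struct.pack("<" + RECORD_HEADER_FMT, 1000 + i, 0, incl_len, orig_len)
        out += b"\x00" * incl_len
    return bytes(out)


def truncation_report(pcap_bytes):
    """Walk every record in a classic pcap and count packets whose captured
    length is smaller than their wire length (i.e. cut short by the snaplen).
    Returns a dict with the file's snaplen, packet counts, the largest wire
    length seen and the snaplen that would have avoided truncation."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic in (PCAP_MAGIC_LE, PCAP_MAGIC_NS_LE):
        endian = "<"
    elif magic in (PCAP_MAGIC_BE_SWAPPED, PCAP_MAGIC_NS_BE_SWAPPED):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")

    header = struct.unpack_from(endian + GLOBAL_HEADER_FMT, pcap_bytes, 0)
    snaplen = header[5]
    offset = struct.calcsize(GLOBAL_HEADER_FMT)

    total = truncated = max_wire = 0
    while offset + struct.calcsize(RECORD_HEADER_FMT) <= len(pcap_bytes):
        _, _, incl_len, orig_len = struct.unpack_from(endian + RECORD_HEADER_FMT,
                                                      pcap_bytes, offset)
        offset += struct.calcsize(RECORD_HEADER_FMT) + incl_len
        total += 1
        max_wire = max(max_wire, orig_len)
        if incl_len < orig_len:
            truncated += 1

    return {
        "snaplen": snaplen,
        "packets": total,
        "truncated": truncated,
        "max_wire_len": max_wire,
        # A snaplen at least as large as the biggest frame captures everything;
        # this is the value one would pass to Snort's -P for this traffic.
        "suggested_snaplen": max(snaplen, max_wire),
    }


if __name__ == "__main__":
    # Constructed sample: a 1514-byte snaplen facing a mix of small frames and
    # two jumbo/reassembled frames that do not fit, as happens when a sensor is
    # left at an Ethernet-sized snaplen on a link carrying larger frames.
    sample = build_pcap(1514, [60, 1514, 3000, 9000])
    print(truncation_report(sample))
```

Run it against a real capture by replacing the constructed sample with the bytes of a pcap written by the sensor; if "truncated" is non-zero, the decoder sees frames shorter than their IP length fields claim, and raising Snort's snaplen with -P to at least "suggested_snaplen" is the fix the thread describes.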