[Snort-users] False Negatives in Snort

Dheeraj Gupta dheeraj.gupta4 at ...11827...
Fri Jul 8 00:55:04 EDT 2011


I read about it in one of the forums. The guy had the same problem and it
was resolved by specifying the -P option. In my case too, if I do not set any
snaplen and let Snort use the default value, I do not get any alerts for either of the
attacks. But by setting the snaplen, I get alerts for MS04-007 and "Shellcode
Detected" alerts for Apache. Also, in the latter case, the number of IP4Disc
packets is much lower.

On Thu, Jul 7, 2011 at 10:27 PM, Joel Esler <jesler at ...1935...> wrote:

> Why do you need to specify a snaplen?
>
>
> On Jul 6, 2011, at 4:58 AM, Dheeraj Gupta wrote:
>
> Hi,
> Turns out Snort was discarding packets(IP4Disc) so no alerts were logged .
> I set the snaplen to 3000 using -P option and now MS04-007 signature fires
> well....however the chunked encoding one still does not fire and the only
> alerts I get is about shellcode
>
> On Mon, Jun 27, 2011 at 9:34 PM, Bhagya Bantwal <bbantwal at ...1935...> wrote:
>
>>
>> Can you provide with a sample pcap for this issue?
>>
>> -B
>> On Fri, Jun 24, 2011 at 7:29 AM, Dheeraj Gupta <dheeraj.gupta4 at ...11827...> wrote:
>>
>>> For my project, I need to generate some dummy attack traffic, so I
>>> decided to use an old Windows XP system (unpatched) and ran a few
>>> commercial/open source exploits on it. While most of the attempts were
>>> flagged by Snort, two in particular were entirely missed. Ironically, they
>>> were also successful and returned a shell to the system.
>>>
>>> *Apache Chunked Encoding* - A very old flaw in Apache 1.3.19 (I am
>>> running that old version just for the sake of vulnerabilities). OSVDB entry -
>>> http://osvdb.org/show/osvdb/838
>>> My snort.conf has the following entries for the gzip-related part:
>>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>>> compress_depth 65535 decompress_depth 65535
>>> preprocessor http_inspect_server: server default \
>>>     chunk_length 500000 \
>>>     server_flow_depth 0 \
>>>     client_flow_depth 0 \
>>>     post_depth 65495 \
>>>     oversize_dir_length 500 \
>>>     max_header_length 750 \
>>>     max_headers 100 \
>>>     ports { 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702
>>> 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888
>>> 9090 9091 9443 9999 11371 } \
>>>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>>     enable_cookie \
>>>     extended_response_inspection \
>>>     inspect_gzip \
>>>     normalize_utf \
>>>     unlimited_decompress \
>>>     apache_whitespace no \
>>>     ascii no \
>>>     bare_byte no \
>>>     base36 no \
>>>     directory no \
>>>     double_decode no \
>>>     iis_backslash no \
>>>     iis_delimiter no \
>>>     iis_unicode no \
>>>     multi_slash no \
>>>     utf_8 no \
>>>     u_encode yes \
>>>     webroot no
>>>
>>> MS04-007 - OSVDB entry - http://osvdb.org/show/osvdb/3902
>>>
>>> All the Snort signatures that are mentioned in the OSVDB entries are
>>> enabled and I have restarted Snort after enabling the signatures. However,
>>> the successful attempts are not being flagged.
>>> For Apache chunked encoding I used Metasploit and a commercial product,
>>> while for MS04-007 I used the commercial product to attack through port 445.
>>>
>>> Any ideas?
>>>
>>> Dheeraj
>>>
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>> Please see http://www.snort.org/docs for documentation
>>>
>>
>>
>
>
> --
> To iterate is human.To recurse, divine!
>
>
>


-- 
To iterate is human.To recurse, divine!
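The thread traces the missed alerts to IP4Disc: frames longer than the capture snaplen arrive truncated, Snort's decoder discards them, and the HTTP and SMB payloads never reach the rules, so raising the snaplen with -P made the MS04-007 signature fire. The following script is an added example, not code from the original thread or from Snort, that checks a pcap for exactly that condition: it reads the snaplen from the libpcap global header, counts records whose captured length is shorter than the on-the-wire length, and reports the smallest snaplen that would have kept every frame whole. The sample frames and snaplen values are constructed inline for demonstration.

```python
"""Detect frames truncated by the capture snaplen in a libpcap file.

A truncated frame has incl_len < orig_len in its record header; Snort
cannot inspect payload that was never captured, so such frames end up
counted as decoder discards rather than matched against rules.
"""
import struct
from typing import Dict, List

PCAP_MAGIC_US = 0xA1B2C3D4  # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D  # nanosecond timestamps
GLOBAL_HEADER = "IHHiIII"   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER = "IIII"      # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def build_pcap(snaplen: int, frames: List[bytes]) -> bytes:
    """Construct a little-endian pcap, truncating frames to the snaplen the way
    a capture engine does.  Constructed sample data, not a real capture."""
    out = bytearray(struct.pack("<" + GLOBAL_HEADER, PCAP_MAGIC_US, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<" + RECORD_HEADER, 1310000000 + i, 0,
                           len(captured), len(frame))
        out += captured
    return bytes(out)


def analyze_pcap(data: bytes) -> Dict[str, int]:
    """Walk every record and count frames the snaplen cut short."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):  # same magics, byte-swapped
        endian = ">"
    else:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    snaplen = struct.unpack_from(endian + GLOBAL_HEADER, data, 0)[5]

    offset = struct.calcsize(GLOBAL_HEADER)
    frames = truncated = max_frame_len = 0
    while offset + struct.calcsize(RECORD_HEADER) <= len(data):
        _sec, _frac, incl_len, orig_len = struct.unpack_from(endian + RECORD_HEADER, data, offset)
        offset += struct.calcsize(RECORD_HEADER)
        if offset + incl_len > len(data):
            raise ValueError("record at offset %d runs past end of file" % offset)
        offset += incl_len  # payload itself is not needed for this check
        frames += 1
        max_frame_len = max(max_frame_len, orig_len)
        if incl_len < orig_len:
            truncated += 1
    return {"snaplen": snaplen, "frames": frames,
            "truncated": truncated, "max_frame_len": max_frame_len}


def recommended_snaplen(report: Dict[str, int]) -> int:
    """Smallest snaplen that would have captured every observed frame whole."""
    return max(report["snaplen"], report["max_frame_len"])


if __name__ == "__main__":
    # Constructed traffic: a small ARP-sized frame, a full-size Ethernet frame
    # and one oversized frame (e.g. a jumbo frame or a reassembled pseudo-frame
    # from an offloading NIC) that a 1514-byte snaplen would clip.
    sample = [b"\x00" * 60, b"\x00" * 1514, b"\x00" * 3000]
    for snap in (1514, 3000):
        rep = analyze_pcap(build_pcap(snap, sample))
        print("snaplen %5d: %d/%d frames truncated, largest frame %d bytes, "
              "recommend -P %d" % (rep["snaplen"], rep["truncated"], rep["frames"],
                                   rep["max_frame_len"], recommended_snaplen(rep)))
```

Run it against a real capture by replacing the constructed sample with `open(path, "rb").read()`; if `truncated` is non-zero, the capture interface (or Snort's own DAQ, via -P) needs a snaplen at least as large as `max_frame_len` before the missing alerts can be attributed to the rules or to http_inspect.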