[Snort-users] False Negatives in Snort

Dheeraj Gupta dheeraj.gupta4 at ...11827...
Fri Jul 8 11:19:45 EDT 2011


Yes I Will, but the problem of packet drops is already resolved.
My original question was the lack of Apache Chunked encoding alerts (despite
packets being checked as evident from Shellcode detected alerts). Also Snort
correctly picks up "chunked encoding tranfer" alert from another exploit,
but totally fails to see this one
Any pointers?

Regards,
Dheeraj
On Fri, Jul 8, 2011 at 4:41 PM, Joel Esler <jesler at ...1935...> wrote:

> Try version 2.9.1.
>
> Sent from my iPhone
>
> On Jul 8, 2011, at 0:55, Dheeraj Gupta <dheeraj.gupta4 at ...11827...> wrote:
>
> I read about it in one of the forums. The guy had the same problem and it
> resolved by specifying -P option. In my case too, if I do not set any
> snaplen and let snort use default value I do not get any alerts for both the
> attacks. But by setting snaplen, I get alerts for MS04-007 and "Shellcode
> Detected" alerts for Apache. Also in latter case, the number of IP4Disc
> packets is very less
>
> On Thu, Jul 7, 2011 at 10:27 PM, Joel Esler < <jesler at ...1935...>
> jesler at ...1935...> wrote:
>
>> Why do you need to specify a snaplen?
>>
>>
>> On Jul 6, 2011, at 4:58 AM, Dheeraj Gupta wrote:
>>
>> Hi,
>> Turns out Snort was discarding packets(IP4Disc) so no alerts were logged .
>> I set the snaplen to 3000 using -P option and now MS04-007 signature fires
>> well....however the chunked encoding one still does not fire and the only
>> alerts I get is about shellcode
>>
>> On Mon, Jun 27, 2011 at 9:34 PM, Bhagya Bantwal <<bbantwal at ...1935...>
>> bbantwal at ...1935...> wrote:
>>
>>>
>>> Can you provide with a sample pcap for this issue?
>>>
>>> -B
>>> On Fri, Jun 24, 2011 at 7:29 AM, Dheeraj Gupta <<dheeraj.gupta4 at ...11827...>
>>> dheeraj.gupta4 at ...11827...> wrote:
>>>
>>>> For my project, I need to generate some dummy attack traffic, so I
>>>> decided to use an old Windows XP system (unpatched) and ran a few
>>>> commercial/open source exploits on it. While most of the attempts were
>>>> flagged by Snort, two in particular were entirely missed. Ironically, they
>>>> were also successful and returned a shell to the system
>>>>
>>>> *Apache Chunked Encoding *- A very old flaw in Apache 1.3.19 (I am
>>>> running that old version just for the sake of vulnerabilties). OSVDb entry -
>>>> <http://osvdb.org/show/osvdb/838>http://osvdb.org/show/osvdb/838
>>>> My snort.conf has following entries for gzip related part
>>>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>>>> compress_depth 65535 decompress_depth 65535
>>>> preprocessor http_inspect_server: server default \
>>>>     chunk_length 500000 \
>>>>     server_flow_depth 0 \
>>>>     client_flow_depth 0 \
>>>>     post_depth 65495 \
>>>>     oversize_dir_length 500 \
>>>>     max_header_length 750 \
>>>>     max_headers 100 \
>>>>     ports { 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702
>>>> 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280
>>>> 8888 9090 9091 9443 9999 11371 } \
>>>>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>>>     enable_cookie \
>>>>     extended_response_inspection \
>>>>     *inspect_gzip \*
>>>>     normalize_utf \
>>>>     unlimited_decompress \
>>>>     apache_whitespace no \
>>>>     ascii no \
>>>>     bare_byte no \
>>>>     base36 no \
>>>>     directory no \
>>>>     double_decode no \
>>>>     iis_backslash no \
>>>>     iis_delimiter no \
>>>>     iis_unicode no \
>>>>     multi_slash no \
>>>>     utf_8 no \
>>>>     u_encode yes \
>>>>     webroot no
>>>>
>>>> MS04-007 - OSVDB entry - <http://osvdb.org/show/osvdb/3902>
>>>> http://osvdb.org/show/osvdb/3902
>>>>
>>>> All the snort signatures that are mentioned in the OSVDB entries are
>>>> enabled and I have restarted snort after enabling the signatures. However,
>>>> the successful attempts are not being flagged.
>>>> For apache chunked encosing I used metasploit and a commercial product
>>>> while for MS04-007 I used the commercial product to attack through port 445
>>>>
>>>> Any ideas
>>>>
>>>> Dheeraj
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> All the data continuously generated in your IT infrastructure contains a
>>>> definitive record of customers, application performance, security
>>>> threats, fraudulent activity and more. Splunk takes this data and makes
>>>> sense of it. Business sense. IT sense. Common sense..
>>>>  <http://p.sf.net/sfu/splunk-d2d-c1>http://p.sf.net/sfu/splunk-d2d-c1
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>>  <Snort-users at lists.sourceforge.net>Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>>  <https://lists.sourceforge.net/lists/listinfo/snort-users>
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>>  <http://www.geocrawler.com/redir-sf.php3?list=snort-users>
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
>>>> Please see <http://www.snort.org/docs>http://www.snort.org/docs for
>>>> documentation
>>>>
>>>
>>>
>>
>>
>> --
>> To iterate is human.To recurse, divine!
>>
>> ------------------------------------------------------------------------------
>> All of the data generated in your IT infrastructure is seriously valuable.
>> Why? It contains a definitive record of application performance, security
>> threats, fraudulent activity, and more. Splunk takes this data and makes
>> sense of it. IT sense. And common sense.
>>
>> <http://p.sf.net/sfu/splunk-d2d-c2_______________________________________________>
>> http://p.sf.net/sfu/splunk-d2d-c2_______________________________________________
>>
>> Snort-users mailing list
>> <Snort-users at lists.sourceforge.net>Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> <https://lists.sourceforge.net/lists/listinfo/snort-users>
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> <http://www.geocrawler.com/redir-sf.php3?list=snort-users>
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please see <http://www.snort.org/docs>http://www.snort.org/docs for
>> documentation
>>
>>
>>
>
>
> --
> To iterate is human.To recurse, divine!
>
>


-- 
To iterate is human.To recurse, divine!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110708/04ba01ad/attachment.html>


More information about the Snort-users mailing list