[Snort-users] False Negatives in Snort

Dheeraj Gupta dheeraj.gupta4 at ...11827...
Fri Jun 24 07:29:19 EDT 2011


For my project, I need to generate some dummy attack traffic, so I decided
to use an old Windows XP system (unpatched) and ran a few commercial/open
source exploits on it. While most of the attempts were flagged by Snort, two
in particular were entirely missed. Ironically, they were also successful
and returned a shell to the system

*Apache Chunked Encoding *- A very old flaw in Apache 1.3.19 (I am running
that old version just for the sake of vulnerabilties). OSVDb entry -
http://osvdb.org/show/osvdb/838
My snort.conf has following entries for gzip related part
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 500 \
    max_header_length 750 \
    max_headers 100 \
    ports { 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250
7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090
9091 9443 9999 11371 } \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    enable_cookie \
    extended_response_inspection \
    *inspect_gzip \*
    normalize_utf \
    unlimited_decompress \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    base36 no \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    utf_8 no \
    u_encode yes \
    webroot no

MS04-007 - OSVDB entry - http://osvdb.org/show/osvdb/3902

All the snort signatures that are mentioned in the OSVDB entries are enabled
and I have restarted snort after enabling the signatures. However, the
successful attempts are not being flagged.
For apache chunked encosing I used metasploit and a commercial product while
for MS04-007 I used the commercial product to attack through port 445

Any ideas

Dheeraj
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110624/4dce7dc9/attachment.html>


More information about the Snort-users mailing list