[Snort-users] False Negatives in Snort

Bhagya Bantwal bbantwal at ...1935...
Mon Jun 27 12:04:20 EDT 2011


Can you provide a sample pcap for this issue?

-B
On Fri, Jun 24, 2011 at 7:29 AM, Dheeraj Gupta <dheeraj.gupta4 at ...11827...> wrote:

> For my project, I need to generate some dummy attack traffic, so I decided
> to use an old Windows XP system (unpatched) and ran a few commercial/open
> source exploits on it. While most of the attempts were flagged by Snort, two
> in particular were entirely missed. Ironically, they were also successful
> and returned a shell to the system.
>
> *Apache Chunked Encoding* - A very old flaw in Apache 1.3.19 (I am running
> that old version just for the sake of vulnerabilities). OSVDB entry -
> http://osvdb.org/show/osvdb/838
> My snort.conf has following entries for gzip related part
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> compress_depth 65535 decompress_depth 65535
> preprocessor http_inspect_server: server default \
>     chunk_length 500000 \
>     server_flow_depth 0 \
>     client_flow_depth 0 \
>     post_depth 65495 \
>     oversize_dir_length 500 \
>     max_header_length 750 \
>     max_headers 100 \
>     ports { 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250
> 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8243 8280 8888 9090
> 9091 9443 9999 11371 } \
>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>     enable_cookie \
>     extended_response_inspection \
>     *inspect_gzip* \
>     normalize_utf \
>     unlimited_decompress \
>     apache_whitespace no \
>     ascii no \
>     bare_byte no \
>     base36 no \
>     directory no \
>     double_decode no \
>     iis_backslash no \
>     iis_delimiter no \
>     iis_unicode no \
>     multi_slash no \
>     utf_8 no \
>     u_encode yes \
>     webroot no
>
> MS04-007 - OSVDB entry - http://osvdb.org/show/osvdb/3902
>
> All the snort signatures that are mentioned in the OSVDB entries are
> enabled and I have restarted snort after enabling the signatures. However,
> the successful attempts are not being flagged.
> For Apache chunked encoding I used Metasploit and a commercial product,
> while for MS04-007 I used the commercial product to attack through port 445.
>
> Any ideas?
>
> Dheeraj
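Added example, not part of this thread: a small Python model of the chunk_length check that the quoted http_inspect_server configuration sets to 500000. It walks a chunked HTTP body and raises an alert when a chunk declares a size above the limit, which is the kind of oversized chunk-size value the Apache 1.3 chunked-encoding flaw relied on; the sample bodies are constructed, and the parser is a simplification of the preprocessor's logic, not Snort's own code.

```python
import re

# Chunk-size line: hex digits, optional ;extension, then CRLF (or bare LF).
_CHUNK_SIZE_RE = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r?\n")

def inspect_chunked_body(body: bytes, chunk_length: int = 500000):
    """Decode an HTTP chunked body, checking each declared chunk size
    against a limit the way http_inspect's chunk_length option does.

    Returns (decoded_bytes, alerts). Decoding stops at the first alert,
    so an oversized chunk is reported before its data is trusted."""
    alerts, decoded, pos, index = [], bytearray(), 0, 0
    while True:
        m = _CHUNK_SIZE_RE.match(body, pos)
        if m is None:
            alerts.append(f"chunk {index}: malformed chunk-size line at offset {pos}")
            break
        size_hex = m.group(1).decode("ascii")
        size = int(size_hex, 16)
        pos = m.end()
        if size > chunk_length:
            # This is the condition chunk_length exists to catch: the declared
            # size is checked before any chunk data is consumed.
            alerts.append(f"chunk {index}: declared size 0x{size_hex} ({size}) "
                          f"exceeds chunk_length {chunk_length}")
            break
        if size == 0:
            break  # last-chunk; trailer headers are not inspected here
        data = body[pos:pos + size]
        if len(data) < size:
            alerts.append(f"chunk {index}: truncated, wanted {size} got {len(data)}")
            break
        decoded += data
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            alerts.append(f"chunk {index}: missing CRLF after chunk data")
            break
        pos += 2
        index += 1
    return bytes(decoded), alerts

# Constructed samples (not captured traffic): a well-formed body and one
# whose first chunk declares a size far beyond the configured limit.
NORMAL_BODY = b"5;ext=x\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
OVERSIZED_BODY = b"FFFFFFF0\r\n" + b"A" * 16 + b"\r\n0\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL_BODY), ("oversized", OVERSIZED_BODY)):
        decoded, alerts = inspect_chunked_body(sample)
        print(name, decoded, alerts)
```

Running it against the oversized sample shows an alert on chunk 0 with nothing decoded, which is the behaviour to expect from the sensor if the preprocessor is actually seeing the stream; if a real capture of the missed attempt produces no alert, the traffic is either not reaching http_inspect on an inspected port or is not being reassembled as HTTP.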
