[Snort-users] Fwd: Snort 2.9.4.5 rules using pp

Ashraf Ali ashrafali.ibs at ...11827...
Wed Apr 24 02:07:02 EDT 2013


Can some body  pls check ...

Below are some the rules from snort.rules file , which PP has created.

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS
bdir.htr access"; flow:to_server,established; content:"/bdir.htr"; nocase;
http_uri; metadata:service http; reference:bugtraq,2280;
reference:nessus,10577; classtype:web-application-activity; sid:1000;
rev:22;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"SERVER-WEBAPP carbo.dll access"; flow:to_server,established;
content:"/carbo.dll"; http_uri; content:"icatcommand="; nocase;
metadata:policy security-ips drop, service http; reference:bugtraq,2126;
reference:cve,1999-1069; classtype:attempted-recon; sid:1001; rev:16;)
# alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT Putty Server
key exchange buffer overflow attempt";
flow:to_client,established,no_stream; content:"SSH-"; depth:4;
isdataat:1000,relative;
pcre:"/SSH-0*([2-9]\d*|1\d+)\.[^-]*-[^\n]*\n\x00\x00.{3}\x14.{1000}/s";
reference:bugtraq,6407; reference:cve,2002-1359; reference:url,
www.rapid7.com/advisories/R7-0009.html; classtype:attempted-user;
sid:10010; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Novell
NetMail APPEND command buffer overflow attempt";
flow:established,to_server; content:"AP"; nocase; isdataat:256,relative;
pcre:"/\sAP[A-Za-z]{4}\s[^\n]{256}/smi"; metadata:policy security-ips drop,
service imap; reference:bugtraq,21723; reference:cve,2006-6425;
classtype:misc-attack; sid:10011; rev:11;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS
CCRP FolderTreeView ActiveX clsid access"; flow:to_client,established;
file_data; content:"19B7F2D6-1610-11D3-BF30-1AF820524153";
fast_pattern:only;
pcre:"/<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*19B7F2D6-1610-11D3-BF30-1AF820524153\s*}?\s*\1/si";
metadata:policy security-ips drop, service http; reference:bugtraq,22092;
reference:url,ccrp.mvps.org/index.html?controls/ccrpftv6.htm;
classtype:attempted-user; sid:10013; rev:11;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS
Oracle ORADC ActiveX clsid access"; flow:to_client,established; file_data;
content:"EC4CF635-D196-11CE-9027-02608C4BF3B5"; fast_pattern:only;
pcre:"/<OBJECT\s*[^>]*\s*id\s*=((\x22|\x27)([^\2]*)\2)\s*classid\s*=\s*(\x22|\x27|)clsid\s*\x3a\s*{?\s*EC4CF635-D196-11CE-9027-02608C4BF3B5\s*}?\4.*\3\.(UpdateRecord)\(|<OBJECT\s*[^>]*\s*classid\s*=\s*(\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*EC4CF635-D196-11CE-9027-02608C4BF3B5\s*}?\s*\6\s*id\s*=\s*((\x22|\x27)([^\8]*)\8).*\9\.(UpdateRecord)\(/siO";
metadata:policy security-ips drop, service http; reference:bugtraq,22026;
classtype:attempted-user; sid:10015; rev:13;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS
Oracle ORADC ActiveX function call access"; flow:to_client,established;
file_data; content:"ORADC.ORADCCtrl"; fast_pattern:only;
pcre:"/(\w+)\s*=\s*(\x22ORADC.ORADCCtrl\x22|\x27ORADC.ORADCCtrl\x27)\s*\x3b.*(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*\1\s*\)(\s*\.\s*(UpdateRecord)\s*\(|.*\3\s*\.\s*(UpdateRecord)\s*\()|(\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22ORADC.ORADCCtrl\x22|\x27ORADC.ORADCCtrl\x27)\s*\)(\s*\.\s*(UpdateRecord)\s*\(|.*\7\s*\.\s*(UpdateRecord)\s*\()/smi";
metadata:policy security-ips drop, service http; reference:bugtraq,22026;
classtype:attempted-user; sid:10017; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC
NCACN-IP-TCP brightstor-arc ReserveGroup attempt";
flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837;
dce_opnum:38; metadata:policy balanced-ips drop, policy connectivity-ips
drop, policy security-ips drop, service dcerpc; reference:cve,2006-6076;
reference:cve,2006-6917; reference:url,
www.lssec.com/advisories/LS-20061001.pdf;
classtype:protocol-command-decode; sid:10018; rev:9;)
\d)?\x27)\s*\)(\s*\.\s*(SetFormatLikeSample|CreateFile)\s*|.*(?P=n)\s*\.\s*(SetFormatLikeSample|CreateFile)\s*)\s*\(/smiO";
metadata:policy security-ips drop, service http; reference:bugtraq,22196;
reference:bugtraq,33469; reference:cve,2007-0018; reference:url,
www.kb.cert.org/vuls/id/292713; classtype:attempted-user; sid:10086;
rev:10;)


and in the snort.conf file i have HOME_NET AND EXTERNAL_NET variables
configured as below.

ipvar HOME_NET any

ipvar EXTERNAL_NET any

i have manually downloaded the latest snapshot of rules from snort.org and
copied some of the rules files in to a single file called new.rules, then
configured the snort.conf to use this rule file only, restarted the snort
services ,Its working fine. i can see the alerts , log file is also filling
up.

But could not figure out what the problem with snort.rules file which PP
has created.

Regards,
Ashraf





On Tue, Apr 23, 2013 at 4:44 PM, James Lay <jlay at ...13475...> wrote:

> Let's see one of the rules, and what sdo your HOME_NET and EXTERNAL_NET
> look like?
>
> James
>
> On Apr 22, 2013, at 10:40 PM, Ashraf Ali <ashrafali.ibs at ...11827...> wrote:
>
> yes, if i use the command (snort -c /usr/local/snort/snort.conf -i eth0
> -A)  and can see lots of traffic on the console but nothing is getting dump
> in the log file, it is still 0 Bytes.
>
> i did a R&D , by creating a file called local.rules in the same rules
> folder and added a signature (alert tcp any any -> any any(msg:"Tcp traffic
> found" sid:1000001);
> in the snort.conf file i put a # before include statement of snort.rules
> line and added local.rules
> later restarted both snort and barnyard2 Deamons , Guess what i can see
> log file filling up, and in GUI i can see the alerts.
>
> There seems to be some problem with the snort.rules file which PP has
> created.
>
> Regards,
> Ashraf
> Security System Engineer.
>
>
>
>
>
> On Mon, Apr 22, 2013 at 9:37 PM, Y M <snort at ...15979...> wrote:
>
>>  If you run snort with -A console or -A cmg, do you see any alerts on
>> the console?
>>
>> Also run tcpdump against the interface you are listening from, simply
>>
>> tcpdump -i ethX -v
>>
>> Do you see any traffic? Replace ethX with your interface.
>>  ------------------------------
>> From: Ashraf Ali <ashrafali.ibs at ...11827...>
>> Sent: 4/22/2013 3:37 PM
>> To: snort-users at lists.sourceforge.net
>> Subject: [Snort-users] Snort 2.9.4.5 rules using pp
>>
>>     Hi All,
>>
>>  recently i have deployed snort in ubuntu 12.04 using Autosnort , during
>> the installation PP asked for Oinkcode ,as i am a registered user so i have
>> provided the same.
>>  After completion of the installation, i have seen that snort and
>> barnyard2 services are running in Deamon mode, and in /var/log/snort folder
>> a file with name snort.u2.1366**** is also created but empty(0 bytes).
>>
>> -rw-r--r--  1 snort snort    2056 Apr 22 17:54 barnyard2.waldo
>> *-rw-------  1 snort snort         0 Apr 22 17:54 snort.u2.136662******
>>
>>  there is a single rules file called snort.rules in
>> /usr/local/snort/rules folder which has all the downloaded snort rules, and
>> same is included in the snort.conf file.
>>  Even i have run the snort in test mode using -T , it does not shows up
>> any problem, its working fine but not generating any logs.
>>
>>  I have formated the server , and re-installed every thing manually this
>> time. still the same problem. file is getting created but no logs.
>>
>>  pls Advice.
>>
>>  Ashraf
>>  Security System Egnineer
>>
>>
>>
>
>
> ------------------------------------------------------------------------------
> Try New Relic Now & We'll Send You this Cool Shirt
> New Relic is the only SaaS-based application performance monitoring
> service
> that delivers powerful full stack analytics. Optimize and monitor your
> browser, app, & servers with just a few lines of code. Try New Relic
> and get this awesome Nerd Life shirt!
> http://p.sf.net/sfu/newrelic_d2d_apr_______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
>
>
> ------------------------------------------------------------------------------
> Try New Relic Now & We'll Send You this Cool Shirt
> New Relic is the only SaaS-based application performance monitoring service
> that delivers powerful full stack analytics. Optimize and monitor your
> browser, app, & servers with just a few lines of code. Try New Relic
> and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130424/ba3c06d6/attachment.html>


More information about the Snort-users mailing list