[Snort-users] Trying to use snort with TALOS-2016-0219

Yuri Niyazov yuri at ...17684...
Fri Nov 25 22:41:03 EST 2016

Hi everyone,

  Snort newbie here. I am trying to detect the latest memcache
vulnerabilities, http://www.talosintelligence.com/reports/TALOS-2016-0219/

Output of snort -V, as requested in the instructions for posting reports to
this list:
   ,,_     -*> Snort! <*-
  o"  )~   Version GRE (Build 383)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8

So, I have a packet capture that is the proof-of-concept exploit (code
copy-pasted from the vulnerability announcement). That packet capture is
attached. It is detected when I run "snort -c etc/works.conf -r
/var/log/snort/memcachedump.1480128874", I get the text below in

[**] [3:40474:2] SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/26-02:54:44.674785 ->
TCP TTL:63 TOS:0x0 ID:47627 IpLen:20 DgmLen:1100 DF
***AP*** Seq: 0xF7EF58B0  Ack: 0x1E0819C9  Win: 0x1C9  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3334822 5964160
[Xref => http://www.talosintelligence.com/reports/TALOS-2016-0219]

However, when I run "snort -c etc/broken.conf -r
/var/log/snort/memcachedump.1480128874" the alert doesn't happen.

The difference between works.conf and broken.conf is that broken.conf
includes the stream5_global, stream5_tcp and stream5_udp preprocessors as
they are configured in the latest downloadable ruleset (these aren't the
files I will end up using, these are just the smallest difference I was
able to isolate between "working" and "not working").

Now, if I understand things correctly, the streaming preprocessor provides
important functionality that shouldn't just be turned off blindly, so, the
question is: what in that preprocessor configuration could be masking the
memcached exploit?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: memcachedump.1480128874
Type: application/octet-stream
Size: 2529 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20161125/133af6d2/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: works.conf
Type: application/octet-stream
Size: 1743 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20161125/133af6d2/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: broken.conf
Type: application/octet-stream
Size: 3206 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20161125/133af6d2/attachment-0002.obj>
