[Snort-users] Trying to use snort with TALOS-2016-0219

Joel Esler (jesler) jesler at ...589...
Mon Nov 28 11:17:41 EST 2016

Your traffic is “asymmetric”.  This is why turning off stream makes it “work”.

Snort needs both sides of the traffic flow in order to process the traffic correctly.

Joel Esler | Talos: Manager | jesler at ...589...<mailto:jesler at ...589...>

On Nov 25, 2016, at 10:41 PM, Yuri Niyazov <yuri at ...17684...<mailto:yuri at ...17684...>> wrote:

Hi everyone,

  Snort newbie here. I am trying to detect the latest memcache vulnerabilities, http://www.talosintelligence.com/reports/TALOS-2016-0219/

Output of snort -V, as requested in the instructions for posting reports to this list:
   ,,_     -*> Snort! <*-
  o"  )~   Version GRE (Build 383)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8

So, I have a packet capture that is the proof-of-concept exploit (code copy-pasted from the vulnerability announcement). That packet capture is attached. It is detected when I run "snort -c etc/works.conf -r /var/log/snort/memcachedump.1480128874", and I get the text below in /var/log/snort/alert:

[**] [3:40474:2] SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/26-02:54:44.674785<> -><>
TCP TTL:63 TOS:0x0 ID:47627 IpLen:20 DgmLen:1100 DF
***AP*** Seq: 0xF7EF58B0  Ack: 0x1E0819C9  Win: 0x1C9  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3334822 5964160
[Xref => http://www.talosintelligence.com/reports/TALOS-2016-0219]

However, when I run "snort -c etc/broken.conf -r /var/log/snort/memcachedump.1480128874" the alert doesn't happen.

The difference between works.conf and broken.conf is that broken.conf includes the stream5_global, stream5_tcp and stream5_udp preprocessors as they are configured in the latest downloadable ruleset (these aren't the files I will end up using, these are just the smallest difference I was able to isolate between "working" and "not working").

Now, if I understand things correctly, the streaming preprocessor provides important functionality that shouldn't just be turned off blindly, so, the question is: what in that preprocessor configuration could be masking the memcached exploit?

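The asymmetry Joel points to can be checked directly in the capture before touching the stream5 configuration. The script below is an added example, not code from this thread or from the Snort project: it walks a classic (non-pcapng) pcap using only the Python standard library, groups TCP packets into bidirectional flows, and lists the flows for which only one direction was captured, which is exactly the case in which stream5 has nothing to reassemble and a rule that depends on the reassembled stream never fires. The embedded sample capture, its addresses and port numbers are constructed for the example and are not taken from the attached dump.

```python
"""List TCP flows in a pcap that were captured in one direction only.

Added example, not code from the Snort project or from the thread's authors.
Stream5 needs both halves of a TCP conversation to reassemble it; a capture
holding only client->server packets yields no reassembled stream. Classic
pcap only (pcapng is rejected). Sample packets are constructed in memory.
"""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read little-endian from a LE file
PCAP_MAGIC_BE = 0xD4C3B2A1   # same bytes read little-endian from a BE file
ETH_IPV4 = 0x0800
IP_PROTO_TCP = 6


def parse_pcap(data: bytes):
    """Yield (timestamp, frame_bytes) for every record in a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def tcp_endpoints(frame: bytes):
    """Return ((src_ip, sport), (dst_ip, dport)) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    if frame[14 + 9] != IP_PROTO_TCP or len(frame) < 14 + ihl + 4:
        return None
    src = ".".join(str(b) for b in frame[26:30])   # IP src/dst sit at fixed offsets 12/16
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return (src, sport), (dst, dport)


def flow_directions(data: bytes):
    """Map each bidirectional flow (sorted endpoint pair) to the set of directions seen."""
    flows = defaultdict(set)
    for _ts, frame in parse_pcap(data):
        ends = tcp_endpoints(frame)
        if ends is None:
            continue
        flows[tuple(sorted(ends))].add(ends)   # ends keeps the (src, dst) direction observed
    return flows


def asymmetric_flows(data: bytes):
    """Return the flows for which only one direction was captured."""
    return [key for key, dirs in flow_directions(data).items() if len(dirs) == 1]


# --- constructed sample capture (illustrative addresses and ports) ----------
def _frame(src, sport, dst, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame; checksums are zero, which parsing ignores."""
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 512, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     IP_PROTO_TCP, 0, ip_src, ip_dst) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap with link type 1 (Ethernet)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


SAMPLE = build_pcap([
    _frame("10.0.0.5", 40001, "10.0.0.9", 11211, b"get key\r\n"),   # client -> server
    _frame("10.0.0.9", 11211, "10.0.0.5", 40001, b"END\r\n"),       # server -> client
    _frame("10.0.0.5", 40002, "10.0.0.9", 11211, b"stats\r\n"),     # client side only
])

if __name__ == "__main__":
    for a, b in asymmetric_flows(SAMPLE):
        print(f"one-directional flow: {a[0]}:{a[1]} <-> {b[0]}:{b[1]}")
```

Run it against the real file with `asymmetric_flows(open(path, "rb").read())`. An empty list means both directions are present and the stream5 question needs a different answer; a non-empty list confirms the capture, or the tap feeding Snort, is one-sided, and the fix is to get the reverse direction into the capture rather than to disable the preprocessor.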