[Snort-users] Snort 3.0 is not detecting shell code attacks

João Pedro oladj at live.com.pt
Mon Jun 17 08:23:57 EDT 2019


OMG! It worked!!!! I added '--lua "search_engine.detect_raw_tcp = true"' to my command and worked!

Thank you so much :)

Às 12:56 de 17/06/19, Russ Combs (rucombs) escreveu:
You need to add –k none --lua "search_engine.detect_raw_tcp = true" to your command line.  Doing so gets some hits on 1394 and 648.

Raw tcp detection is required by those rules and the checksum issue is indicated by the shutdown stats without –k none:

codec
                    total: 194402       (100.000%)
                 discards: 85883       ( 44.178%)
ipv4
             bad_checksum: 85831

An update will be out soon that removes the requirement for the raw tcp setting.

From: João Pedro <oladj at live.com.pt<mailto:oladj at live.com.pt>>
Date: Monday, June 17, 2019 at 7:29 AM
To: Dorian ROSSE <dorianbrice at hotmail.fr<mailto:dorianbrice at hotmail.fr>>, "snort-users at lists.snort.org<mailto:snort-users at lists.snort.org>" <snort-users at lists.snort.org<mailto:snort-users at lists.snort.org>>, Sourcefire Helpdesk <rucombs at cisco.com<mailto:rucombs at cisco.com>>
Subject: Re: [Snort-users] Snort 3.0 is not detecting shell code attacks


Thanks for your help. I think the community rules are enough for what I want to test. For example, the rule below seems enough to trigger an alert, but does not make sense to me why is not triggered...


  *   alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; metadata:ruleset community; classtype:shellcode-detect; sid:1394; rev:17;

There are other rules, non-related to shell code, that are triggered, so Snort seems working. I already tested the rule I mentioned separately, but didn't work either.

Às 12:14 de 17/06/19, Dorian ROSSE escreveu:
Maybe community rules doesn’t enough against It attacks ?

Provenance : Courrier<https://go.microsoft.com/fwlink/?LinkId=550986> pour Windows 10

________________________________
De : Snort-users <snort-users-bounces at lists.snort.org><mailto:snort-users-bounces at lists.snort.org> de la part de João Pedro via Snort-users <snort-users at lists.snort.org><mailto:snort-users at lists.snort.org>
Envoyé : Monday, June 17, 2019 12:51:01 PM
À : snort-users at lists.snort.org<mailto:snort-users at lists.snort.org>; Russ Combs (rucombs)
Objet : Re: [Snort-users] Snort 3.0 is not detecting shell code attacks


Is also possible to check my config files and .pcap file in: https://we.tl/t-CL0SotgzlU

Às 11:30 de 17/06/19, João Pedro via Snort-users escreveu:

I send those files enclosed in this email. It's possible to check now my problem easily.

I run this command every time I want to test Snort:

  *   snort -r myfile.pcapng -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/snort3-community.rules -A alert_json > alerts.json

I'm expecting the rule "1394" and "648" to be triggered, but is not working... In .pcap file is possible to see buffer overflow attacks tested by me (e.g. check the filter "tcp.dstport==50096 or tcp.dstport==50098").

What is the problem?

Às 02:26 de 17/06/19, Russ Combs (rucombs) escreveu:

Please send pcap, rules, config so we can help you out.

On 6/16/19, 7:39 PM, "Snort-users on behalf of João Pedro via Snort-users"
<snort-users-bounces at lists.snort.org on behalf of
snort-users at lists.snort.org><mailto:snort-users-bounces at lists.snort.orgonbehalfofsnort-users@lists.snort.org> wrote:



I'm testing snort 3.0 with Community rules.
Besides triggering alerts from port scans, it is not detecting Buffer
Overflow attacks (.i.e. made with Metasploit).
Is there a problem with the current rules in Snort 3.0? Should I
activate/config something else?

Ps: I'm testing Snort from .pcap files

_______________________________________________
Snort-users mailing list
Snort-users at lists.snort.org<mailto:Snort-users at lists.snort.org>
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave at lists.snort.org<mailto:snort-users-leave at lists.snort.org>

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette



_______________________________________________
Snort-users mailing list
Snort-users at lists.snort.org<mailto:Snort-users at lists.snort.org>
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave at lists.snort.org<mailto:snort-users-leave at lists.snort.org>

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20190617/b3de162d/attachment.html>


More information about the Snort-users mailing list