
[Snort-devel] Header mixup Bug in Snort 2.0?

From: Erik Norman <erik.norman(at)datagram.se>
Date: Thu Jun 12 2003 - 08:46:27 EDT

Hi all,

I've run across some faulty reporting, where a certain packet correctly generates an alarm, but where the header information (IP, ports etc.) is from another packet! It's a Bad Thing. Since I also have a complete tcpdump log of everything, I feel rather sure what I'm talking about.

I'm administering the IDS for a customer, so I have to strictly anonymize the data, but will try to help however I can.

All details can be found below.

Now what? (Personal-brain-dump: old Libpcap version, strange home-net definition...)

BTW, Snort rocks :-)

/Erik Norman


Setup:

Snort 2.0 on NetBSD 1.6.1
Tcpdump 3.7.1
Libpcap 0.4

Rule in question:

alert ip $HOME_NET any -> $EXTERNAL_NET !80 (msg:"Backdoor indication, id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; classtype:backdoor-indication; sid:1882; rev:4;)

Note that it's a rule from snort-current, but with altered classification.

Notation:

IP A1 and A2 are internal addresses ($HOME_NET) and IP B and C are two different external addresses. Both B and C appear in normal communication from the company in question.

Reported alarm, from the file /var/log/snort/B.B.B.11/TCP\:3152-25:

[**] Backdoor indication, id check returned userid [**]
06/11-10:23:42.329705 A1.A1.A1.204:3152 -> B.B.B.11:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:658
***AP*** Seq: 0x3959F78C  Ack: 0xED87141A  Win: 0xFAF0  TcpLen: 20
47 45 54 20 2F 63 6F 6D 6D 75 6E 69 74 79 2F 73  GET /community/s
70 65 6C 2F 69 6D 61 67 65 73 2F 72 61 6E 6B 5F  pel/images/rank_
31 2E 67 69 66 20 48 54 54 50 2F 31 2E 31 0D 0A  1.gif HTTP/1.1..
41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65 66  Accept: */*..Ref
65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 74 76 34  erer: http://tv4
2E 73 65 2F 63 6F 6D 6D 75 6E 69 74 79 2F 73 70  .se/community/sp
65 6C 2F 75 73 65 72 69 6E 66 6F 2E 61 73 70 78  el/userinfo.aspx
3F 75 69 64 3D 7B 32 46 33 36 32 41 35 36 2D 35  ?uid={2F362A56-5
---snip---

And this is from tcpdump:


10:23:42.304287 A2.A2.A2.1919 > C.C.C.132.www: . 1:1461(1460) ack 1 win 8760 (DF)

0x0000   4500 05dc ea1c 4000 7f06 0372 7e01 05f9        E.....@....r~...
0x0010   930e f184 077f 0050 006f a0e3 d2cd 744f        .......P.o....tO
0x0020   5010 2238 c34f 0000 4745 5420 2f63 6f6d        P."8.O..GET./com
0x0030   6d75 6e69 7479 2f73 7065 6c2f 696d 6167        munity/spel/imag
0x0040   6573 2f72 616e 6b5f 312e 6769 6620 4854        es/rank_1.gif.HT
0x0050   5450 2f31 2e31 0d0a 4163 6365 7074 3a20        TP/1.1..Accept:.
0x0060   2a2f 2a0d 0a52 6566 6572 6572 3a20 6874        */*..Referer:.ht
0x0070   7470 3a2f 2f74 7634 2e73 652f 636f 6d6d        tp://tv4.se/comm
0x0080   756e 6974 792f 7370 656c 2f75 7365 7269        unity/spel/useri
0x0090   6e66 6f2e 6173 7078 3f75 6964 3d7b 3246        nfo.aspx?uid={2F
--snip --

Snort.conf:

var HOME_NET X.X.0.0/21 X.X.8.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH .
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: [ --usual hosts snipped----]
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
output alert_syslog: LOG_LOCAL4
include classification.config
include reference.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/local.rules
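As an added check of the kind described above (example code written for this page, not from the post or from Snort), the script below rebuilds a packet from a tcpdump hex dump, decodes its IP/TCP header, models the rule's content/byte_test match, and compares the alert's addresses and ports with the packet that actually carries the payload. The dump, the addresses and the alert line are constructed samples, and the byte_test string conversion is a simplified assumption, not Snort's own implementation.

```python
import re
import struct
from ipaddress import IPv4Address

# Constructed sample: a tcpdump -x style dump of one TCP packet carrying an
# HTTP request with "uid=12345" (documentation-range addresses, not the post's).
SAMPLE_DUMP = """\
0x0000   4500 0040 0001 4000 4006 0000 c000 0209        E..@..@.@.......
0x0010   c633 640b 077f 0050 0000 0001 0000 0002        .3d....P........
0x0020   5010 2238 0000 0000 4745 5420 2f3f 7569        P."8....GET./?ui
0x0030   643d 3132 3334 3520 4854 5450 2f31 2e31        d=12345.HTTP/1.1
"""
# Constructed alert header line in the layout Snort printed in the post.
SAMPLE_ALERT = "06/11-10:23:42.329705 192.0.2.4:3152 -> 198.51.100.11:25"

def parse_hexdump(dump):
    """Rebuild raw packet bytes from the hex words (max 8 per line) of a dump."""
    raw = bytearray()
    for line in dump.splitlines():
        m = re.match(r"0x[0-9a-f]+:?\s+((?:[0-9a-f]{2,4}\s+){1,8})", line)
        if m:
            raw += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(raw)

def decode_tcp(raw):
    """Return (src, sport, dst, dport, payload) of a raw IPv4/TCP packet."""
    ihl = (raw[0] & 0x0F) * 4                      # IP header length in bytes
    src, dst = IPv4Address(raw[12:16]), IPv4Address(raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    doff = (raw[ihl + 12] >> 4) * 4                # TCP data offset in bytes
    return str(src), sport, str(dst), dport, raw[ihl + doff:]

def rule_1882_matches(payload):
    """Model of 'content:"uid="; byte_test:5,<,65537,0,relative,string'.
    Assumption: the 5 bytes after the match parse like strtoul (no digits -> 0)."""
    i = payload.find(b"uid=")
    if i < 0:
        return False
    digits = re.match(rb"\d*", payload[i + 4:i + 9]).group(0)
    return int(digits or 0) < 65537

def check_alert(alert_line, dump):
    """Does the alert's 5-tuple belong to the packet that carries the payload?"""
    m = re.search(r"(\S+):(\d+) -> (\S+):(\d+)", alert_line)
    alert_tuple = (m[1], int(m[2]), m[3], int(m[4]))
    src, sport, dst, dport, payload = decode_tcp(parse_hexdump(dump))
    return {"rule_fires": rule_1882_matches(payload),
            "header_matches_pcap": alert_tuple == (src, sport, dst, dport)}
```

On the sample the rule fires on the payload while the alert's addresses and ports do not match the packet the payload came from, which is the mismatch the post reports.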

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Thu Jun 12 13:59:41 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT

