Re: [Snort-sigs] disable /var/log/snort logging

From: Bill McCarty <bmccarty(at)apu.edu>
Date: Fri May 09 2003 - 00:58:41 EDT

Hey all,

I've been seeing the Snort exploit that was recently published on Packetstorm being used against port TCP/139 of one of my hosts, which is not a Snort sensor <g>. The default Snort ruleset flags the NOPs in the exploit. But, it's nice to know whether one's seeing a NetBIOS/SMB attack or a Snort attack.

The following rule successfully detects the Packetstorm attack:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Snort p7191.sh attack shellcode";
content:"|31c0 31db 31c9 51b1 0651 b101 51b1 0251|"; offset:0; )

It's a lousy rule, because it detects the exploit shellcode rather than the underlying vulnerability. And, the offset value could likely be increased to improve efficiency, since the shellcode is preceded by a fairly large NOP sled. But, I'm a busy guy <g>; so it's the best I can do just now.

FYI, I've also seen some very large (>64k) UDP packets in my Snort capture files. The tcpdump program chokes when it hits one. But, I've learned that I can use tcpslice to exclude a few milliseconds of data from a packet capture file and see what went on near the time of the large packets.

I don't know whether this symptom is related to either of the recently published Snort vulnerabilities, some other Snort vulnerability, or yet another cause. Since I'm no longer seeing this traffic, it's hard to know what was going on.

Cheers,

---

Bill McCarty

---

Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara The only event dedicated to issues related to Linux enterprise solutions www.enterpriselinuxforum.com

---

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Fri May 9 01:26:20 2003