Snort mailing list archives
Re: Snort detection engine vulnerability
From: Dragos Ruiu <dr () kyx net>
Date: Mon, 30 Jul 2001 20:47:18 -0700
Hmmm... ok... You could go and change this to come up with multiple alerts per packet (the patch would be fairly straightforward, but I'm certainly not sure it's worth the inefficiency it introduces), but to what end again? With this kind of technique you may be able to mask the severity of your attack with certain very limited classes of attacks... (In practice, imho, the number of attacks that are susceptible to this kind of obfuscation is small enough that I think there are bigger fish to fry first.... most web/cgi attacks would be extremely difficult to code with a double attack in a single request....) and your example is supposing this test-cgi rule is loaded before your other exploit rule. In any case this is relatively academic because....

The point however is that your address/packet is still busted... you may have been able to sneak that other attack in, but the IDS still triggered and your double attack packet is recorded - and then hopefully a human analyst examining the incident will note the monkey business.

cheers,
--dr

P.s. Cut Marty a break today, he is usually excellent (better than almost anyone I know) at returning e-mails, but I expect he is at the hospital right now helping his wife deliver a baby. Which I think ranks much, much, higher in priorities than this "vulnerability".

On Mon, 30 Jul 2001, Moritz Jodeit wrote:
Hi,

I think I found a design flaw in Snort's detection engine. The detection engine checks each packet, and the first rule that matches triggers the action specified in the rule. The problem is that once an action was triggered, no more checks are done on the packet. It is possible for someone to put a fake exploit at the beginning of a packet and put the real exploit after the fake one. This way, the fake exploit triggers the rule and the real exploit doesn't get detected.

http://snort.protected.host.com/test-cgi/../[insert your favourite iis exploit]

This sample triggers the "WEB-CGI test-cgi access" rule, while the real exploit doesn't get logged.

I sent two emails to roesch () clark net, but didn't get any response, so I send it to the list...

--
Moritz Jodeit
http://www.jodeit.org/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Dragos Ruiu <dr () dursec com>
dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
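The two engine behaviours the thread argues about, first-match-wins versus multiple alerts per packet, as an added toy model that is not Snort's code. The rule set, the placeholder signature string and the sample request are constructed for the example; only the "WEB-CGI test-cgi access" rule name and the /test-cgi/../ shape come from the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Toy content rule: fires when `pattern` occurs anywhere in the payload."""
    name: str
    pattern: str


# Constructed rule set. The second pattern is a placeholder standing in for
# whatever other signature a rule set might carry; it is not a real Snort rule.
RULES = [
    Rule("WEB-CGI test-cgi access", "/test-cgi/"),
    Rule("EXAMPLE second signature (placeholder)", "PLACEHOLDER-SIGNATURE"),
]


def first_match(payload: str, rules=RULES):
    """Behaviour Moritz describes: stop at the first rule that matches, so
    only one alert can ever be raised for a packet."""
    for rule in rules:
        if rule.pattern in payload:
            return [rule.name]
    return []


def all_matches(payload: str, rules=RULES):
    """Alternative Dragos mentions: keep evaluating, one alert per matching
    rule, at the cost of checking every rule on every packet."""
    return [rule.name for rule in rules if rule.pattern in payload]


# Constructed request in the shape of the one posted in the thread: a decoy
# pattern first, then a second pattern later in the same request line.
DECOY_REQUEST = "GET /test-cgi/../PLACEHOLDER-SIGNATURE HTTP/1.0"


if __name__ == "__main__":
    print("first match :", first_match(DECOY_REQUEST))
    print("all matches :", all_matches(DECOY_REQUEST))
    # Rule order decides which single alert first-match reports, which is the
    # point Dragos makes about the test-cgi rule being loaded first.
    print("reversed    :", first_match(DECOY_REQUEST, list(reversed(RULES))))
```

Either way the packet is logged, which is Dragos's point: the analyst still sees an alert on the request and can inspect the rest of it.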
Current thread:
- Snort detection engine vulnerability Moritz Jodeit (Jul 30)
- Re: Snort detection engine vulnerability James Hoagland (Jul 30)
- Re: Snort detection engine vulnerability Dragos Ruiu (Jul 30)
- Re: Snort detection engine vulnerability Dragos Ruiu (Jul 30)
- RE: Snort detection engine vulnerability Jason Lewis (Jul 30)
- Re: Snort detection engine vulnerability Yoann Vandoorselaere (Jul 31)
- Re: Snort detection engine vulnerability James Hoagland (Jul 30)