Snort mailing list archives

Re: Snort detection engine vulnerability


From: Dragos Ruiu <dr () kyx net>
Date: Mon, 30 Jul 2001 20:47:18 -0700

Hmmm... ok... You could go and change this to come up with multiple
alerts per packet (the patch would be fairly straightforward, but I'm certainly
not sure it's worth the inefficiency it introduces), but to what end again?
With this kind of technique you may be able to mask the severity of your
attack with certain very limited classes of attacks... (In practice, imho, the
number of attacks that are susceptible to this kind of obfuscation is small
enough that I think there are bigger fish to fry first.... most web/cgi attacks
would be extremely difficult to code with a double attack in a single
request....) and your example is supposing this test-cgi rule is loaded before
your other exploit rule. In any case this is relatively academic because....

The point however is that your address/packet is still busted... you may
have been able to sneak that other attack in, but the IDS still triggered and 
your double attack packet is recorded - and then hopefully a human 
analyst examining the incident will note the monkey business.

cheers,
--dr

P.s. Cut Marty a break today, he is usually excellent (better than
almost anyone I know) at returning e-mails, but I expect he is at
the hospital right now helping his wife deliver a baby. Which I think
ranks much, much, higher in priorities than this "vulnerability".

On Mon, 30 Jul 2001, Moritz Jodeit wrote:
Hi,

I think I found a design flaw in Snort's detection engine. 
The detection engine checks each packet and the first rule that matches
triggers the action specified in the rule. The problem is that once an action
was triggered, no more checks are done on the packet. It is possible for
someone to put a fake exploit at the beginning of a packet and put the real
exploit after the fake one. This way, the fake exploit triggers the rule and
the real exploit doesn't get detected.

http://snort.protected.host.com/test-cgi/../[insert your favourite iis exploit]

This sample triggers the "WEB-CGI test-cgi access" rule, while the real exploit 
doesn't get logged.

I sent two emails to roesch () clark net, but didn't get any response, so I'm sending
it to the list...

--
Moritz Jodeit 
http://www.jodeit.org/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
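The first-match behaviour Moritz describes, and the "multiple alerts per packet" change Dragos mentions, simulated side by side. This is an added example, not Snort's detection engine or any code from the thread: the rule contents, the second (hypothetical) traversal rule, the helper names and the request line are constructed for illustration, and the IIS exploit string elided in the original request is deliberately not filled in.

```python
"""Simulation of first-match vs. all-match rule evaluation over one packet payload.

Added example; not Snort code. Everything below (rule set, payload, helpers)
is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    msg: str        # alert message
    content: bytes  # substring the rule looks for in the payload


# Constructed rule set. The first msg is the real Snort rule name quoted in the
# thread; its content string is an assumption. The second rule is hypothetical
# and stands in for whatever signature the attacker wants to hide.
RULES = [
    Rule("WEB-CGI test-cgi access", b"/test-cgi"),
    Rule("HYPOTHETICAL directory traversal", b"/../"),
]


def first_match(payload: bytes, rules=RULES):
    """Model of the behaviour Moritz describes: the first rule that fires wins
    and no further rules are evaluated for this packet."""
    for rule in rules:
        if rule.content in payload:
            return [rule.msg]
    return []


def all_matches(payload: bytes, rules=RULES):
    """Model of the 'multiple alerts per packet' change Dragos mentions:
    every rule is evaluated and every hit is reported."""
    return [rule.msg for rule in rules if rule.content in payload]


def masked_alerts(payload: bytes, rules=RULES):
    """Alerts the first-match engine silently drops for this payload."""
    seen = set(first_match(payload, rules))
    return [msg for msg in all_matches(payload, rules) if msg not in seen]


# Constructed request in the shape of the one in the thread. The path after
# "/test-cgi/../" is a placeholder, not a real exploit.
DECOY_REQUEST = b"GET /test-cgi/../placeholder-second-attack HTTP/1.0\r\n"
CLEAN_REQUEST = b"GET /index.html HTTP/1.0\r\n"


if __name__ == "__main__":
    print("first-match :", first_match(DECOY_REQUEST))
    print("all-match   :", all_matches(DECOY_REQUEST))
    print("masked      :", masked_alerts(DECOY_REQUEST))
    # Dragos's caveat: the trick depends on rule load order. Reverse the order
    # and the decoy no longer shadows the second rule.
    print("reversed    :", first_match(DECOY_REQUEST, list(reversed(RULES))))
```

Running it shows the decoy alert alone under first-match, both alerts under all-match, and, with the rule order reversed, the traversal alert alone: the masking only works when the decoy's rule happens to be evaluated first, which is the point Dragos makes about the test-cgi rule being loaded before the other one.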
