Snort mailing list archives
Re: Test question
From: Jose Celestino <japc () co sapo pt>
Date: Mon, 17 Dec 2001 03:20:25 +0000
Thus spake Paul Cardon, on Sun, Dec 16, 2001 at 10:13:35PM -0500:
> Jose Celestino wrote:
>> Thus spake Phil Wood, on Sun, Dec 16, 2001 at 07:12:01PM -0700:
>>> Here is a rule from attack-responses.rules in the 1.8.3 release:
>>>
>>> alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)
>>>
>>> I'd like to compliment the person who developed this rule. Secondly, I'd like to propose a question to tickle your fancy. If the second any were 22, and the first any was on your network, what would the classtype be? Extra credit. Fill in the blanks.
>>
>> ouch. successful-admin
>>
>> And how the hell did you intend to get a "uid=0(root)" out of a supposedly encrypted connection?
>
> Wow, Jose. You just flunked the test. Good thing this was a practice run. ;^)
Wrong, this is exploit specific. The exploit that has been running around does an id after a successful exploit. Of course, the overflow occurs at key exchange and so there is no encryption yet to prevent this kind of data from being sniffed. This is only as good as the "id" occurs. And I see it more as a "ATTACK RESPONSES id check returned root". Also a s/bad-unknown/catastrophically-fscked/ would be in order.
>>> systems are being compromised via the ___-__ ___________ ______ ________ _____________
>
> CRC-32 Compensation Attack Detector Vulnerability
> http://www.cert.org/advisories/CA-2001-35.html
>
> I won't take points off Phil for being short a space on the blank for "Compensation". =:^D
>
> -paul
--
Jose Celestino <japc () co sapo pt>
---------------------------------
Machines take me by surprise with great frequency. - Alan Turing

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
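A toy re-implementation of the matching logic the thread argues about, added here as an example and not code from the thread or from Snort: it parses the quoted sid 498 rule plus the `$HOME_NET 22 -> any any` variant Phil's question describes (classtype taken from Jose's answer) and runs both over constructed packet records. The HOME_NET prefix, the packet addresses and the second rule's sid and msg are assumptions.

```python
import re

# Rule 1 is the sid 498 rule quoted in the thread (attack-responses.rules, 1.8.3).
# Rule 2 is Phil's variant: source on our net, source port 22, i.e. our SSH
# server talking back to a client; sid/msg are made up for this example.
RULES = [
    'alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; '
    'flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)',
    'alert tcp $HOME_NET 22 -> any any (msg:"ATTACK RESPONSES id check returned root from sshd"; '
    'flags:A+; content: "uid=0(root)"; classtype:successful-admin; sid:1000001; rev:1;)',
]
HOME_NET = "10.0.0."   # constructed prefix standing in for $HOME_NET

HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$')

def parse_rule(text):
    """Split a one-line Snort rule into header fields plus a dict of options."""
    action, proto, src, sport, dst, dport, body = HEADER.match(text).groups()
    opts = {}
    for opt in body.split(';'):
        if ':' in opt:
            k, v = opt.split(':', 1)
            opts[k.strip()] = v.strip().strip('"')
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, **opts)

def _addr_ok(pattern, addr):
    if pattern == 'any':
        return True
    if pattern == '$HOME_NET':
        return addr.startswith(HOME_NET)
    return pattern == addr

def _port_ok(pattern, port):
    return pattern == 'any' or int(pattern) == port

def match(rule, pkt):
    """Header match, then flags:A+ (ACK set, others ignored), then plain content.
    As Jose notes, the content is only visible on port 22 when the exploit's
    id output is sent before any session key exists."""
    if pkt['proto'] != rule['proto']:
        return False
    if not (_addr_ok(rule['src'], pkt['src']) and _port_ok(rule['sport'], pkt['sport'])):
        return False
    if not (_addr_ok(rule['dst'], pkt['dst']) and _port_ok(rule['dport'], pkt['dport'])):
        return False
    if rule.get('flags', '').startswith('A') and 'A' not in pkt['flags']:
        return False
    return rule['content'].encode() in pkt['payload']

def classify(pkt, rules=RULES):
    """Classtypes of every rule the packet triggers, in rule order."""
    return [r['classtype'] for r in map(parse_rule, rules) if match(r, pkt)]
```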