Snort mailing list archives
Re: packet content and signature unmatch
From: pauls () utdallas edu
Date: Mon, 17 Jul 2006 08:54:17 -0500
--On July 17, 2006 9:31:50 AM -0400 hchlai () netscape net wrote:
When investigating the whys and wherefores of a rule's triggering, it's a good idea to first read the relevant exploit information - <http://www.securityfocus.com/bid/5093/discuss>Hi Snorters, I have 2 questions regarding sid:1811 /etc/snort/rules/attack-responses.rules:alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit uname"; flow:from_server,established; content:"uname"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; reference:nessus,11031; classtype:misc-attack; sid:1811; rev:9; First of all, since ssh sessions are encrypted, I should never see a packet content of "uname" in non-encrypted format. Am I missing something fundamental in here or it's just a Monday morning? Secondly, this signature is recorded in 2 packets by BASE, but neither packets nor their combine contents contain "uname" in it, so what exactly triggered this signature? Many thanks!
"It is possible for attackers to exploit the vulnerabilities by constructing a malicious response. As this occurs before the authentication process completes, it may be exploited by remote attackers without valid credentials. Successful exploitation may result in the execution of shellcode or a denial of service."
As I'm sure you are aware, the challenge-response portion occurs before encryption has taken place, so you would indeed see the characters in the packet.
Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas http://www.utdallas.edu/ir/security/
Attachment:
_bin
Description:
------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- packet content and signature unmatch hchlai (Jul 17)
- Re: packet content and signature unmatch Eric Hines (Jul 17)
- Re: packet content and signature unmatch pauls (Jul 17)