Snort mailing list archives
snort-2.8.0 losing port numbers on some alerts?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 23 Nov 2007 14:01:52 +1300
Hi there

I have just installed snort-2.8.0 under CentOS5 at home, with nearly everything enabled, and it's triggering on the rule:

alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"MS-SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; reference:bugtraq,9407; reference:cve,2003-0903; reference:nessus,11990; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2329; rev:7;)

The problem is two-fold.

For starters, sometimes the syslog and mysql events generated *do not contain port numbers!* e.g. syslog reports

Nov 22 21:59:36 srv snort[28832]: [1:2329:7] MS-SQL probe response overflow attempt [Classification: Attempted User Privilege Gain] [Priority: 1]: <eth0> {UDP} 1x.y.z.3 -> 1x.y.z.6

Where's the ":YYYY"? Sometimes in the same 1 sec period the same rule triggers again - with the port numbers:

Nov 22 21:59:36 srv snort[28832]: [1:2329:7] MS-SQL probe response overflow attempt [Classification: Attempted User Privilege Gain] [Priority: 1]: <eth0> {UDP} 1x.y.z.3:2049 -> 1x.y.z.6:1023

And secondly, the two boxes mentioned are Linux boxes running NFS between them - certainly not MS-SQL.

However, I think my first point is the one that implies a bug in snort. An "alert udp" rule should NEVER be able to generate an event that doesn't contain port numbers - I don't think it's possible to generate UDP packets without port numbers ;-)

This looks like a bug to me rather than a rule FP?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
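An added example, not part of Jason's post and not Snort's own code: a small Python parser for the syslog alert layout quoted above. It extracts the endpoints and flags any TCP/UDP alert that carries no port on one side, the anomaly the post describes, and groups alerts by timestamp, sid and host pair so that a port-less alert and its fully populated twin from the same second appear together. The two sample lines are constructed from the quoted alerts (hosts anonymised the same way), and the regular expression assumes exactly the layout shown there (IPv4-style hosts; IPv6 literals are not handled).

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input modelled on the two syslog lines quoted in the post
# (hosts anonymised the same way the post does). First line lacks ports, second has them.
SAMPLE_LINES = [
    "Nov 22 21:59:36 srv snort[28832]: [1:2329:7] MS-SQL probe response overflow attempt "
    "[Classification: Attempted User Privilege Gain] [Priority: 1]: <eth0> {UDP} 1x.y.z.3 -> 1x.y.z.6",
    "Nov 22 21:59:36 srv snort[28832]: [1:2329:7] MS-SQL probe response overflow attempt "
    "[Classification: Attempted User Privilege Gain] [Priority: 1]: <eth0> {UDP} 1x.y.z.3:2049 -> 1x.y.z.6:1023",
]

# Layout assumed from the quoted lines: syslog header, "[gid:sid:rev] msg", classification,
# priority, optional "<iface>", "{PROTO}", then "src[:port] -> dst[:port]".
# Hosts are any run of non-space, non-colon characters, so IPv6 literals are not handled.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"(?:<(?P<iface>[^>]+)> )?\{(?P<proto>[A-Z]+)\} "
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))? -> (?P<dst>[^\s:]+)(?::(?P<dport>\d+))?$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    rev: int
    msg: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    def ports_missing(self) -> bool:
        """True for a TCP/UDP alert with no port on at least one side.
        Every TCP or UDP datagram carries both ports, so such a line deserves a look."""
        return self.proto in ("TCP", "UDP") and (self.sport is None or self.dport is None)


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one syslog alert line; return None for lines that do not match the layout."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None

    def to_port(s: Optional[str]) -> Optional[int]:
        return int(s) if s is not None else None

    return Alert(
        ts=m["ts"], sid=int(m["sid"]), rev=int(m["rev"]), msg=m["msg"], proto=m["proto"],
        src=m["src"], sport=to_port(m["sport"]), dst=m["dst"], dport=to_port(m["dport"]),
    )


def find_portless(lines: List[str]) -> List[Alert]:
    """All parsable TCP/UDP alerts that lack a port on either side."""
    alerts = (parse_alert(line) for line in lines)
    return [a for a in alerts if a is not None and a.ports_missing()]


def group_by_event(lines: List[str]) -> Dict[Tuple[str, int, str, str], List[Alert]]:
    """Group alerts by (timestamp, sid, src host, dst host) so that a port-less alert and a
    fully populated one for the same rule and hosts in the same second show up together."""
    groups: Dict[Tuple[str, int, str, str], List[Alert]] = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a is not None:
            groups[(a.ts, a.sid, a.src, a.dst)].append(a)
    return dict(groups)


if __name__ == "__main__":
    for a in find_portless(SAMPLE_LINES):
        print(f"port-less {a.proto} alert sid {a.sid}: {a.src} -> {a.dst} at {a.ts}")
    for key, alerts in group_by_event(SAMPLE_LINES).items():
        print(key, [(a.sport, a.dport) for a in alerts])
```

Run it against a real syslog file by feeding the lines to find_portless(); any hit is a line that a UDP or TCP rule produced without both ports, which is the condition the post asks about, and group_by_event() shows whether a matching alert with ports was logged in the same second.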