Snort mailing list archives
Re: Sourcefire VRT Certified Snort Rules Update 2010-03-17
From: Will Metcalf <william.metcalf () gmail com>
Date: Tue, 23 Mar 2010 16:11:13 -0500
> 1) sid:15013 will only set the flowbit if I download the PDF from a webserver (alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS). What if the malicious PDF is sent via email -- or another method? 16490 will never even run because the flowbit is not set. Right?
>
> 2) From sid:16490, I gather that it will only trigger if the malicious PDF communicates with an external webserver on an HTTP_PORT and the exploit is then sent from that server (alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any -- flow to server). Is that correct? What if the malicious PDF is configured to communicate on a non-HTTP_PORT with the malicious webserver?
Or if encryption is used, or if the client-side exploit isn't contained within the first x bytes of the payload you have configured for flow_depth, or if the client-side exploit can be encoded in JavaScript, etc. etc. etc. This isn't a Snort-specific problem; all network-based IDSs suck at detecting client-side exploits. They just aren't the right tool for the job, despite what your vendor may share with you via their marketing slides ;-).
> This brings me to a question. What are most of you doing for 443/tcp? Do you include it in your HTTP_PORTS variable or not? By default I believe it is NOT included. Wouldn't this mean that another really easy way to avoid detection of this particular vulnerability being exploited would be to have your malicious PDF connect to port 443 instead of 80 outbound? (In Metasploit, setting LPORT to anything aside from 80?)
But you are filtering egress traffic, right? And using a proxy to enforce protocol behavior, right? Also, you have some sort of ASLR/buffer-overflow-type protection on your clients, right? Via some Host IPS product or something like EMET? http://www.microsoft.com/downloads/details.aspx?FamilyID=4a2346ac-b772-4d40-a750-9046542f343d&displaylang=en

Regards,
Will
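The blind spots discussed above (flowbit chains that only see HTTP-port downloads, and 443 missing from HTTP_PORTS) can be checked with a small coverage model. This is an added example, not code from the thread or the VRT rules; the rule logic, port list and payload markers are constructed stand-ins for a setter rule like sid:15013 and a checker rule like sid:16490, and TLS is ignored (a real TLS session on 443 would hide the content from Snort anyway, as the "encryption is used" point notes).

```python
# Toy model of a two-rule Snort flowbit chain (constructed example).
# Rule A sets a flowbit on a PDF request over $HTTP_PORTS; rule B alerts on
# exploit content in the response only if that flowbit is set.
from dataclasses import dataclass, field

HTTP_PORTS = {80, 8080}   # assumption: a default-style list without 443


@dataclass
class Session:
    """One client<->server session; Snort tracks flowbits per session."""
    server_port: int               # port the client connected to
    request: bytes                 # client -> server payload (to_server)
    response: bytes                # server -> client payload (to_client)
    flowbits: set = field(default_factory=set)


def rule_set_flowbit(s: Session, http_ports=HTTP_PORTS) -> None:
    """Stand-in for the setter rule: only a .pdf request on an HTTP port sets
    the flowbit, so an e-mailed PDF or a non-HTTP port never reaches it."""
    if s.server_port in http_ports and b".pdf" in s.request.lower():
        s.flowbits.add("pdf.request")


def rule_alert_on_exploit(s: Session) -> bool:
    """Stand-in for the checker rule: flowbits:isset plus a content match."""
    return "pdf.request" in s.flowbits and b"EXPLOIT_MARKER" in s.response


def chain_alerts(s: Session, http_ports=HTTP_PORTS) -> bool:
    """Run both rules in order over one session; True means an alert."""
    rule_set_flowbit(s, http_ports)
    return rule_alert_on_exploit(s)


# Constructed sessions matching the cases raised in the thread.
EXPLOIT = b"%PDF-1.4 ... EXPLOIT_MARKER ..."
CASES = {
    "http_80": Session(80, b"GET /a.pdf HTTP/1.1", EXPLOIT),
    "smtp_25": Session(25, b"MAIL FROM:<x@example.invalid>", EXPLOIT),  # e-mailed
    "port_443": Session(443, b"GET /a.pdf HTTP/1.1", EXPLOIT),  # cleartext on 443
}


def coverage(http_ports=HTTP_PORTS) -> dict:
    """Which cases the chain alerts on under a given HTTP_PORTS setting."""
    return {name: chain_alerts(Session(s.server_port, s.request, s.response),
                               http_ports) for name, s in CASES.items()}


if __name__ == "__main__":
    print(coverage())                      # only http_80 alerts
    print(coverage(HTTP_PORTS | {443}))    # port_443 now alerts; smtp_25 still blind
```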