Re: False Negatives in Snort

[Joel Esler <jesler () sourcefire com>]

Why do you need to specify a snaplen?


On Jul 6, 2011, at 4:58 AM, Dheeraj Gupta wrote:

> Hi,
> Turns out Snort was discarding packets(IP4Disc) so no alerts were logged . I set the snaplen to 3000 using -P option 
> and now MS04-007 signature fires well....however the chunked encoding one still does not fire and the only alerts I 
> get is about shellcode
>
> On Mon, Jun 27, 2011 at 9:34 PM, Bhagya Bantwal <bbantwal () sourcefire com> wrote:
>
> Can you provide with a sample pcap for this issue?
>
> -B
> On Fri, Jun 24, 2011 at 7:29 AM, Dheeraj Gupta <dheeraj.gupta4 () gmail com> wrote:
> For my project, I need to generate some dummy attack traffic, so I decided to use an old Windows XP system 
> (unpatched) and ran a few commercial/open source exploits on it. While most of the attempts were flagged by Snort, 
> two in particular were entirely missed. Ironically, they were also successful and returned a shell to the system
>
> Apache Chunked Encoding - A very old flaw in Apache 1.3.19 (I am running that old version just for the sake of 
> vulnerabilties). OSVDb entry - http://osvdb.org/show/osvdb/838
> My snort.conf has following entries for gzip related part 
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
> preprocessor http_inspect_server: server default \
>     chunk_length 500000 \
>     server_flow_depth 0 \
>     client_flow_depth 0 \
>     post_depth 65495 \
>     oversize_dir_length 500 \
>     max_header_length 750 \
>     max_headers 100 \
>     ports { 80 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 
> 8118 8123 8180 8243 8280 8888 9090 9091 9443 9999 11371 } \
>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>     enable_cookie \
>     extended_response_inspection \
>     inspect_gzip \
>     normalize_utf \
>     unlimited_decompress \
>     apache_whitespace no \
>     ascii no \
>     bare_byte no \
>     base36 no \
>     directory no \
>     double_decode no \
>     iis_backslash no \
>     iis_delimiter no \
>     iis_unicode no \
>     multi_slash no \
>     utf_8 no \
>     u_encode yes \
>     webroot no
>
> MS04-007 - OSVDB entry - http://osvdb.org/show/osvdb/3902
>
> All the snort signatures that are mentioned in the OSVDB entries are enabled and I have restarted snort after 
> enabling the signatures. However, the successful attempts are not being flagged.
> For apache chunked encosing I used metasploit and a commercial product while for MS04-007 I used the commercial 
> product to attack through port 445
>
> Any ideas
>
> Dheeraj
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense..
> http://p.sf.net/sfu/splunk-d2d-c1
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please see http://www.snort.org/docs for documentation
>
>
>
>
> -- 
> To iterate is human.To recurse, divine!
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security 
> threats, fraudulent activity, and more. Splunk takes this data and makes 
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please see http://www.snort.org/docs for documentation

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security 
threats, fraudulent activity, and more. Splunk takes this data and makes 
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation