Snort mailing list archives

Re: SHELLCODE_PORTS & double negatives.


From: "Richmond, Ian" <RichmondIan () bfusa com>
Date: Thu, 12 Jul 2012 13:19:33 -0500

Another item to add to this question..
I have noticed, using the default config of "portvar SHELLCODE_PORTS !80" as is the default shipped with snort still 
triggers rules like :

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 inc ecx 
NOOP";content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";classtype:shellcode-detect;sid:1394;rev:31)

..on port 80.

Ran a simple test to 'www.google.com/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' and got an event:

(highly edited)
2012-07-12 12:43:12 - SHELLCODE x86 inc ecx NOOP
DATA:
'<!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 404 (Not Found)!!1</title>
  <style>
    *{margin:0;padding:0}html,code{font:15px/22px 
arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 
0;max-width:390px;min-height:180px;padding:30px 0 15px}* > 
body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 
22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and 
(max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}
  </style>
  <a href=//www.google.com/><img src=//www.google.com/images/errors/logo_sm.gif alt=Google></a>
  <p><b>404.</b> <ins>Thats an error.</ins>
  <p>The requested URL <code>/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</code> was not found on this server.  
<ins>Thats all we know.</ins>'


Is anyone else seeing "$SHELLCODE_PORTS" rules trigger on port 80 when they should not be?
Does SHELLCODE_PORTS have an internal (to the snort binary) default that's overriding the config file?
Is snort applying portvar SHELLCODE_PORTS at all?


If anyone is in the position to test this I would love to hear if you're seeing the same results.
Thank you very much.


From: Richmond, Ian [mailto:RichmondIan () bfusa com]
Sent: Tuesday, July 10, 2012 10:03 AM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] SHELLCODE_PORTS & double negatives.

Can someone point out the error of my ways concerning SHELLCODE_PORTS please.
The default config for this per the /etc/snort.conf example file is "portvar SHELLCODE_PORTS !80"
I would like to add another port to ignore. My initial reaction was to change this to "portvar SHELLCODE_PORTS !80,!x"
This apparently is wrong and related rules still triggered on this port "x".

So I looked through the docs and found this blurb:
NOTE: The behavior for negating IP, IP lists, and CIDR blocks has changed!
This new behavior is enabled by default regardless of whether or not IPv6
support is enabled.  See the IP Variables and IP Lists section below for
more information.

As well as this:
IPs, IP lists, and CIDR blocks may be negated with '!'.  Negation is handled
differently compared with Snort versions 2.7.x and earlier.  Previously, each
element in a list was logically OR'ed together.  IP lists now OR non-negated
elements and AND the result with the OR'ed negated elements.

Which made me think that the general format should be [a,b,c],![x,y,z].
So I tried this format "portvar SHELLCODE_PORTS ![80,x]".
Snort loaded the config happily and still triggered on rules using SHELLCODE_PORTS and port x.

Is this a known bug/feature? Am I doing it wrong?
How do I negate two ports from SHELLCODE_PORTS properly?
Thank you.


Ian
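The manual text quoted in the message describes list semantics (OR the non-negated elements, AND the result with the OR'ed negated elements) without showing what the three spellings the poster tried actually resolve to. The following is an added example, not code from the thread or from Snort itself: a small Python model of those documented port-list semantics plus a header-port check in the shape of the sid:1394 rule header. The port 8080 is a constructed stand-in for the unnamed port "x"; the model makes no claim about why the alerts in the message fired, only about what the quoted rule says each spelling should match.

```python
"""Model of Snort-style port-list negation (added example, not Snort code).

Assumption: follows the semantics quoted in the post, "OR the non-negated
elements, AND the result with the OR'ed negated elements".  It is a model of
the documented rule, not of Snort's parser or its matching engine.
"""
from __future__ import annotations

from functools import lru_cache

MAX_PORT = 65535


def _split_top_level(spec: str) -> list[str]:
    """Split on commas that are not nested inside [...]."""
    parts: list[str] = []
    cur: list[str] = []
    depth = 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced ']' in {spec!r}")
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if depth != 0:
        raise ValueError(f"unbalanced '[' in {spec!r}")
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def _atom_ports(atom: str) -> frozenset[int]:
    """Ports named by one non-negated atom: 'any', 'N', 'N:M', ':M' or 'N:'."""
    if atom == "any":
        return frozenset(range(MAX_PORT + 1))
    if ":" in atom:
        lo_s, hi_s = atom.split(":", 1)
        lo = int(lo_s) if lo_s.strip() else 0
        hi = int(hi_s) if hi_s.strip() else MAX_PORT
    else:
        lo = hi = int(atom)
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"port out of range in {atom!r}")
    return frozenset(range(lo, hi + 1))


@lru_cache(maxsize=None)
def parse_portlist(spec: str) -> frozenset[int]:
    """Return the set of ports a port list matches.

    Non-negated elements are OR'ed together; negated elements are OR'ed
    together and then subtracted.  A list made only of negated elements
    starts from every port, which is what makes '!80' mean 'all but 80'.
    """
    spec = spec.strip()
    if not spec:
        raise ValueError("empty port list")
    positives: frozenset[int] | None = None
    negatives: frozenset[int] = frozenset()
    for elem in _split_top_level(spec):
        negated = elem.startswith("!")
        body = elem[1:].strip() if negated else elem
        if body.startswith("[") and body.endswith("]"):
            ports = parse_portlist(body[1:-1])  # nested list resolved on its own
        else:
            ports = _atom_ports(body)
        if negated:
            negatives |= ports
        else:
            positives = ports if positives is None else positives | ports
    if positives is None:
        positives = frozenset(range(MAX_PORT + 1))
    result = positives - negatives
    if not result:
        # Matches nothing: the documented invalid cases such as [80,!80] or !any.
        raise ValueError(f"port list {spec!r} is a logical contradiction")
    return result


def header_matches(src_spec: str, dst_spec: str, src_port: int, dst_port: int) -> bool:
    """Does a packet's (src, dst) port pair satisfy both port fields of a rule header?"""
    return src_port in parse_portlist(src_spec) and dst_port in parse_portlist(dst_spec)


if __name__ == "__main__":
    # Constructed: 8080 stands in for the unnamed second port "x" in the post.
    for var in ("!80", "!80,!8080", "![80,8080]", "[!80,!8080]"):
        ports = parse_portlist(var)
        print(f"{var:14} excludes 80: {80 not in ports}  excludes 8080: {8080 not in ports}")
    # The sid:1394 header uses $SHELLCODE_PORTS on both sides.  A reply from a web
    # server carries source port 80, so under these semantics it should not match.
    print("reply from :80 matches header:",
          header_matches("![80,8080]", "![80,8080]", 80, 51234))
```

Under the documented semantics, `!80,!8080`, `![80,8080]` and `[!80,!8080]` all resolve to the same set, and a packet with source port 80 fails the `$SHELLCODE_PORTS -> $SHELLCODE_PORTS` header. That is a useful baseline to compare against the behaviour the message reports, since any difference then points at something other than list syntax.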