Snort mailing list archives
Re: SHELLCODE_PORTS & double negatives.
From: "Richmond, Ian" <RichmondIan () bfusa com>
Date: Thu, 12 Jul 2012 13:19:33 -0500
Another item to add to this question. I have noticed, using the default config of "portvar SHELLCODE_PORTS !80" as shipped with snort, that rules like this still trigger on port 80:

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; classtype:shellcode-detect; sid:1394; rev:31;)

Ran a simple test to 'www.google.com/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' and got an event (highly edited):

2012-07-12 12:43:12 - SHELLCODE x86 inc ecx NOOP DATA: '<!DOCTYPE html> <html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}} </style> <a href=//www.google.com/><img src=//www.google.com/images/errors/logo_sm.gif alt=Google></a> <p><b>404.</b> <ins>Thats an error.</ins> <p>The requested URL <code>/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</code> was not found on this server. <ins>Thats all we know.</ins>'

Is anyone else seeing "$SHELLCODE_PORTS" rules trigger on port 80 when they should not be? Does SHELLCODE_PORTS have an internal (to the snort binary) default that's overriding the config file? Is snort applying portvar SHELLCODE_PORTS at all? If anyone is in the position to test this I would love to hear if you're seeing the same results. Thank you very much.
From: Richmond, Ian [mailto:RichmondIan () bfusa com]
Sent: Tuesday, July 10, 2012 10:03 AM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] SHELLCODE_PORTS & double negatives.

Can someone point out the error of my ways concerning SHELLCODE_PORTS please. The default config for this per the /etc/snort.conf example file is "portvar SHELLCODE_PORTS !80". I would like to add another port to ignore. My initial reaction was to change this to "portvar SHELLCODE_PORTS !80,!x". This apparently is wrong, and related rules still triggered on this port "x". So I looked through the docs and found this blurb:

NOTE: The behavior for negating IP, IP lists, and CIDR blocks has changed! This new behavior is enabled by default regardless of whether or not IPv6 support is enabled. See the IP Variables and IP Lists section below for more information.

As well as this:

IPs, IP lists, and CIDR blocks may be negated with '!'. Negation is handled differently compared with Snort versions 2.7.x and earlier. Previously, each element in a list was logically OR'ed together. IP lists now OR non-negated elements and AND the result with the OR'ed negated elements.

Which made me think that the general format should be [a,b,c],![x,y,z]. So I tried this format "portvar SHELLCODE_PORTS ![80,x]". Snort loaded the config happily and still triggered on rules using SHELLCODE_PORTS and port x. Is this a known bug/feature? Am I doing it wrong? How do I negate two ports from SHELLCODE_PORTS properly?

Thank you.
Ian
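A small model of the list semantics in the manual sentence quoted above, added here as an illustration and not Snort's own parser: it evaluates the three portvar spellings tried in the thread and the rule's two-sided port test against the observed port 80 -> client flow. The second port "x" (8080) and the client port (51234) are constructed placeholders, and the literal reading of "OR'ed negated elements" is an assumption of this model.

```python
import re

ALL_PORTS = frozenset(range(65536))

def _element(tok: str) -> frozenset:
    """One list element: a single port ('80') or an inclusive range ('9000:9999')."""
    m = re.fullmatch(r"(\d+)(?::(\d+))?", tok)
    if not m:
        raise ValueError(f"bad port element: {tok!r}")
    lo = int(m.group(1))
    hi = int(m.group(2) or lo)
    return frozenset(range(lo, hi + 1))

def parse_portvar(spec: str) -> frozenset:
    """Ports selected by a portvar value, modelled on the quoted manual text:
    non-negated elements are OR'ed, negated elements are OR'ed, and the two
    results are AND'ed.  A '!' before a whole bracketed list negates the
    entire list.  Illustrative model (assumption), not Snort's parser."""
    spec = spec.replace(" ", "")
    if spec.startswith("![") and spec.endswith("]"):
        return ALL_PORTS - parse_portvar(spec[1:])      # ![80,x] = NOT (80 OR x)
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    positive, negative = frozenset(), None
    for tok in spec.split(","):
        if tok.startswith("!"):
            neg = ALL_PORTS - _element(tok[1:])          # '!80' = every port but 80
            negative = neg if negative is None else negative | neg
        else:
            positive |= _element(tok)
    if not positive:
        positive = ALL_PORTS                             # no positive element: start from all
    return positive if negative is None else positive & negative

def rule_ports_match(var: str, sport: int, dport: int) -> bool:
    """Port test for 'alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET
    $SHELLCODE_PORTS': source AND destination port must both be in the set."""
    ports = parse_portvar(var)
    return sport in ports and dport in ports

if __name__ == "__main__":
    X = 8080           # constructed stand-in for the unnamed port 'x'
    CLIENT = 51234     # constructed ephemeral client port
    for var in ("!80", f"!80,!{X}", f"![80,{X}]"):
        p = parse_portvar(var)
        print(f"{var:14} excludes 80: {80 not in p}  excludes {X}: {X not in p}")
    # the observed flow: Google's 404 response, server port 80 -> client port
    print("80->client passes the rule's port test:", rule_ports_match("!80", 80, CLIENT))
```

Under this reading "!80,!x" excludes nothing, because "not 80 OR not x" is true of every port, while "![80,x]" excludes both; and with "!80" the 80 -> client flow fails the rule's port test on the source side, so a hit there points at something other than the port list.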