Snort mailing list archives
Trying to use snort with TALOS-2016-0219
From: Yuri Niyazov <yuri () academia edu>
Date: Fri, 25 Nov 2016 19:41:03 -0800
Hi everyone, Snort newbie here. I am trying to detect the latest memcache vulnerabilities, http://www.talosintelligence.com/reports/TALOS-2016-0219/

Output of snort -V, as requested in the instructions for posting reports to this list:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.3 GRE (Build 383)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8

So, I have a packet capture that is the proof-of-concept exploit (code copy-pasted from the vulnerability announcement). That packet capture is attached. It is detected when I run "snort -c etc/works.conf -r /var/log/snort/memcachedump.1480128874"; I get the text below in /var/log/snort/alert:

[**] [3:40474:2] SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/26-02:54:44.674785 162.243.66.145:57162 -> 162.243.91.201:11211
TCP TTL:63 TOS:0x0 ID:47627 IpLen:20 DgmLen:1100 DF
***AP*** Seq: 0xF7EF58B0  Ack: 0x1E0819C9  Win: 0x1C9  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3334822 5964160
[Xref => http://www.talosintelligence.com/reports/TALOS-2016-0219]

However, when I run "snort -c etc/broken.conf -r /var/log/snort/memcachedump.1480128874" the alert doesn't happen.

The difference between works.conf and broken.conf is that broken.conf includes the stream5_global, stream5_tcp and stream5_udp preprocessors as they are configured in the latest downloadable ruleset (these aren't the files I will end up using, these are just the smallest difference I was able to isolate between "working" and "not working").

Now, if I understand things correctly, the streaming preprocessor provides important functionality that shouldn't just be turned off blindly, so the question is: what in that preprocessor configuration could be masking the memcached exploit?
Attachments:
  memcachedump.1480128874
  works.conf
  broken.conf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
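The symptom described in the post (a rule fires on a pcap replay until the stream5 preprocessors are enabled) is usually narrowed down by looking at what the capture actually gives the stream tracker to work with. The script below is an added diagnostic, not code from the thread or from the Snort project. It reads a classic pcap (assumed to be Ethernet/IPv4/TCP; the page shows IpLen:20 but not the link type) with only the Python standard library and, for the session on port 11211, reports two things a defender checks first: whether every packet carries valid IP and TCP checksums (Snort verifies them by default and silently drops failures before any preprocessor or rule runs; `-k none` turns that off), and whether the capture contains the SYN / SYN-ACK / ACK exchange, since without it stream5 can only pick the session up midstream. The sample captures it builds for its self-test are constructed: RFC 5737 addresses and a benign memcached `stats` command, not the proof-of-concept traffic.

```python
import struct
import sys

MEMCACHED_PORT = 11211                 # the server port in the alert on the page
SYN, PSH, ACK = 0x02, 0x08, 0x10       # TCP flag bits used below


def _csum(data: bytes) -> int:
    """RFC 1071 Internet checksum; evaluates to 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src, dst, sport, dport, seq, ack, flags, payload=b"", corrupt_tcp_csum=False):
    """Constructed Ethernet/IPv4/TCP frame with valid checksums (optionally a deliberately bad TCP one)."""
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    csum = _csum(src + dst + struct.pack("!BBH", 0, 6, tcp_len) + tcp + payload)
    if corrupt_tcp_csum:
        csum ^= 0x00FF                  # flip the low byte: guaranteed to fail verification
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def build_pcap(frames, ts=1480128874):
    """Minimal little-endian classic pcap (linktype 1 = Ethernet) around the given frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield raw frames from a classic pcap; only the Ethernet link type is handled here."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are supported")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl


def parse_tcp(frame):
    """Decode IPv4/TCP (None for anything else) and verify both checksums, as Snort's default checksum_mode does."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]
    ihl = (ip[0] & 0x0F) * 4
    src, dst, tcp = ip[12:16], ip[16:20], ip[ihl:]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": tcp[13], "payload": tcp[(tcp[12] >> 4) * 4:],
            "ip_ok": _csum(ip[:ihl]) == 0,
            "tcp_ok": _csum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) == 0}


def check_session(pcap_bytes, port=MEMCACHED_PORT):
    """Summarise what a stream tracker would be able to see for the TCP session on `port`."""
    r = {"packets": 0, "bad_checksum": 0, "syn": False, "synack": False,
         "handshake_complete": False, "data_before_handshake": 0, "data_to_server": 0}
    for frame in read_pcap(pcap_bytes):
        p = parse_tcp(frame)
        if p is None or port not in (p["sport"], p["dport"]):
            continue
        r["packets"] += 1
        if not (p["ip_ok"] and p["tcp_ok"]):
            r["bad_checksum"] += 1      # dropped by Snort before preprocessors or rules run
            continue
        to_server, f = p["dport"] == port, p["flags"]
        if to_server and f & SYN and not f & ACK:
            r["syn"] = True
        elif not to_server and f & SYN and f & ACK:
            r["synack"] = True
        elif to_server and f & ACK and r["syn"] and r["synack"]:
            r["handshake_complete"] = True
        if to_server and p["payload"]:
            r["data_to_server"] += 1
            if not r["handshake_complete"]:
                r["data_before_handshake"] += 1
    return r


def verdict(r):
    """Hints for the 'alerts without stream5, silent with it' symptom; empty when nothing looks wrong."""
    hints = []
    if r["bad_checksum"]:
        hints.append("%d packet(s) fail checksum verification; retest with 'snort -k none' and check "
                     "for checksum offload on the capturing host" % r["bad_checksum"])
    if not r["handshake_complete"]:
        hints.append("no complete SYN/SYN-ACK/ACK on port %d (%d data packet(s) arrive with no tracked "
                     "handshake); stream5 can only pick this session up midstream" % (MEMCACHED_PORT, r["data_before_handshake"]))
    return hints


def sample_captures():
    """Constructed test traffic (RFC 5737 addresses, benign 'stats' command), not the PoC from the report."""
    c, s = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])
    data = lambda bad=False: build_frame(c, s, 57162, 11211, 101, 501, PSH | ACK, b"stats\r\n", bad)
    return {"full_handshake": build_pcap([build_frame(c, s, 57162, 11211, 100, 0, SYN),
                                          build_frame(s, c, 11211, 57162, 500, 101, SYN | ACK),
                                          build_frame(c, s, 57162, 11211, 101, 501, ACK), data()]),
            "midstream": build_pcap([data()]),
            "bad_checksum": build_pcap([data(bad=True)])}


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:  # e.g. /var/log/snort/memcachedump.1480128874
        result = check_session(fh.read())
    print(result)
    for hint in verdict(result):
        print(" -", hint)
```

Run it against the attached capture (`python3 check_capture.py /var/log/snort/memcachedump.1480128874`, script name assumed) and compare the two hints with the stream5_tcp settings in broken.conf: a checksum failure is fixed on the Snort command line or in the capture setup, not in the preprocessor, while a missing handshake points at how the capture was taken rather than at the rule.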
Current thread:
- Trying to use snort with TALOS-2016-0219 Yuri Niyazov (Nov 25)
- Re: Trying to use snort with TALOS-2016-0219 Joel Esler (jesler) (Nov 28)
- Re: Trying to use snort with TALOS-2016-0219 Patrick Mullen (Nov 28)
- Re: Trying to use snort with TALOS-2016-0219 Yuri Niyazov (Nov 28)
- Re: Trying to use snort with TALOS-2016-0219 Patrick Mullen (Nov 29)
- Re: Trying to use snort with TALOS-2016-0219 Joel Esler (jesler) (Nov 29)
- Re: Trying to use snort with TALOS-2016-0219 Patrick Mullen (Nov 28)
- Re: Trying to use snort with TALOS-2016-0219 Joel Esler (jesler) (Nov 28)