Snort mailing list archives
Re: Snort 3.0 is not detecting shell code attacks
From: Chankit Dureja <chankit.dureja () dcmail ca>
Date: Wed, 19 Jun 2019 15:13:00 +0000
Hello all, I am working on a project where we are implementing SNORT as a detection system. Does anyone know what all information would we need from our networks team to be able to implement it? Like router/switches info? Thanks, Chank ________________________________ From: Chankit Dureja Sent: 19 June 2019 11:10:11 To: João Pedro; Russ Combs (rucombs); Dorian ROSSE; snort-users-bounces () lists snort org Subject: Re: [Snort-users] Snort 3.0 is not detecting shell code attacks Hello all, I am working on a project where we are implementing SNORT as a detection system. Does anyone know what all information would we need from our networks team to be able to implement it? Like router/switches info? Thanks, Chank ________________________________ From: Snort-users <snort-users-bounces () lists snort org> on behalf of Dorian ROSSE via Snort-users <snort-users () lists snort org> Sent: 17 June 2019 08:48 To: João Pedro; Russ Combs (rucombs); snort-users () lists snort org Subject: Re: [Snort-users] Snort 3.0 is not detecting shell code attacks It web pages explain how to rules json attacks : https://idstools.readthedocs.io/en/latest/tools/u2json.html u2json - A unified2 to JSON converter — idstools 0.6.3 documentation - idstools.readthedocs.io<https://idstools.readthedocs.io/en/latest/tools/u2json.html> idstools.readthedocs.io The above command will operate like barnyard, reading all unified2.log files in /var/log/snort, waiting for new unified2 records when the end of the last file is reached. Regards. Dorian ROSSE. Provenance : Courrier<https://go.microsoft.com/fwlink/?LinkId=550986> pour Windows 10 ________________________________ De : João Pedro <oladj () live com pt> Envoyé : Monday, June 17, 2019 2:23:57 PM À : Russ Combs (rucombs); Dorian ROSSE; snort-users () lists snort org Objet : Re: [Snort-users] Snort 3.0 is not detecting shell code attacks OMG! It worked!!!! I added '--lua "search_engine.detect_raw_tcp = true"' to my command and worked! Thank you so much :) Às 12:56 de 17/06/19, Russ Combs (rucombs) escreveu: You need to add –k none --lua "search_engine.detect_raw_tcp = true" to your command line. Doing so gets some hits on 1394 and 648. Raw tcp detection is required by those rules and the checksum issue is indicated by the shutdown stats without –k none: codec total: 194402 (100.000%) discards: 85883 ( 44.178%) ipv4 bad_checksum: 85831 An update will be out soon that removes the requirement for the raw tcp setting. From: João Pedro <oladj () live com pt<mailto:oladj () live com pt>> Date: Monday, June 17, 2019 at 7:29 AM To: Dorian ROSSE <dorianbrice () hotmail fr<mailto:dorianbrice () hotmail fr>>, "snort-users () lists snort org<mailto:snort-users () lists snort org>" <snort-users () lists snort org<mailto:snort-users () lists snort org>>, Sourcefire Helpdesk <rucombs () cisco com<mailto:rucombs () cisco com>> Subject: Re: [Snort-users] Snort 3.0 is not detecting shell code attacks Thanks for your help. I think the community rules are enough for what I want to test. For example, the rule below seems enough to trigger an alert, but does not make sense to me why is not triggered... * alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; metadata:ruleset community; classtype:shellcode-detect; sid:1394; rev:17; There are other rules, non-related to shell code, that are triggered, so Snort seems working. I already tested the rule I mentioned separately, but didn't work either. Às 12:14 de 17/06/19, Dorian ROSSE escreveu: Maybe community rules doesn’t enough against It attacks ? Provenance : Courrier<https://go.microsoft.com/fwlink/?LinkId=550986> pour Windows 10 ________________________________ De : Snort-users <snort-users-bounces () lists snort org><mailto:snort-users-bounces () lists snort org> de la part de João Pedro via Snort-users <snort-users () lists snort org><mailto:snort-users () lists snort org> Envoyé : Monday, June 17, 2019 12:51:01 PM À : snort-users () lists snort org<mailto:snort-users () lists snort org>; Russ Combs (rucombs) Objet : Re: [Snort-users] Snort 3.0 is not detecting shell code attacks Is also possible to check my config files and .pcap file in: https://we.tl/t-CL0SotgzlU Às 11:30 de 17/06/19, João Pedro via Snort-users escreveu: I send those files enclosed in this email. It's possible to check now my problem easily. I run this command every time I want to test Snort: * snort -r myfile.pcapng -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/snort3-community.rules -A alert_json > alerts.json I'm expecting the rule "1394" and "648" to be triggered, but is not working... In .pcap file is possible to see buffer overflow attacks tested by me (e.g. check the filter "tcp.dstport==50096 or tcp.dstport==50098"). What is the problem? Às 02:26 de 17/06/19, Russ Combs (rucombs) escreveu: Please send pcap, rules, config so we can help you out. On 6/16/19, 7:39 PM, "Snort-users on behalf of João Pedro via Snort-users" <snort-users-bounces () lists snort org on behalf of snort-users () lists snort org><mailto:snort-users-bounces@lists.snort.orgonbehalfofsnort-users () lists snort org> wrote: I'm testing snort 3.0 with Community rules. Besides triggering alerts from port scans, it is not detecting Buffer Overflow attacks (.i.e. made with Metasploit). Is there a problem with the current rules in Snort 3.0? Should I activate/config something else? Ps: I'm testing Snort from .pcap files _______________________________________________ Snort-users mailing list Snort-users () lists snort org<mailto:Snort-users () lists snort org> Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users To unsubscribe, send an email to: snort-users-leave () lists snort org<mailto:snort-users-leave () lists snort org> Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette _______________________________________________ Snort-users mailing list Snort-users () lists snort org<mailto:Snort-users () lists snort org> Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users To unsubscribe, send an email to: snort-users-leave () lists snort org<mailto:snort-users-leave () lists snort org> Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users To unsubscribe, send an email to: snort-users-leave () lists snort org Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Current thread:
- Snort 3.0 is not detecting shell code attacks João Pedro via Snort-users (Jun 16)
- <Possible follow-ups>
- Re: Snort 3.0 is not detecting shell code attacks Russ Combs (rucombs) via Snort-users (Jun 16)
- Re: Snort 3.0 is not detecting shell code attacks João Pedro via Snort-users (Jun 17)
- Re: Snort 3.0 is not detecting shell code attacks João Pedro via Snort-users (Jun 17)
- Re: Snort 3.0 is not detecting shell code attacks Dorian ROSSE via Snort-users (Jun 17)
- Re: Snort 3.0 is not detecting shell code attacks João Pedro via Snort-users (Jun 17)
- Re: Snort 3.0 is not detecting shell code attacks Russ Combs (rucombs) via Snort-users (Jun 17)
- Re: Snort 3.0 is not detecting shell code attacks João Pedro via Snort-users (Jun 17)
- Re: Snort 3.0 is not detecting shell code attacks Dorian ROSSE via Snort-users (Jun 18)
- Re: Snort 3.0 is not detecting shell code attacks Dorian ROSSE via Snort-users (Jun 18)
- Message not available
- Re: Snort 3.0 is not detecting shell code attacks Chankit Dureja (Jun 19)
- Re: Snort 3.0 is not detecting shell code attacks João Pedro via Snort-users (Jun 17)
- Re: Snort 3.0 is not detecting shell code attacks Dorian ROSSE via Snort-users (Jun 17)