Snort mailing list archives
Exploits not being reported
From: Arvind Clemente <arvind () controlnet co in>
Date: Fri, 30 Nov 2001 17:44:11 +0530
Hi All,

I have a Snort box up and running and it is logging everything to a MySQL database. It can detect portscans from NMAP, Nimda viruses etc. But it could not detect the wu-ftpd exploit and the rpc-statd exploit. Also it did not detect portscans done with the LANGuard network scanner running on NT. Following are the details.

I have my Snort box running on a hub and have created 3 nodes in the network to experiment with the same. Two nodes are running Redhat 6.2, and one node is on Windows NT. I have loaded LANGuard Network Scanner on my NT machine and whenever I scan the ports on the other two Linux machines it does not report. My first step to diagnose this problem was to port scan my Snort box itself; with this also it did not report. My next step, I used NMAP for portscanning and it reported. Therefore the config within Snort is proper (I presume).

I have with me the rpc-statd exploit and the wu-ftpd exploit, where both give root access to the machine. Whenever I try to run this exploit the Snort box detects it as "ATTACK RESPONSES id check returned root". If you analyse the payload it says length = 52:

    000 : 75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D uid=0(root) gid=
    010 : 30 28 72 6F 6F 74 29 20 65 67 69 64 3D 35 30 28 0(root) egid=50(
    020 : 66 74 70 29 20 67 72 6F 75 70 73 3D 35 30 28 66 ftp) groups=50(f
    030 : 74 70 29 0A tp).

That means Snort will report this error whenever it sees the above. To confirm, I telneted to the Redhat machine, got access as root and ran id at the prompt, and sure enough it detected it.

Can anybody throw some light on this, as to why it could not detect this alert? Do I need to add a rule to the rule file etc.? This attack was targeted on my Linux box and the black-hat planted TORnkit, but luckily I detected it (without Snort --- because it would not allow me to log in with my id) and disconnected this m/c from the net. Now I want to use Snort as my IDS.

I am running snort-1.8.2 and the latest snortrules.

Thanks in advance,
rgds
Arvind Clemente

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
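Added example (not from the post above and not Snort project code): a small Python re-creation of the content match behind the "ATTACK RESPONSES id check returned root" alert, run over the 52-byte payload dump quoted in the post. It rebuilds the raw bytes from Snort's hex-dump layout and applies the same kind of plain substring match that Snort's content: keyword performs. The pattern `uid=0(root)` is assumed to be the rule's content string (it is the text visible in the quoted payload); the second, non-root `id` output is a constructed sample, not traffic from the post. The point it makes is the one Arvind's telnet test already shows: this rule keys on the *response* (the output of `id`), not on the exploit request, so it fires for any root shell that runs `id`, including a legitimate login, and says nothing about whether the wu-ftpd or rpc-statd request itself was seen.

```python
"""Re-create the content match behind Snort's 'id check returned root' alert
using the payload dump quoted in the mailing-list post (added example)."""
import re

# Copied from the post: Snort's hex dump layout is "<hex offset> : <hex bytes> <ascii>".
PAGE_PAYLOAD_DUMP = """\
000 : 75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D uid=0(root) gid=
010 : 30 28 72 6F 6F 74 29 20 65 67 69 64 3D 35 30 28 0(root) egid=50(
020 : 66 74 70 29 20 67 72 6F 75 70 73 3D 35 30 28 66 ftp) groups=50(f
030 : 74 70 29 0A tp).
"""

# Assumed content pattern of the rule (the string the quoted payload contains).
ID_ROOT_PATTERN = b"uid=0(root)"

# Constructed sample: `id` output of an unprivileged user, which must NOT match.
NON_ROOT_ID_OUTPUT = b"uid=500(arvind) gid=500(arvind) groups=500(arvind)\n"

HEX_DIGITS = set("0123456789abcdefABCDEF")
BYTES_PER_DUMP_LINE = 16


def parse_snort_hexdump(dump: str) -> bytes:
    """Rebuild raw payload bytes from a Snort-style hex dump.

    Only the hex column is used. Each line carries at most 16 bytes, and the
    first token that is not exactly two hex digits starts the ASCII column.
    The offset at the start of each line is checked against the number of
    bytes already collected, which catches a truncated or misordered dump.
    """
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        offset_str, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"no offset separator in dump line: {line!r}")
        offset = int(offset_str.strip(), 16)
        if offset != len(out):
            raise ValueError(
                f"offset {offset_str.strip()} but {len(out)} bytes read so far")
        taken = 0
        for token in rest.split():
            if taken == BYTES_PER_DUMP_LINE:
                break
            if len(token) == 2 and all(c in HEX_DIGITS for c in token):
                out.append(int(token, 16))
                taken += 1
            else:
                break  # reached the ASCII column
    return bytes(out)


def id_check_returned_root(payload: bytes) -> bool:
    """Plain, case-sensitive substring match at any offset, as content: does."""
    return ID_ROOT_PATTERN in payload


def decode_id_output(payload: bytes) -> dict:
    """Split `id`-style output into its name=value fields for alert context."""
    text = payload.decode("ascii", errors="replace")
    return {key: value for key, value in re.findall(r"(\w+)=(\S+)", text)}


if __name__ == "__main__":
    payload = parse_snort_hexdump(PAGE_PAYLOAD_DUMP)
    print(f"{len(payload)} bytes:", payload)
    for sample in (payload, NON_ROOT_ID_OUTPUT):
        hit = id_check_returned_root(sample)
        print("ALERT" if hit else "no match", decode_id_output(sample))
```

Because the match is on the response, the alert is evidence that some shell on the box ran `id` as root; whether that shell came from wu-ftpd, rpc-statd or a telnet login cannot be read from this alert alone, which is why it also fired during the telnet check described in the post.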
Current thread:
- Exploits not being reported Arvind Clemente (Nov 30)
- Re: Exploits not being reported Brian (Nov 30)