Snort mailing list archives

Exploits not being reported


From: Arvind Clemente <arvind () controlnet co in>
Date: Fri, 30 Nov 2001 17:44:11 +0530

Hi All,
    I have a Snort box up and running and it is logging everything to a MySQL
database. It can detect portscans from NMAP, Nimda viruses etc. But it
could not detect the wu-ftpd exploit and the rpc-statd exploit. Also it did not
detect portscans done with the LANGuard network scanner running on NT.
Following are the details.

I have my Snort box running on a hub and have created 3 nodes in the
network to experiment with the same. Two nodes are running Red Hat 6.2,
and one node is on Windows NT. I have loaded LANGuard Network Scanner
on my NT machine and whenever I scan the ports on the other two Linux
machines it does not report. My first step to diagnose this problem was
to port scan my Snort box itself; with this also it did not report. My
next step was to use NMAP for portscanning, and it reported. Therefore the config
within Snort is proper (I presume).

I have with me the rpc-statd exploit and the wu-ftpd exploit, both of which
give root access to the machine. Whenever I try to run these exploits the
Snort box detects them as
ATTACK RESPONSES id check returned root
If you analyse the payload it says

length = 52

       000 : 75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D   uid=0(root) gid=
       010 : 30 28 72 6F 6F 74 29 20 65 67 69 64 3D 35 30 28   0(root) egid=50(
       020 : 66 74 70 29 20 67 72 6F 75 70 73 3D 35 30 28 66   ftp) groups=50(f
       030 : 74 70 29 0A                                       tp).

That means Snort will report this error whenever it sees the above. To
confirm, I telnetted to the Red Hat machine, got access as root, ran id
at the prompt, and sure enough it detected it.

Can anybody throw some light on this, as to why it could not detect this
alert? Do I need to add a rule to the rule file etc.? This attack was
targeted at my Linux box and the black-hat planted TORnkit, but luckily I
detected it (without Snort, because it would not allow me to log in with
my ID) and disconnected this machine from the net. Now I want to use Snort as
my IDS.

I am running snort-1.8.2 and the latest snortrules.

Thanks in Advance

rgds

Arvind Clemente
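
The detection behaviour described in the post, as an added example that is not part of the original message or of Snort itself: the "ATTACK RESPONSES id check returned root" rule of that era matched the content string "uid=0(root)" in any payload, so it fires on the output of `id` (whether typed into an exploit-spawned shell or into an ordinary root telnet session) and never on the exploit request itself. The script below decodes the hex dump from the alert and runs the same content match over a few constructed payloads; the regex, the sample traffic and the exact wording of the original rule are assumptions made for illustration.

```python
"""Added example (not from the original post or from Snort): decode the
alert payload from the post and reproduce the content match behind the
"ATTACK RESPONSES id check returned root" alert over constructed traffic.
"""
import re

# Hex dump as printed in the alert on the mailing list post (offsets,
# then 16 bytes per line; the ASCII column is omitted here).
ALERT_HEX = """
000 : 75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D
010 : 30 28 72 6F 6F 74 29 20 65 67 69 64 3D 35 30 28
020 : 66 74 70 29 20 67 72 6F 75 70 73 3D 35 30 28 66
030 : 74 70 29 0A
"""


def parse_hexdump(dump: str) -> bytes:
    """Turn a Snort-style 'offset : hh hh ...' dump back into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _sep, hexpart = line.partition(":")
        out.extend(int(tok, 16) for tok in hexpart.split())
    return bytes(out)


# Assumption: the stock rule matched the literal content "uid=0(root)";
# the regex below reproduces that plain substring match, nothing more.
ROOT_ID_PATTERN = re.compile(rb"uid=0\(root\)")


def id_check_returned_root(payload: bytes) -> bool:
    """True if the payload carries the output of `id` for uid 0 (root)."""
    return ROOT_ID_PATTERN.search(payload) is not None


# Constructed sample payloads (server -> client direction), not captures.
SAMPLES = {
    "shell from exploit, attacker types 'id'":
        b"uid=0(root) gid=0(root) egid=50(ftp) groups=50(ftp)\n",
    "root telnet session, 'id' typed by hand":
        b"[root@rh62 /]# id\r\nuid=0(root) gid=0(root) groups=0(root),1(bin)\r\n",
    "exploit request itself (constructed stand-in, no id output)":
        b"<constructed placeholder for the request bytes of the exploit>",
    "unprivileged user runs 'id'":
        b"uid=500(arvind) gid=500(arvind) groups=500(arvind)\n",
}


def classify(samples: dict) -> dict:
    """Map each sample name to whether the content match would alert."""
    return {name: id_check_returned_root(p) for name, p in samples.items()}


if __name__ == "__main__":
    decoded = parse_hexdump(ALERT_HEX)
    print(f"alert payload ({len(decoded)} bytes): {decoded!r}")
    for name, hit in classify(SAMPLES).items():
        print(f"{'ALERT ' if hit else '      '} {name}")
```

The decoded dump is exactly the 52 bytes the alert reported, and the only samples that alert are the two carrying `id` output for uid 0. The exploit request produces no alert under this rule because the signature keys on what the compromised host sends back, not on the attack traffic; catching the exploit itself needs a rule written against the request.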



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

