Snort mailing list archives

RE: [Snort-sigs] Outbound string contains c m d.exe, but from where?


From: "Cessna, Michael" <MCessna () rtm com>
Date: Thu, 24 Jan 2002 11:16:00 -0500

Gregory,
Since the source of your packets is the same (209.128.247:%PORT%)... what is
that IP? Is it one of your IPs? Also, I have seen this rule triggered quite
a lot with Exchange Web Mail. Do you have Web Mail servers on your net? My
snort gets really pissed off whenever I read my snort mail over the web!
Mike

-----Original Message-----
From: Noller, Gregory [mailto:Noller2G () kochind com]
Sent: Thursday, January 24, 2002 10:17 AM
To: snort-sigs () lists sourceforge net;
'snort-users () lists sourceforge net'
Subject: [Snort-sigs] Outbound string contains c m d.exe, but from where?


Oh great wizards of snort....are any of you seeing outbound c m d . e x e
where it ought not to be?


I am seeing the following string in some infrequent packets exiting my nat
router that sits in front of my outbound proxy array:

From Demarc:

WEB-IIS outbound c m d.exe access  TCP NET.209.128.247:2049  > 63.211.210.20:80

And the payload:

GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0

pient



------_=_NextPart_000_01C1A4A9.A9555B3A
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit

Message-ID: <000028f11612$00006023$00001ac7@>
From: JJNSYMWLY () imailbox com
Subject: For The Price Of A Cup Of Coffee... 6855
Date: Mon, 21 Jan 2002 06:30:13 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-MS-Embedded-Report: 
Content-Type: text/plain; 
 charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

 =20
(remainder of the email message deleted for brevity)

The payload always contains the same first line, then an email message.

Another one (they are always different):

WEB-IIS outbound c m d.exe access  TCP NET.209.128.247:2366  > 63.211.210.20:80

GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0

r () msn com>
RCPT TO:<someone at my netowrk>
DATA
Received: from lrkxf.msn.com (burton-2.net.excite.com [199.172.146.149]) by
adsl.pacbell.neet with SMTP (Microsoft Exchange Internet Mail Service
Version 5.5.2653.13)
.id DPA4KJQ6; Thu, 24 Jan 2002 01:46:50 -0800
From: 101054br () msn com
To: lke () yahoo com
Reply-To: gwennduane3 () altavista com
Subject: Don't suffer in debt any more, info inside.
[pv3qp]
Content-type: text/html; charset=ISO-8859-1

This one has no email with it, and goes to a different destination address:


WEB-IIS outbound c m d.exe access  TCP NET.209.128.247:6777  > 63.240.26.86:80

GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0 1.0
HTTP/1.0
Via: 1.0 PROXY4, 1.0 PROXY1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; 04162001;
Q312461)
Host: 63.240.26.86
Accept: */*
Accept-Language: en-us

As these are outbound, outside my proxy and nat router, I cannot determine
where they are coming from inside my network.  So being real smart like I
am, I set up another snort box inside my ProxyArray watching all traffic
passing through the proxy (proxies are configured for outbound only and
hardened) so as to catch the outbound string and see the real source
address.

Bingo, this morning I see outbound traffic (above three packets) and go
check my inside snort: nothing.  I test it and the inside snort works fine,
catching anything in any direction or network that contains c m d . e x e
(I've added spaces so as to not set off any alarms you may have in place).
These packets for all the world are not originating inside my proxies, but
contain mail destined to or from users on my network.  It all happens on
port 80, not 25, so it's not an SMTP thing.

See below for how I'm configured...

Thanks Marty, for this great tool.



Here is how I start snort from /etc/init.d/snortd (start/stop)

/usr/local/snort/bin/snort -D -I -i eth1 -o -l /usr/local/snort/logs -c /usr/local/snort/bin/snort.conf

Here is my snort.conf:

var HOME_NET [net.209.128.0/24,net.209.129.0/24,net.209.160.0/24,net.184.244.0/24,net.168.11.0/24,net.94.207.66/32,net.15.7.5/32]

var EXTERNAL_NET !$HOME_NET

var SMTP any

var HTTP_SERVERS $HOME_NET

var SQL_SERVERS $HOME_NET

var DNS_SERVERS $HOME_NET

preprocessor frag2

preprocessor stream4: detect_scans

preprocessor stream4_reassemble

preprocessor http_decode: 80 -unicode -cginull

preprocessor rpc_decode: 111

preprocessor bo: -nobrute

preprocessor telnet_decode

preprocessor portscan: $HOME_NET 4 3 portscan.log

preprocessor portscan-ignorehosts: $DNS_SERVERS

output database: log, mysql, user=(obfuscated) password=(obfuscated) dbname=(obfuscated) host=(obfuscated)

include classification.config

(the only include that matters to this question:  include web-iis.rules)


Here is my rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"WEB-IIS outbound c m d.exe access"; flags: A+; content:"c m d.exe"; nocase;)



Gregory Noller
Senior IT Security Technologist
Technology Risk Services
Koch Business Solutions LP
Wichita, Kansas

(316) 828-7725
(316) 214-7057 (Cellular)
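Added example, not part of this thread and not Snort's own code: a small triage helper for the Demarc/Snort alert lines and payloads quoted above. For each hit it pulls out the two facts the two posters are arguing about: whether the request carries an HTTP "Via:" header naming the proxy array (so it really did pass through the proxies), and whether the rest of the payload is mail content (MIME/SMTP markers), which is what one would expect if the match came from someone reading mail over Web Mail as Mike suggests. The verdict labels, the marker list and the sample payloads are this example's own constructions, modelled on the three hits in the post; the signature is spelled "c m d.exe" with spaces exactly as the thread writes it, which is also what the poster's content rule literally matches.

```python
"""Triage helper for the alert lines and payloads quoted in the thread.
Added example; the verdict labels and MAIL_MARKERS are this example's own
heuristics, and SAMPLES are constructed after the three quoted hits."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Spaced exactly as the thread spells it; the poster's content rule matches
# the spaced form too, so this toy check does the same.
SIGNATURE = "c m d.exe"

# Alert line shape as quoted in the thread, joined onto one line:
#   <msg>  TCP <src>:<sport>  > <dst>:<dport>
ALERT_RE = re.compile(
    r"^(?P<msg>.+?)\s+TCP\s+(?P<src>\S+):(?P<sport>\d+)\s+>\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# Line prefixes that mark mail content rather than a plain HTTP request (own list).
MAIL_MARKERS = ("RCPT TO:", "MAIL FROM:", "Content-Type: message/rfc822",
                "X-Mailer:", "Message-ID:")


@dataclass
class Triage:
    src: str
    sport: int
    dst: str
    dport: int
    signature_in_request_line: bool  # did the match come from the request line?
    via: Optional[str]               # value of an HTTP Via: header, if any
    mail_markers: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        """Own labels: mail content outranks proxy evidence, which outranks nothing."""
        if self.mail_markers:
            return "mail-content"
        if self.via:
            return "proxied-request"
        return "direct-request"


def parse_alert(line: str) -> dict:
    """Split one alert line into message, endpoints and ports."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def triage(alert_line: str, payload: str) -> Triage:
    """Combine an alert line with its TCP payload into one triage record."""
    a = parse_alert(alert_line)
    lines = payload.splitlines()
    first = lines[0] if lines else ""
    via = None
    for ln in lines:
        if ln.lower().startswith("via:"):
            via = ln.split(":", 1)[1].strip()
    markers = [mk for mk in MAIL_MARKERS if any(ln.startswith(mk) for ln in lines)]
    return Triage(a["src"], a["sport"], a["dst"], a["dport"],
                  SIGNATURE.lower() in first.lower(), via, markers)


# Constructed samples modelled on the three hits quoted in the thread.
SAMPLES = [
    ("WEB-IIS outbound c m d.exe access  TCP NET.209.128.247:2049  > 63.211.210.20:80",
     "GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0\n\n"
     "Content-Type: message/rfc822\nContent-Transfer-Encoding: 7bit\n\n"
     "Message-ID: <000028f11612$00006023$00001ac7@>\n"
     "Subject: For The Price Of A Cup Of Coffee... 6855\n"),
    ("WEB-IIS outbound c m d.exe access  TCP NET.209.128.247:2366  > 63.211.210.20:80",
     "GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0\n\n"
     "RCPT TO:<someone at my network>\nDATA\n"
     "Subject: Don't suffer in debt any more, info inside.\n"),
    ("WEB-IIS outbound c m d.exe access  TCP NET.209.128.247:6777  > 63.240.26.86:80",
     "GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0\n"
     "Via: 1.0 PROXY4, 1.0 PROXY1\nConnection: Keep-Alive\nHost: 63.240.26.86\n"),
]


def summarize(samples=SAMPLES) -> List[dict]:
    """One compact row per hit, ready to print or to feed a ticket."""
    rows = []
    for alert, payload in samples:
        t = triage(alert, payload)
        rows.append({"sport": t.sport, "dst": t.dst, "verdict": t.verdict,
                     "via": t.via, "markers": t.mail_markers,
                     "in_request_line": t.signature_in_request_line})
    return rows


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

On the constructed samples the first two hits come out as "mail-content" (MIME and SMTP markers follow the request line), which fits Mike's Web Mail explanation, while the third carries a Via: header naming PROXY4 and PROXY1, so that one did traverse the proxy array and is the hit to reconcile with the inside sensor seeing nothing. All three matched on the request line, so the source-port and Via columns, not the signature, are what separate them.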

        


