Snort mailing list archives
Re: packet content and signature unmatch
From: Eric Hines <eric.hines () appliedwatch com>
Date: Mon, 17 Jul 2006 08:45:16 -0500
In the case of this signature, which was written apparently for the SSHUTUPTHEO exploit from Gobbles, there is a boundary condition in OpenSSH that when exploited will open a shell on the remote host, execute commands, etc.

When this occurs, it is not an encrypted SSH tunnel. In the case of this signature, the Gobbles exploit opens a shell on the remote host and then promptly executes the command uname -a.

You see it here below:

    *GOBBLE*
    OpenBSD openbsd 3.1 GENERIC#59 i386
    uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

First the exploit echoes the string "*GOBBLE*" back to the attacker, then it promptly executes "uname -a ; id". This is all done in clear text.

This is how Snort will alert on the use of uname. However, you'll find that this is a pretty generic signature, meaning there are quite a few SSHD exploits that I can think of that immediately issue the command uname -a, or, it's pretty simple to take an SSH exploit and add uname -a to it.

As for why it fired on your host, can you send the packet to me or the list? I'd like to see the payload.
HTH

Best Regards,

Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------
Email: eric.hines () appliedwatch com
Address: 1095 Pingree Road Suite 213 Crystal Lake, IL 60014
Tel: (877) 262-7593 ext:327
Local: (847) 854-5831
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
--------------------------------------------------
Security Management for the Open Source Enterprise

hchlai () netscape net wrote:
Hi Snorters,

I have 2 questions regarding sid:1811 in /etc/snort/rules/attack-responses.rules:

    alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit uname"; flow:from_server,established; content:"uname"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; reference:nessus,11031; classtype:misc-attack; sid:1811; rev:9;

First of all, since ssh sessions are encrypted, I should never see a packet content of "uname" in non-encrypted format. Am I missing something fundamental here, or is it just a Monday morning?

Secondly, this signature is recorded in 2 packets by BASE, but neither packet nor their combined contents contain "uname", so what exactly triggered this signature?

Many thanks!

I am running BASE 1.2.5 and Snort 2.4.5

HinSuk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
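To make the two points in Eric's reply concrete (the match happens on cleartext server-to-client data, and content:"uname" is generic enough to fire on any cleartext from port 22), here is a small Python model of the header, flow and content checks in sid:1811 run over a few constructed segments. This is an added example, not Snort's code and not anything posted in the thread: the Segment class, evaluate_sid_1811 and scan are made up for the illustration, the four sample payloads are constructed rather than captured, the $HOME_NET/$EXTERNAL_NET address checks are left out, and the assumption that the spawned shell echoes the command text before its output is mine.

```python
"""Toy model of the checks in Snort sid:1811 (attack-responses.rules), added as
an illustration. This is not Snort's code; every sample segment below is
constructed, and the shell-echo behaviour in GOBBLES_LIKE is an assumption."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Segment:
    """One TCP segment as the stream tracker would hand it to the rule engine."""
    src_port: int
    dst_port: int
    from_server: bool   # stream tracker's view of direction (flow:from_server)
    established: bool   # handshake seen by the tracker (flow:established)
    payload: bytes


# Options quoted from the rule in the thread. The $HOME_NET / $EXTERNAL_NET
# address checks are not modelled here.
SID = 1811
SRC_PORT = 22          # tcp $HOME_NET 22 -> $EXTERNAL_NET any
CONTENT = b"uname"     # content:"uname"; no 'nocase', so the match is exact


def evaluate_sid_1811(seg: Segment) -> Tuple[bool, str]:
    """Return (matched, reason), applying header, then flow, then content."""
    if seg.src_port != SRC_PORT:
        return False, "header: source port is not 22"
    if not seg.established:
        return False, "flow: session not established"
    if not seg.from_server:
        return False, "flow: data is client->server, rule wants from_server"
    offset = seg.payload.find(CONTENT)
    if offset < 0:
        return False, "content: 'uname' not in payload"
    return True, "content: 'uname' found at offset %d" % offset


def scan(segments: List[Segment]) -> List[Tuple[int, int, str]]:
    """Run every segment through the rule; one (sid, dst_port, reason) per alert."""
    alerts = []
    for seg in segments:
        hit, why = evaluate_sid_1811(seg)
        if hit:
            alerts.append((SID, seg.dst_port, why))
    return alerts


# --- Constructed sample traffic (not captured) ---------------------------

# 1. The case Eric describes: the exploit's shell answers in clear text from
#    port 22. Assumed here: the shell echoes the command before its output.
GOBBLES_LIKE = Segment(22, 40321, True, True,
    b"*GOBBLE*\nuname -a; id\n"
    b"OpenBSD openbsd 3.1 GENERIC#59 i386\n"
    b"uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys)\n")

# 2. A healthy SSH session after key exchange: opaque binary packet data,
#    so a cleartext content match can never succeed.
ENCRYPTED_SSH = Segment(22, 40322, True, True,
    bytes([0x5a, 0x13, 0x9f, 0x00, 0xc4, 0x71, 0xee, 0x02, 0xb8, 0x44, 0x31, 0x7d]))

# 3. Why the rule is generic: any cleartext service on port 22 that happens
#    to send the word "uname" trips it, exploit or not.
CLEARTEXT_ON_22 = Segment(22, 40323, True, True,
    b"Welcome to the lab box. Run uname -a to see which kernel you got.\n")

# 4. Same word, wrong direction: a client typing the command is not matched,
#    because the rule asks for from_server data.
CLIENT_TYPED = Segment(40324, 22, False, True, b"uname -a\n")

SAMPLES = [GOBBLES_LIKE, ENCRYPTED_SSH, CLEARTEXT_ON_22, CLIENT_TYPED]

if __name__ == "__main__":
    for seg in SAMPLES:
        hit, why = evaluate_sid_1811(seg)
        print(("ALERT " if hit else "      ")
              + "%5d -> %5d  %s" % (seg.src_port, seg.dst_port, why))
```

Running it shows alerts for samples 1 and 3 only: the encrypted session never matches, and the client-typed command fails the header check before content is even looked at. Sample 3 is the false-positive class Eric warns about; when triaging a sid:1811 hit, the first thing to check is therefore whether the server-side payload is ASCII at all, since a real SSH session after key exchange should not be.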