Snort mailing list archives

Re: packet content and signature unmatch

From: pauls () utdallas edu
Date: Mon, 17 Jul 2006 08:54:17 -0500

--On July 17, 2006 9:31:50 AM -0400 hchlai () netscape net wrote:

Hi Snorters,

 I have 2 questions regarding sid:1811

  /etc/snort/rules/attack-responses.rules:alert tcp $HOME_NET 22 ->
$EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit
uname"; flow:from_server,established; content:"uname";
reference:bugtraq,5093; reference:cve,2002-0390;
reference:cve,2002-0639; reference:nessus,11031; classtype:misc-attack;
sid:1811; rev:9;

  First of all, since ssh sessions are encrypted, I should never see a
packet content of "uname" in non-encrypted format. Am I missing
something fundamental in here or it's just a Monday morning?
  Secondly, this signature is recorded in 2 packets by BASE, but neither
packets nor their combine contents contain "uname" in it, so what
exactly triggered this signature? Many thanks!

When investigating the whys and wherefores of a rule's triggering, it's agood idea to first read the relevant exploit information -<http://www.securityfocus.com/bid/5093/discuss>

"It is possible for attackers to exploit the vulnerabilities byconstructing a malicious response. As this occurs before the authenticationprocess completes, it may be exploited by remote attackers without validcredentials. Successful exploitation may result in the execution ofshellcode or a denial of service."

As I'm sure you are aware, the challenge-response portion occurs beforeencryption has taken place, so you would indeed see the characters in thepacket.


Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Attachment: _bin
Description:


-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

packet content and signature unmatch hchlai (Jul 17)
- Re: packet content and signature unmatch Eric Hines (Jul 17)
- Re: packet content and signature unmatch pauls (Jul 17)