Snort mailing list archives

snort-2.8.0 losing port numbers on some alerts?


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 23 Nov 2007 14:01:52 +1300

Hi there

I have just installed snort-2.8.0 under CentOS5 at home, with nearly
everything enabled, and it's triggering on the rule:

alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"MS-SQL probe
response overflow attempt"; content:"|05|"; depth:1;
byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative;
content:!"|3B|"; within:512; reference:bugtraq,9407;
reference:cve,2003-0903; reference:nessus,11990;
reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx;
classtype:attempted-user; sid:2329; rev:7;)

The problem is two-fold. For starters, sometimes the syslog and mysql
events generated *do not contain port numbers!* e.g. syslog reports

Nov 22 21:59:36 srv snort[28832]: [1:2329:7] MS-SQL probe response
overflow attempt [Classification: Attempted User Privilege Gain]
[Priority: 1]: <eth0> {UDP} 1x.y.z.3 -> 1x.y.z.6

Where's the ":YYYY"?

Sometimes, in the same 1 sec period, the same rule triggers again - with
the port numbers:

Nov 22 21:59:36 srv snort[28832]: [1:2329:7] MS-SQL probe response
overflow attempt [Classification: Attempted User Privilege Gain]
[Priority: 1]: <eth0> {UDP} 1x.y.z.3:2049 -> 1x.y.z.6:1023

And secondly, the two boxes mentioned are Linux boxes running NFS
between them - certainly not MS-SQL.

However, I think my first point is the one that implies a bug in snort.
An "alert udp" rule should NEVER be able to generate an event that
doesn't contain port numbers - I don't think it's possible to generate
UDP packets without port numbers ;-)

This looks like a bug to me rather than a rule FP?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
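As an added example (not from the post or the Snort project), a small Python parser for the syslog alert format quoted above that flags TCP/UDP alerts emitted without port numbers and names the IANA-registered UDP service on whichever ports are present, which is how one would confirm the NFS observation. The log lines it runs on are constructed and use RFC 5737 documentation addresses in place of the redacted ones.

```python
import re
from typing import Optional

# Regex for the syslog alert format quoted in the post:
#   snort[PID]: [gid:sid:rev] msg [Classification: ...] [Priority: N]: <iface> {PROTO} src[:sport] -> dst[:dport]
ALERT_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<classification>[^\]]+)\] \[Priority: (?P<priority>\d+)\]: "
    r"<(?P<iface>[^>]+)> \{(?P<proto>[A-Z]+)\} "
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))? -> (?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)

# IANA-registered UDP services relevant when triaging sid 2329 (NFS vs. the MS-SQL monitor port).
KNOWN_UDP_PORTS = {2049: "nfs", 1434: "ms-sql-m"}

# Constructed sample lines modelled on the two alerts in the post; the addresses
# are RFC 5737 documentation addresses, not the poster's redacted ones.
SAMPLE_LOGS = [
    "Nov 22 21:59:36 srv snort[28832]: [1:2329:7] MS-SQL probe response overflow attempt "
    "[Classification: Attempted User Privilege Gain] [Priority: 1]: <eth0> {UDP} 192.0.2.3 -> 192.0.2.6",
    "Nov 22 21:59:36 srv snort[28832]: [1:2329:7] MS-SQL probe response overflow attempt "
    "[Classification: Attempted User Privilege Gain] [Priority: 1]: <eth0> {UDP} 192.0.2.3:2049 -> 192.0.2.6:1023",
    "Nov 22 21:59:37 srv snort[28832]: not an alert line at all",
]

def parse_alert(line: str) -> Optional[dict]:
    """Parse one syslog alert line into a dict; return None for non-alert lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    for key in ("pid", "gid", "sid", "rev", "priority", "sport", "dport"):
        a[key] = int(a[key]) if a[key] is not None else None  # absent ports stay None
    return a

def find_portless(lines) -> list:
    """Return parsed TCP/UDP alerts missing a source or destination port (the inconsistency in the post)."""
    out = []
    for line in lines:
        a = parse_alert(line)
        if a and a["proto"] in ("TCP", "UDP") and (a["sport"] is None or a["dport"] is None):
            out.append(a)
    return out

def service_hint(alert: dict) -> Optional[str]:
    """Name the registered UDP service on either port, or None if neither port is known."""
    ports = (alert["sport"], alert["dport"]) if alert["proto"] == "UDP" else ()
    return next((KNOWN_UDP_PORTS[p] for p in ports if p in KNOWN_UDP_PORTS), None)
```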

