Snort mailing list archives

CVE-2012-5076 and CVE-2012-1723 Rules


From: Snort Troubleshooting <snort () outlook com>
Date: Sun, 25 Nov 2012 10:26:59 +0000



Hello,

Today I was testing some blackhole websites against Snort in my test lab to validate some traffic, in which Snort using the VRT rules (subscriber rules) did not alert on anything. However, the anti-virus installed on the test machine detected that two Java exploit files had been downloaded and were happily residing in /AppData/Local/Temp. The anti-virus (MSE) reported the following:

1. Exploit: Java/CVE-2012-5076.BBW ---> KPOWd.class
2. Exploit: Java/CVE-2012-1723!generic ---> kvjMojWwL.class

At this point I suspected that my Snort configuration/rules may be wrong. After confirming that everything is fine, I went ahead and downloaded the ET (open-source) rules and stuck them in there. Then I browsed to the blackhole website again, and Snort fired on two ET rules, namely sid:2015724 and sid:2015725. Unfortunately, the msgs of these two alerts are not fully descriptive and there are no references included in the alerts.

After that, I searched through my Snort rules for those that cover both CVEs mentioned above, and they are included and enabled in my snort.rules (PulledPork, -I balanced). I found these two (along with their state: enabled, disabled):

1. CVE-2012-5076:
   - sid: 24026 (enabled)
   - sid: 20622 (disabled)
2. CVE-2012-1723:
   - sid: 24202 (enabled)
   - sid: 24201 (enabled)
   - sid: 23277 (enabled)
   - sid: 23276 (enabled)
   - sid: 23275 (enabled)
   - sid: 23274 (enabled)
   - sid: 23273 (enabled)

All of the above use $FILE_DATA_PORTS, which in my case did not include the port that the blackhole website is using. So I added the port to $FILE_DATA_PORTS and retested, but the Snort (VRT) rules did not fire, yet the ET rules did. Obviously, the signatures (content, pcre, etc.) are different, but I thought they still would alert, as signatures can be different yet catch the same malicious traffic. I was not able to test whether enabling the "security" policy in PulledPork would enable rules to catch the said traffic.

I have fairly good experience running Snort, though I'm still learning my way through writing proper rules. I will try to examine the pcaps and Fiddler session data in the upcoming days and update. If anyone can shed some light on this, it would be appreciated.

Thanks.

YM
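The two checks the post walks through, whether a sid is commented out in snort.rules and whether its source port spec (via $FILE_DATA_PORTS and the nested $HTTP_PORTS) actually covers the port the site served on, as an added example that is not from the poster or from Snort. The config and rule lines below are constructed samples (the sids are the ones named in the post, the rule options are placeholders, the parser handles only flat portvar lists, ranges and $VAR references):

```python
import re
# Constructed lab config, not the poster's: the blackhole site's port (8080)
# is absent from HTTP_PORTS and therefore from FILE_DATA_PORTS.
SAMPLE_CONF = """portvar HTTP_PORTS [80,443]
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
"""
# Constructed snort.rules lines reusing sids from the post; rule options are
# placeholders, not the real VRT content. A leading '#' marks a disabled rule.
SAMPLE_RULES = """alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"ph"; sid:24026; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"ph"; sid:20622; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"ph"; sid:24202; rev:1;)
"""
RULE_RE = re.compile(r'^\s*(#\s*)?alert\s+\w+\s+\S+\s+(\S+)\s+->\s+\S+\s+\S+\s+\(.*?sid:\s*(\d+)')

def expand_ports(spec, portvars):
    """Expand '80', '1:1024', 'any' or '[$VAR,110]' to a set of ints (flat lists only)."""
    ports = set()
    for item in spec.strip('[]').split(','):
        item = item.strip()
        if item == 'any':
            return set(range(1, 65536))
        if item.startswith('$'):
            ports |= portvars.get(item[1:], set())
        elif ':' in item:
            lo, hi = item.split(':')
            ports |= set(range(int(lo or 1), int(hi or 65535) + 1))
        else:
            ports.add(int(item))
    return ports

def parse_portvars(conf):
    """Build {name: set(ports)} from 'portvar' lines, resolving earlier $VARs."""
    portvars = {}
    for line in conf.splitlines():
        m = re.match(r'\s*portvar\s+(\w+)\s+(\S+)', line)
        if m:
            portvars[m.group(1)] = expand_ports(m.group(2), portvars)
    return portvars

def diagnose(conf, rules, server_port):
    """Per sid: 'disabled', 'port not covered' (source spec misses server_port) or 'ok'."""
    portvars = parse_portvars(conf)
    verdicts = {}
    for m in filter(None, map(RULE_RE.match, rules.splitlines())):
        sid, enabled = int(m.group(3)), m.group(1) is None
        covered = server_port in expand_ports(m.group(2), portvars)
        verdicts[sid] = 'disabled' if not enabled else ('ok' if covered else 'port not covered')
    return verdicts
```

An 'ok' verdict only means the rule header lets the rule see the flow; whether its content/pcre matches the actual Java class, which is where the VRT and ET signatures differ, is a separate question.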
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

