Re: Trying to use snort with TALOS-2016-0219

[Patrick Mullen <pmullen () sourcefire com>]

Yuri,

By "asymmetric," Joel means your pcap is broken.  :)  Your "works" config
modified snort such that it ignores the fact that it can only see half of
the traffic.  Please note that while this configuration means you did alert
in this situation, in the long run it opens you up to evasions and other
issues so it's not an ideal solution.

I suspect that when you created your pcap, you probably did a filter like
"dst host 162.243.66.145 and port 11211", which filtered out return traffic
from that host.  If you instead used the filter "host 162.243.66.145 and
port 11211", the host filter would be bidirectional (the ip could be the
dst or src) so you should see the entire set of traffic and snort should
alert for you without needing to change the configuration.


Thanks,

~Patrick


On Mon, Nov 28, 2016 at 11:17 AM, Joel Esler (jesler) <jesler () cisco com>
wrote:

> Your traffic is “asymmetric”.  This is why turning off stream makes it
> “work”.
>
> Snort needs both sides of the traffic flow in order to process the traffic
> correctly.
>
>
> *--*
> *Joel Esler *| *Talos:* Manager | jesler () cisco com
>
>
>
>
>
>
> On Nov 25, 2016, at 10:41 PM, Yuri Niyazov <yuri () academia edu> wrote:
>
> Hi everyone,
>
>   Snort newbie here. I am trying to detect the latest memcache
> vulnerabilities, http://www.talosintelligence.com/reports/TALOS-2016-0219/
>
> Output of snort -V, as requested in the instructions for posting reports
> to this list:
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.8.3 GRE (Build 383)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/contact#team
>            Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights
> reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.5.3
>            Using PCRE version: 8.31 2012-07-06
>            Using ZLIB version: 1.2.8
>
> So, I have a packet capture that is the proof-of-concept exploit (code
> copy-pasted from the vulnerability announcement). That packet capture is
> attached. It is detected when I run "snort -c etc/works.conf -r
> /var/log/snort/memcachedump.1480128874", I get the text below in
> /var/log/snort/alert:
>
> [**] [3:40474:2] SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt
> [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
> 11/26-02:54:44.674785 162.243.66.145:57162 -> 162.243.91.201:11211
> TCP TTL:63 TOS:0x0 ID:47627 IpLen:20 DgmLen:1100 DF
> ***AP*** Seq: 0xF7EF58B0  Ack: 0x1E0819C9  Win: 0x1C9  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 3334822 5964160
> [Xref => http://www.talosintelligence.com/reports/TALOS-2016-0219]
>
> However, when I run "snort -c etc/broken.conf -r
> /var/log/snort/memcachedump.1480128874" the alert doesn't happen
>
> The difference between works.conf and broken.conf is that broken.conf
> includes the stream5_global, stream5_tcp and stream5_udp preprocessors as
> they are configured in the latest downloadable ruleset (these aren't the
> files I will end up using, these are just the smallest difference I was
> able to isolate between "working" and "not working").
>
> Now, if I understand things correctly, the streaming preprocessor provides
> important functionality that shouldn't just be turned off blindly, so, the
> question is: what in that preprocessor configuration could be masking the
> memcached exploit?
-- 
Patrick Mullen
Response Research Manager
Cisco TALOS

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!