Re: sidestep

From: Martin Roesch (roesch_at_sourcefire.com)
Date: 05/06/03

    Date: Tue, 06 May 2003 17:21:51 -0400
    To: Jill Tovey <jill.tovey@bigbluedoor.com>, focus-ids@securityfocus.com
    
    

    Snort 1.8.7 is hideously out of date (not to mention the huge buffer
    overflow vulnerability in the rpc decoder), Snort 2.0 is the current state
    of the art.

    http://www.snort.org/dl/snort-2.0.0.tar.gz

    That DNS evasion you refer to was just a rule issue that was fixed in the
    spring of 2001, the "new" rule should fire just fine.

         -Marty

    On 5/6/03 2:45 AM, "Jill Tovey" <jill.tovey@bigbluedoor.com> wrote:

    > I am using Snort 1.8.7 which has the rev:1 SID 1616.
    >
    > I might try upgrading this later for interest, however my project has
    > been handed in now and so there is not much I can do about it anyway :-)
    >
    >
    > On Mon, 2003-05-05 at 14:38, Judy Novak wrote:
    >> Jill,
    >>
    >> I don't know what version of Snort you are running or what Snort rule set
    >> you are using. If you use version 2.0 with the default rule set
    >> (specifically includes file dns.rules with SID 1616), it should trigger.
    >>
    >> I ran sidestep DNS evade traffic using a Snort default configuration
    >> file which includes the following rule in the dns.rules file:
    >>
    >> alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt";
    >> content:"|07|version"; nocase; offset:12; content:"|04|bind"; nocase;
    >> offset:12; reference:nessus,10028; reference:arachnids,278;
    >> classtype:attempted-recon; sid:1616; rev:4;)
    >>
    >> And received this alert:
    >>
    >> 05/05-04:08:21.989255 [**] [1:1616:4] DNS named version attempt [**]
    >> [Classification: Attempted Information Leak] [Priority: 2] {UDP}
    >> 10.2.3.28:1045 -> 10.2.3.20:53
    >>
    >> Judy Novak
    >>
    >> On Saturday 03 May 2003 05:52, Jill Tovey wrote:
    >>> Hi all,
    >>>
    >>> For those of you that were interested, Snort did not detect the DNS
    >>> version query from Sidestep.
    >>>
    >>> Kind Regards,
    >>>
    >>> Jill Tovey
    >>>
    >>>
    >>>
    >>> ---------------------------------------------------------------------------
    >>> Can you respond to attacks based on attack type, severity, source IP,
    >>> destination IP, number of times attacked, or the time of day an attack
    >>> occurs? No?
    >>> No wonder why you're swamped with false positives!
    >>> Download a free 15-day trial of Border Guard and watch your false
    >>> positives disappear.
    >>>
    >>> http://www.securityfocus.com/StillSecure-focus-ids2
    >>> ---------------------------------------------------------------------------

    -- 
    Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
    Sourcefire: Professional Snort Sensor and Management Console appliances
    roesch@sourcefire.com - http://www.sourcefire.com
    Snort: Open Source Network IDS - http://www.snort.org
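As an added illustration (not code from the thread or from the Snort project), the following Python models how the rev:4 rule quoted above matches: it builds a constructed version.bind TXT/CHAOS query and applies the two content tests with offset:12 and nocase. The helper names are my own, and the udp/$HOME_NET/port 53 conditions of the rule header are not modelled.

```python
import struct

# A DNS header is 12 bytes (id, flags, qdcount, ancount, nscount, arcount),
# which is why both content tests in SID 1616 start at offset:12.
DNS_HEADER_LEN = 12

def build_version_query(name=b"version.bind", qtype=16, qclass=3, txid=0x1234):
    """Constructed sample: a standard query for `name`, TXT (16), CHAOS (3)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME is a sequence of length-prefixed labels terminated by a zero byte.
    qname = b"".join(bytes([len(label)]) + label for label in name.split(b"."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, qclass)

def content_match(payload, pattern, offset=0, nocase=False):
    """Simplified Snort 'content' test: does pattern occur at or after offset?
    'offset' is absolute from the start of the payload, as in the rule."""
    hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
    return hay.find(needle, offset) != -1

def sid_1616_matches(payload, nocase=True):
    """Model of the rev:4 rule body: both labels, |07|version and |04|bind,
    must appear past the DNS header. nocase=False is a comparison variant
    (hypothetical), not a claim about what any earlier revision did."""
    return (content_match(payload, b"\x07version", DNS_HEADER_LEN, nocase)
            and content_match(payload, b"\x04bind", DNS_HEADER_LEN, nocase))

if __name__ == "__main__":
    for qname in (b"version.bind", b"VERSION.BIND", b"www.example.com"):
        print(qname.decode(), "->", sid_1616_matches(build_version_query(qname)))
```

Running the block prints True for both the lowercase and the uppercase version.bind queries and False for the unrelated name, which is the effect of the nocase modifiers in the rev:4 rule.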
    
