Re: Belaboring the point of FPs

From: Martin Roesch (roesch_at_sourcefire.com)
Date: 08/13/03

    Date: Tue, 12 Aug 2003 20:01:26 -0400
    To: Paul Schmehl <pauls@utdallas.edu>
    
    

    Hi Paul,

    Actually I wouldn't call those false positives, Snort did exactly what
    it was told to do. The concept of Snort's detection engine is very
    simple, it lets you ask questions about the decoded packets (and
    streams in later versions) and tells you when it sees the things you
    asked for. That rule could certainly be tighter but Snort is doing
    exactly what it was told to do. Reminds me of the old "Shooting
    yourself in the foot" programming languages pages like this one:

       
    http://noncorporeal.com/people/pathfinder/shoot_yourself_in_the_foot.html

    Snort is perfectly content to let you write rules which aren't
    effective in your environment, I've been saying for years that people
    need to put together rule sets for their specific environments. I was
    rather militant about it early on in Snort's history, back in early
    1999 Snort shipped with ~50 sample rules and you were supposed to write
    a set for your environment. That obviously didn't work very well
    because we have ~2000 rules today...

    Don't mean to be pedantic but Snort is rather literal-minded about the
    rules you give it (kinda like C in that way).

          -Marty

    On Monday, August 11, 2003, at 10:29 PM, Paul Schmehl wrote:

    > Marty, I'm not picking on you, honest I'm not. I'm sitting here at
    > home, monitoring our DMZ snort, waiting for the RPC worm to hit, and
    > sure enough, I get a hit on sid 2123 - successful admin, cmd.exe. So
    > I think, yep, there's the first box to get infected.
    >
    > Here's rule 2123:
    > alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:from_server,established; content:"Microsoft Windows"; content:"(C) Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:1;)
    >
    > Looks good, but... analysis of the three packets shows very quickly
    > that it's an FP. The traffic is *from* our imap server on port 143
    > *to* an off campus site. Right direction, wrong alert. The payload?
    > A bugtraq post someone was reading about the worm. I recognized it
    > right away, because I had just read the same post myself. (No, the
    > off campus address was not me.)
    >
    > An anomaly? Not really. I see these *every* time some new exploit
    > shows up. List traffic triggers alerts, because the attack ports are
    > either not specified or by default include mail ports (POP3, IMAP and
    > SMTP). Now surely you will admit *those* are false positives?
    >
    > Here's the payload (yeah, I know, more alerts :( ):
    >
    > 000 : 2A 20 36 39 31 36 20 46 45 54 43 48 20 28 46 4C  * 6916 FETCH (FL
    > 010 : 41 47 53 20 28 5C 53 65 65 6E 29 20 42 4F 44 59  AGS (\Seen) BODY
    > 020 : 5B 31 5D 20 7B 33 32 32 38 7D 0D 0A 0D 0A 6D 75  [1] {3228}....mu
    > 030 : 6C 74 69 74 68 72 65 61 64 69 6E 67 20 26 6F 73  ltithreading &os
    > 040 : 20 64 65 74 65 63 74 69 6F 6E 20 26 26 20 6D 61   detection && ma
    > 050 : 63 72 6F 73 20 73 75 70 70 6F 72 74 2E 2E 2E 0D  cros support....
    > 060 : 0A 0D 0A 65 78 70 6C 6F 69 74 20 63 61 6E 20 62  ...exploit can b
    > 070 : 65 20 66 6F 75 6E 64 20 68 65 72 65 3A 20 20 77  e found here:  w
    > 080 : 77 77 2E 63 72 6F 75 6C 64 65 72 2E 63 6F 6D 2F  ww.croulder.com/
    > 090 : 68 61 78 6F 72 63 69 74 6F 73 2F 6B 61 68 74 32  haxorcitos/kaht2
    > 0a0 : 2E 7A 69 70 0D 0A 0D 0A 0D 0A 65 78 61 6D 70 6C  .zip......exampl
    > 0b0 : 65 3A 20 4B 61 48 54 2E 65 78 65 20 31 30 2E 31  e: KaHT.exe 10.1
    > 0c0 : 30 2E 34 30 2E 30 20 31 30 2E 31 30 2E 32 35 35  0.40.0 10.10.255
    > 0d0 : 2E 32 35 35 20 33 30 30 0D 0A 5F 5F 5F 5F 5F 5F  .255 300..______
    > 0e0 : 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F  ________________
    > 0f0 : 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F  ________________
    > 100 : 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 0D 0A 20 20 20  ___________..   
    > 110 : 20 20 20 20 20 20 20 20 4B 41 48 54 20 49 49 20          KAHT II 
    > 120 : 2D 20 4D 41 53 53 49 56 45 20 52 50 43 20 45 58  - MASSIVE RPC EX
    > 130 : 50 4C 4F 49 54 0D 0A 20 20 44 43 4F 4D 20 52 50  PLOIT..  DCOM RP
    > 140 : 43 20 65 78 70 6C 6F 69 74 2E 20 4D 6F 64 69 66  C exploit. Modif
    > 150 : 69 65 64 20 62 79 20 61 54 34 72 40 33 77 64 65  ied by aT4r@3wde
    > 160 : 73 69 67 6E 2E 65 73 0D 0A 20 20 23 68 61 78 6F  sign.es..  #haxo
    > 170 : 72 63 69 74 6F 73 20 26 26 20 23 6C 6F 63 61 6C  rcitos && #local
    > 180 : 68 6F 73 74 20 20 40 45 66 6E 65 74 20 4F 77 6E  host  @Efnet Own
    > 190 : 7A 20 79 6F 75 21 21 21 0D 0A 5F 5F 5F 5F 5F 5F  z you!!!..______
    > 1a0 : 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F  ________________
    > 1b0 : 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F  ________________
    > 1c0 : 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 0D 0A 0D 0A 20 5B  __________.... [
    > 1d0 : 2B 5D 20 54 61 72 67 65 74 73 3A 20 31 30 2E 31  +] Targets: 10.1
    > 1e0 : 30 2E 34 30 2E 30 2D 31 30 2E 31 30 2E 32 35 35  0.40.0-10.10.255
    > 1f0 : 2E 32 35 35 20 77 69 74 68 20 33 30 30 20 54 68  .255 with 300 Th
    > 200 : 72 65 61 64 73 0D 0A 20 5B 2B 5D 20 53 63 61 6E  reads.. [+] Scan
    > 210 : 20 49 6E 20 50 72 6F 67 72 65 73 73 2E 2E 2E 0D   In Progress....
    > 220 : 0A 2D 20 43 6F 6E 6E 65 63 74 69 6E 67 20 74 6F  .- Connecting to
    > 230 : 20 31 30 2E 31 30 2E 34 30 2E 34 0D 0A 20 20 20   10.10.40.4..   
    > 240 : 53 65 6E 64 69 6E 67 20 45 78 70 6C 6F 69 74 20  Sending Exploit 
    > 250 : 74 6F 20 61 20 5B 57 69 6E 32 6B 5D 20 53 65 72  to a [Win2k] Ser
    > 260 : 76 65 72 2E 2E 2E 2E 20 46 41 49 4C 45 44 0D 0A  ver.... FAILED..
    > 270 : 20 20 2D 20 43 6F 6E 6E 65 63 74 69 6E 67 20 74    - Connecting t
    > 280 : 6F 20 31 30 2E 31 30 2E 34 30 2E 39 0D 0A 20 20  o 10.10.40.9..  
    > 290 : 20 53 65 6E 64 69 6E 67 20 45 78 70 6C 6F 69 74   Sending Exploit
    > 2a0 : 20 74 6F 20 61 20 5B 57 69 6E 58 50 5D 20 53 65   to a [WinXP] Se
    > 2b0 : 72 76 65 72 2E 2E 2E 2E 20 46 41 49 4C 45 44 0D  rver.... FAILED.
    > 2c0 : 0A 20 20 2D 20 43 6F 6E 6E 65 63 74 69 6E 67 20  .  - Connecting 
    > 2d0 : 74 6F 20 31 30 2E 31 30 2E 34 30 2E 31 32 0D 0A  to 10.10.40.12..
    > 2e0 : 20 20 20 53 65 6E 64 69 6E 67 20 45 78 70 6C 6F     Sending Explo
    > 2f0 : 69 74 20 74 6F 20 61 20 5B 57 69 6E 58 50 5D 20  it to a [WinXP] 
    > 300 : 53 65 72 76 65 72 2E 2E 2E 2E 20 46 41 49 4C 45  Server.... FAILE
    > 310 : 44 0D 0A 20 20 2D 20 43 6F 6E 6E 65 63 74 69 6E  D..  - Connectin
    > 320 : 67 20 74 6F 20 31 30 2E 31 30 2E 34 30 2E 32 31  g to 10.10.40.21
    > 330 : 0D 0A 20 20 20 53 65 6E 64 69 6E 67 20 45 78 70  ..   Sending Exp
    > 340 : 6C 6F 69 74 20 74 6F 20 61 20 5B 57 69 6E 58 50  loit to a [WinXP
    > 350 : 5D 20 53 65 72 76 65 72 2E 2E 2E 0D 0A 20 2D 20  ] Server..... - 
    > 360 : 43 6F 6E 65 63 74 61 6E 64 6F 20 63 6F 6E 20 6C  Conectando con l
    > 370 : 61 20 53 68 65 6C 6C 20 52 65 6D 6F 74 61 2E 2E  a Shell Remota..
    > 380 : 2E 0D 0A 0D 0A 4D 69 63 72 6F 73 6F 66 74 20 57  .....Microsoft W
    > 390 : 69 6E 64 6F 77 73 20 58 50 20 5B 56 65 72 73 69  indows XP [Versi
    > 3a0 : 3D 46 33 6E 20 35 2E 31 2E 32 36 30 30 5D 0D 0A  =F3n 5.1.2600]..
    > 3b0 : 28 43 29 20 43 6F 70 79 72 69 67 68 74 20 31 39  (C) Copyright 19
    > 3c0 : 38 35 2D 32 30 30 31 20 4D 69 63 72 6F 73 6F 66  85-2001 Microsof
    > 3d0 : 74 20 43 6F 72 70 2E 0D 0A 0D 0A 43 3A 5C 57 49  t Corp.....C:\WI
    > 3e0 : 4E 44 4F 57 53 5C 73 79 73 74 65 6D 33 32 3E 2E  NDOWS\system32>.
    > 3f0 : 0D 0A 20 2D 20 43 6F 6E 6E 65 63 74 69 6F 6E 20  .. - Connection 
    > 400 : 43 6C 6F 73 65 64 0D 0A 20 2D 20 43 6F 6E 6E 65  Closed.. - Conne
    > 410 : 63 74 69 6E 67 20 74 6F 20 31 30 2E 31 30 2E 34  cting to 10.10.4
    > 420 : 30 2E 35 32 0D 0A 20 20 20 53 65 6E 64 69 6E 67  0.52..   Sending
    > 430 : 20 45 78 70 6C 6F 69 74 20 74 6F 20 61 20 5B 57   Exploit to a [W
    > 440 : 69 6E 58 50 5D 20 53 65 72 76 65 72 2E 2E 2E 20  inXP] Server... 
    > 450 : 46 41 49 4C 45 44 0D 0A 20 2E 20 2D 20 43 6F 6E  FAILED.. . - Con
    > 460 : 6E 65 63 74 69 6E 67 20 74 6F 20 31 30 2E 31 30  necting to 10.10
    > 470 : 2E 34 30 2E 35 30 0D 0A 20 20 20 53 65 6E 64 69  .40.50..   Sendi
    > 480 : 6E 67 20 45 78 70 6C 6F 69 74 20 74 6F 20 61 20  ng Exploit to a 
    > 490 : 5B 57 69 6E 32 6B 5D 20 53 65 72 76 65 72 2E 2E  [Win2k] Server..
    > 4a0 : 2E 0D 0A 20 2D 20 43 6F 6E 65 63 74 61 6E 64 6F  ... - Conectando
    > 4b0 : 20 63 6F 6E 20 6C 61 20 53 68 65 6C 6C 20 52 65   con la Shell Re
    > 4c0 : 6D 6F 74 61 2E 2E 2E 0D 0A 0D 0A 4D 69 63 72 6F  mota.......Micro
    > 4d0 : 73 6F 66 74 20 57 69 6E 64 6F 77 73 20 32 30 30  soft Windows 200
    > 4e0 : 30 20 5B 56 65 72 73 69 3D 46 33 6E 20 35 2E 30  0 [Versi=F3n 5.0
    > 4f0 : 30 2E 32 31 39 35 5D 0D 0A 28 43 29 20 43 6F 70  0.2195]..(C) Cop
    > 500 : 79 72 69 67 68 74 20 31 39 38 35 2D 32 30 30 30  yright 1985-2000
    > 510 : 20 4D 69 63 72 6F 73 6F 66 74 20 43 6F 72 70 2E   Microsoft Corp.
    > 520 : 0D 0A 0D 0A 43 3A 5C 57 49 4E 4E 54 5C 73 79 73  ....C:\WINNT\sys
    > 530 : 74 65 6D 33 32 3E 65 78 69 74 0D 0A 0D 0A 20 2D  tem32>exit.... -
    > 540 : 20 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6C 6F 73   Connection Clos
    > 550 : 65 64 0D 0A 20 2D 20 43                          ed.. - C
    >
    > Paul Schmehl (pauls@utdallas.edu)
    > Adjunct Information Security Officer
    > The University of Texas at Dallas
    > AVIEN Founding Member
    > http://www.utdallas.edu
    >
    > -----------------------------------------------------------------------
    > ----
    > Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
    > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
    > - Automatically Control P2P, IM and Spam Traffic
    > - Ensure Reliable Performance of Mission Critical Applications
    > Precisely Define and Implement Network Security and Performance
    > Policies
    > **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    > Visit us at: http://www.captusnetworks.com/ads/31.htm
    > -----------------------------------------------------------------------
    > ----
    >
    >

    -- 
    Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
    Sourcefire: Enterprise-class Intrusion detection built on Snort
    roesch@sourcefire.com - http://www.sourcefire.com
    Snort: Open Source Network IDS - http://www.snort.org
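The match Paul describes, as an added example that belongs to neither message and is not Snort's own code: a small Python emulation of the three chained content matches in sid 2123 (the second and third carry distance:0, so each must start at or after the end of the previous hit), run over an excerpt of the IMAP FETCH payload rebuilt from the hex dump above and, for contrast, over a constructed cmd.exe banner of the kind the rule was written for. It then tries two ways of tightening the rule along the lines of Marty's reply: excluding the mail ports on the source side, and anchoring the first content with Snort's depth keyword so the banner has to appear at the start of the server's data. The mail port numbers, the depth value of 20 and the remark that Snort of that era could not express the extra port exclusions in a single rule header are my assumptions, not anything the thread states.

```python
"""Why sid 2123 fired on the IMAP FETCH in this thread, and two ways to
tighten it. Added example, not Snort's own code: a minimal emulation of the
rule's chained content matches (distance:0 == search from the end of the
previous hit) and of the depth keyword, run over constructed payloads."""

# Excerpt of the quoted payload, rebuilt from the hex dump in the thread
# (offsets 0x000-0x05f and 0x350-0x3ff); the scanner log between them is
# elided. "=F3" is the quoted-printable form of the accented letter in
# "Version", exactly as it travelled inside the mail body.
IMAP_FETCH = (
    b"* 6916 FETCH (FLAGS (\\Seen) BODY[1] {3228}\r\n\r\n"
    b"multithreading &os detection && macros support...\r\n"
    b"[scanner output from the bugtraq post elided]\r\n"
    b" - Conectando con la Shell Remota...\r\n\r\n"
    b"Microsoft Windows XP [Versi=F3n 5.1.2600]\r\n"
    b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\n"
    b"C:\\WINDOWS\\system32>.\r\n - Connection Closed\r\n"
)

# What a cmd.exe bound to a socket sends first (constructed for contrast,
# not captured traffic).
REAL_SHELL = (
    b"Microsoft Windows XP [Version 5.1.2600]\r\n"
    b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\n"
    b"C:\\WINDOWS\\system32>"
)

# sid 2123 as quoted: any source port except 21-23, server-to-client
# direction, three content matches with the 2nd and 3rd carrying distance:0.
RULE_2123 = {
    "excluded_src_ports": set(range(21, 24)),            # !21:23
    "contents": [b"Microsoft Windows", b"(C) Copyright 1985-", b"Microsoft Corp."],
    "depth": None,                                       # no depth keyword
}

# Tightening 1 (assumed port list): also drop the mail ports the list traffic
# arrived on. My understanding is that a Snort 2.0 rule header could not
# express a port list like this, so in practice it would be several rules or
# a pass rule for the mail servers; that is an assumption, not the thread's.
RULE_2123_NO_MAIL = dict(RULE_2123,
                         excluded_src_ports=set(range(21, 24)) | {25, 110, 143})

# Tightening 2: depth:20 on the first content, so the banner must sit in the
# first 20 bytes of server data, where a freshly spawned cmd.exe puts it.
# The value 20 is an assumption.
RULE_2123_DEPTH = dict(RULE_2123, depth=20)


def match_offsets(payload: bytes, contents, depth=None):
    """Emulate a chain of content: matches. Returns the offset of each hit,
    or None if any content is missing. The first content is searched within
    the first `depth` bytes when depth is set; every later content is
    searched from the end of the previous hit onward (distance:0)."""
    offsets, pos = [], 0
    for i, needle in enumerate(contents):
        end = depth if (i == 0 and depth is not None) else len(payload)
        idx = payload.find(needle, pos, end)   # hit must lie within [pos, end)
        if idx < 0:
            return None
        offsets.append(idx)
        pos = idx + len(needle)
    return offsets


def rule_fires(rule, src_port: int, from_server: bool, payload: bytes) -> bool:
    """Apply the rule header (source port negation), flow:from_server and the
    content chain. `payload` is taken to be the reassembled server data, as
    Snort's stream preprocessor would hand it to the detection engine."""
    if not from_server or src_port in rule["excluded_src_ports"]:
        return False
    return match_offsets(payload, rule["contents"], rule["depth"]) is not None


if __name__ == "__main__":
    cases = [("sid 2123 as shipped", RULE_2123),
             ("mail ports excluded", RULE_2123_NO_MAIL),
             ("depth:20 on banner", RULE_2123_DEPTH)]
    for name, rule in cases:
        print(f"{name:22s} IMAP/143 list post -> "
              f"{rule_fires(rule, 143, True, IMAP_FETCH)!s:5s} "
              f"real shell/4444 -> {rule_fires(rule, 4444, True, REAL_SHELL)}")
    print("hit offsets in the list post:",
          [hex(o) for o in match_offsets(IMAP_FETCH, RULE_2123["contents"])])
```

Run as-is, the rule as shipped fires on the list post coming back from port 143, both tightened variants stay quiet on it, and all three still fire on the constructed banner from an arbitrary high port. The depth variant buys its precision with recall: a shell whose first reassembled bytes are something other than the banner would slip past it, which is the kind of environment-specific trade Marty is describing when he says the rule could be tighter.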
    

