Snort

At 01:03 PM 12/8/2003, Anna Patil wrote:
>
>Is there any option to drop perticular packet (like alert is for logging).

1) this belongs on snort-users, not snort-sigs.

2) by itself, snort is a passive sniffer that operates in parallel with the 
local TCP/IP stack. Thus, if snort "drops" a packet, nothing happens to the 
copy in the TCP/IP stack.

There are tools that cause snort's alerts to reconfigure a firewall, 
inline-snort is a linux-kernel specific patch to do this.

Snortsam works on multiple firewalls, even external ones (ie: serial 
connection to a PIX) but isn't truly realtime and will block a source of 
traffic a couple of milliseconds after the alert was triggered.

snort comes with flexresp, and flexresp2, which are attempts to kill an 
ongoing communication session by spoofing reset packets and ICMP errors. 
However it should be understood that this mechanism is not 100% reliable 
and should not be treated as if it were a firewall replacement.

I have been using this rule for a while now and only get a few false=20
positives a day.  Its very useful for detecting hacked linux/solaris boxe=
s=20
due to the fact that lots of rootkits install ssh(and old versions at=20
that.)

For your use, just change the src port field to 'any' and you should be=20
ok. =20

If anyone else has a better rule, or can make this one better, I'd love t=
o=20
see it.

Phil

alert tcp any !22 -> any any (msg:"SSH server banner non-22";=20
content:"SSH-";
offset:0; depth:5; content:"-"; flow:established,from_server;=20
classtype:misc-activity;
sid:1545647;)



On Mon, 8 Dec 2003, Tony Hernandez wrote:

> Hey guys, I have recently had an interest for policy reasons here to=20
detect incoming SSH connections to any of my subnets. Since, the port may=
=20
not be the default port (22) and it seems that I can't really tell which=20
side the "OpenSSH-" banner is coming from is there another way to detect=20
ssh sessions at the packet level? By any packet pattern challenge/respons=
e etc?=20
>=20
>=20
> Is anyone using a rule like this and or a rule that can detect somethin=
g like this with little FP's ? any examples for this would be greatly app=
reciated as always.
>=20
>=20
>=20
>=20
> Tony Hernandez
> University of Florida
>=20
>=20
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM=
's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admi=
n.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id371&op=CCk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@...
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>=20
>=20

-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Phil Deneault     "We work in the dark, We do what we can,
deneault@...   We give what we have. Our doubt is our passion,
WPI NetOps         and our passion is our task. The rest is the
InfoSec            madness of art." - Henry James
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-

At 07:14 AM 12/8/2003, Alexandru Balan wrote:
>let's say i have a rule that outputs to fwsam which filters out the
>offending ip. Is there a way to make it ouptut to fwsam after 5 matches
>on that sig ?
>For example, i want snortsam to filter out the offending ip if snort
>detects more then 5 identic matches on a signature per 3 seconds or
>something like that. Any help would be much appreciated.


See doc/README.thresholding in the tarball.

On Monday 08 December 2003 01:57 am, james wrote:
> Note: there is a typo in the rule for 1652 and 1653.  Insecure.org
> published this as "campus cgi hole" but the exploit uses "campas.cgi"
> (reference included)
>
>
> sid: 1653
> --
> Summary: cgi script found on version 1.2 of NCSA web server allows
> retrieval of
> files outside the web publishing directory structure.
> --
> Impact: File retrieval leading to compromise of confidential information,
> potential root exploit.
> --
> Detailed Information:
> "Francisco Torres" posted information on this one which is repeated on
> insecure.org.
> After connecting to the vulnerable web server, the command:
> GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a
> results in retrieving /etc/passwd
> --
> Affected Systems: web servers running very old (1995) version of NCSA web
> server
> may have this cgi script installed.
> --
> Attack Scenarios:
> Attacker connects on tcp port 80 (http default port), issues the command
> and the
> desired file is retrieved.  Attacker must know (or guess) the path to the
> file desired.  It is not known whether wild cards will work with this
> exploit. --
> Ease of Attack:
> Trivial for known file paths.
> --
> False Positives:
> If you have a legitimate cgi script named 'campas.cgi', requests for it
> will trigger this alert.
>
> NOTE: the snort rule replicates a typo at insecure.org.  As the script
> retrieved
> is 'campas.cgi', the rule should not trigger on 'campus.cgi'
>
> --
> False Negatives:
> Obfuscated web requests might cause an IDS to miss the request.
> --
> Corrective Action:
> Delete all unnecessary cgi scripts!
> Run web server in chroot jail so access to files outside web service file
> system
> is difficult.
> For this particular exploit, remove campas.cgi and/or update NCSA web
> server.
>
> --
> Contributors:
>
> --
> Additional References:
> http://www.insecure.org/sploits/campus.cgi.hole.html

-- 


I got a lot of bad ideas in my head.  
	-Travis Bickle