Project

General

Profile

Actions
Copy link

Bug #611

closed

fp: rule with ports matching on portless proto

Added by Peter Manev over 11 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
2.0rc2
Affected Versions:
Effort:
Difficulty:
Label:

Description

using - 1.4dev (rev 2ab6292)
with yaml vars like so :

address-groups:

HOME_NET: "[192.168.0.0/16]"

EXTERNAL_NET: "any"

HTTP_SERVERS: "$HOME_NET"

SMTP_SERVERS: "$HOME_NET"

SQL_SERVERS: "$HOME_NET"

DNS_SERVERS: "$HOME_NET"

TELNET_SERVERS: "$HOME_NET"

AIM_SERVERS: "$EXTERNAL_NET"

DNP3_SERVER: "$HOME_NET"

DNP3_CLIENT: "$HOME_NET"

MODBUS_CLIENT: "$HOME_NET"

MODBUS_SERVER: "$HOME_NET"

ENIP_CLIENT: "$HOME_NET"

ENIP_SERVER: "$HOME_NET"

  1. Holds the port group vars that would be passed in a Signature.
  2. These would be retrieved during the Signature port parsing stage.
    port-groups:

#HTTP_PORTS: "[80,81,311,591,593,901,1220,1414,1741,1830,2301,2381]"
HTTP_PORTS: "[80,81]"
#"[80,81,311,591,593,901,1220,1414,1741,1830,2301,2381,2809,3128,3702,4343,4848,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8090,8118,8123,8180,8181,8243,8280,8800,8888,8899,9000,9080,9090,9091,9443,9999,11371,55555]"

#SHELLCODE_PORTS: "!80"
SHELLCODE_PORTS: "[21,22,80,11111,22222]"

ORACLE_PORTS: "[1521,1024]"

SSH_PORTS: "[22,222]"

FTP_PORTS: "[21,2100,3535]"

SIP_PORTS: "[5060,5061,5600]"

FILE_DATA_PORTS: "[110,143]"

GTP_PORTS: "[2123,2152,3386]"

with the rule -

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)

with the attached pcap , alerting about 64 times on 125 packets containing "CCCC...." - but i think we should not alert , because the SHELLCODE_PORTS var does not match any of the pcap ports.

Furhter more (some variations of the rule with the same pcap) -

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)
alerts 64 time

alert ip any any -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:2101390; rev:7;)
alerts, above - 124 times

alert ip any $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:2101390; rev:7;)
alerts 64 times

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:2101390; rev:7;)
alerts 124 times

It seems that there is a problem with the parsing of the $EXTERNAL_NET $SHELLCODE_PORTS variables.

just for comparison - Snort 2.9.3.1 with the same pcap and the same original rule alerts 124 times

thanks

Files

GPL-SHELLCODE-x86-inc-ebx-NOOP-rule-2101390.pcap (45.2 KB) GPL-SHELLCODE-x86-inc-ebx-NOOP-rule-2101390.pcap Peter Manev, 10/29/2012 07:31 AM
Actions
Copy link

Also available in: Atom PDF