Snort mailing list archives

Re: CVE-2012-5076 and CVE-2012-1723 Rules


From: Joel Esler <jesler () sourcefire com>
Date: Sun, 25 Nov 2012 20:34:30 -0500

YM,

Thanks for bringing this up. I'm on my phone right now and can't take a look, but we should have fired on blackhole.
The rules that cover blackhole for the most part are in the exploit-kit.rules file.

I'll take a look and see what we can do to improve any coverage we are missing; blackhole, especially v2, is a pain.

--
Joel Esler
Sent from my iPhone 

On Nov 25, 2012, at 5:26 AM, Snort Troubleshooting <snort () outlook com> wrote:

Hello,

Today I was testing some blackhole websites against Snort in my test lab to validate some traffic, and Snort
using the VRT rules (subscriber rules) did not alert on anything. However, the anti-virus installed on the test
machine detected that two Java exploit files had been downloaded and were happily residing in
/AppData/Local/Temp. The anti-virus (MSE) reported the following:

1. Exploit: Java/CVE-2012-5076.BBW ---> KPOWd.class
2. Exploit: Java/CVE-2012-1723!generic ---> kvjMojWwL.class
 
At this point I suspected that my Snort configuration/rules may be wrong. After confirming that everything was fine,
I went ahead and downloaded the ET (open-source) rules and stuck them in there. Then I browsed to the blackhole website
again, and Snort fired on two ET rules, namely sid:2015724 and sid:2015725. Unfortunately, the msg of these two
alerts is not fully descriptive and there are no references included in the alerts.

After that, I searched through my Snort rules for ones that cover both CVEs mentioned above, and they are included and
enabled in my snort.rules (PulledPork, -I balanced). I found these (along with their state: enabled, disabled):
 
1. CVE-2012-5076:
   - sid: 24026 (enabled)
   - sid: 20622 (disabled)
2. CVE-2012-1723:
   - sid: 24202 (enabled)
   - sid: 24201 (enabled)
   - sid: 23277 (enabled)
   - sid: 23276 (enabled)
   - sid: 23275 (enabled)
   - sid: 23274 (enabled)
   - sid: 23273 (enabled)
 
All of the above use $FILE_DATA_PORTS, which in my case did not include the port that the blackhole website is using.
So I added the port to $FILE_DATA_PORTS and retested, but the Snort (VRT) rules still did not fire, yet the ET rules did.
Obviously, the signatures (content, pcre, etc.) are different, but I thought they would still alert, as signatures can
be different yet catch the same malicious traffic. I was not able to test enabling the "security" policy in
PulledPork to see if that would enable rules that catch the said traffic.

I have fairly good experience running Snort, though I'm still learning my way through writing proper rules. I will
try to examine the pcaps and Fiddler session data in the upcoming days and update. If anyone can shed some light
on this, it would be appreciated.

Thanks.
YM
------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
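YM's troubleshooting above comes down to two checks per rule: is the rule enabled, and does the port variable in its header (here $FILE_DATA_PORTS) actually cover the port the exploit kit serves on. The script below automates both checks. It is an added example for this thread, not code from the Snort project, the VRT or Emerging Threats; the rules, the sids (local 1000000+ range), the snort.conf fragments and the server port 8888 are all constructed samples and are not the real rules YM lists. It resolves nested portvars ($FILE_DATA_PORTS built from $HTTP_PORTS, as in the stock snort.conf), port ranges, lists and negation, and treats a rule commented out with "#" as one PulledPork left disabled.

```python
"""Audit Snort rules that reference a CVE: is each rule enabled, and does the
port variable in its header cover the server port seen in traffic?

Added example for this thread, not code from the Snort project, the VRT or
Emerging Threats. Rules, sids (local 1000000+ range), snort.conf fragments and
the server port 8888 are constructed samples, not the real rules in the thread."""
import re

# Constructed snort.conf fragments. A portvar may reference another portvar
# with $NAME, so FILE_DATA_PORTS inherits whatever HTTP_PORTS contains.
CONF_BEFORE = """
portvar HTTP_PORTS [80,8080]
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
"""
# Same config after adding the (constructed) exploit kit server port 8888.
CONF_AFTER = CONF_BEFORE.replace("[80,8080]", "[80,8080,8888]")

# Constructed rules: an enabled and a disabled ("# alert") rule keyed to
# $FILE_DATA_PORTS, plus one whose header accepts any source port.
RULES_TEXT = r"""
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"CONSTRUCTED Java CVE-2012-5076 class download"; flow:to_client,established; file_data; content:"SAMPLE-A"; reference:cve,2012-5076; classtype:attempted-user; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"CONSTRUCTED Java CVE-2012-5076 variant"; flow:to_client,established; file_data; content:"SAMPLE-B"; reference:cve,2012-5076; classtype:attempted-user; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED Java CVE-2012-1723 class download"; flow:to_client,established; file_data; content:"SAMPLE-C"; reference:cve,2012-1723; classtype:attempted-user; sid:1000003; rev:1;)
"""

HEADER_RE = re.compile(
    r"^(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)"
    r"\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def split_list(body):
    """Split a port-list body on top-level commas; lists may nest ([80,[443,8443]])."""
    items, cur, depth = [], "", 0
    for ch in body:
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
            continue
        depth += (ch == "[") - (ch == "]")
        cur += ch
    items.append(cur)
    return [i.strip() for i in items if i.strip()]

def port_in_spec(spec, port, portvars):
    """True if `port` matches a Snort port spec: any, 80, 1024:, :1023, 100:200,
    [a,b,...], !spec, or $PORTVAR (resolved recursively through `portvars`)."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_in_spec(spec[1:], port, portvars)
    if spec.startswith("$"):
        return port_in_spec(portvars[spec[1:]], port, portvars)  # KeyError if undefined
    if spec.startswith("[") and spec.endswith("]"):
        return any(port_in_spec(item, port, portvars) for item in split_list(spec[1:-1]))
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def parse_portvars(conf_text):
    """Collect `portvar NAME SPEC` lines into a name -> spec mapping."""
    return dict(re.findall(r"^\s*portvar\s+(\w+)\s+(\S+)", conf_text, re.M))

def parse_rules(rules_text):
    """Parse one-line rules; a leading '#' marks a rule left disabled."""
    rules = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        enabled = not line.startswith("#")
        m = HEADER_RE.match(line.lstrip("#").strip())
        sid = re.search(r"\bsid:\s*(\d+)", m.group(8)) if m else None
        if not sid:
            continue  # blank line or a plain comment, not a rule
        rules.append({
            "sid": int(sid.group(1)), "enabled": enabled,
            "src_port": m.group(4), "direction": m.group(5), "dst_port": m.group(7),
            "cves": re.findall(r"reference:\s*cve,\s*(\d{4}-\d+)", m.group(8)),
        })
    return rules

def header_covers(rule, server_port, client_port, portvars):
    """Would a server->client packet on these ports pass the rule header at all?"""
    fwd = (port_in_spec(rule["src_port"], server_port, portvars)
           and port_in_spec(rule["dst_port"], client_port, portvars))
    if rule["direction"] == "->":
        return fwd
    rev = (port_in_spec(rule["src_port"], client_port, portvars)
           and port_in_spec(rule["dst_port"], server_port, portvars))
    return fwd or rev

def audit(rules_text, conf_text, cve, server_port, client_port=49152):
    """For every rule referencing `cve`: sid, enabled state, source-port spec and
    whether the header covers the observed server port (client port is ephemeral)."""
    portvars = parse_portvars(conf_text)
    return [{"sid": r["sid"], "enabled": r["enabled"], "src_port": r["src_port"],
             "covers_port": header_covers(r, server_port, client_port, portvars)}
            for r in parse_rules(rules_text) if cve in r["cves"]]

if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(f"--- {label} adding port 8888 to HTTP_PORTS ---")
        for cve in ("2012-5076", "2012-1723"):
            for r in audit(RULES_TEXT, conf, cve, 8888):
                print(f"CVE-{cve} sid:{r['sid']} {'enabled' if r['enabled'] else 'disabled'} "
                      f"src {r['src_port']} {'covers' if r['covers_port'] else 'MISSES'} port 8888")
```

Header coverage is necessary but not sufficient: once the port is added, the "before" MISSES turn into "covers", yet the rule still only fires if its content/pcre matches the bytes on the wire, which is exactly the situation YM describes after widening $FILE_DATA_PORTS. A rule with "any" as source port (sid 1000003 here) is unaffected by the portvar change, which is why checking each rule's own header rather than assuming one shared variable is worth the effort.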