Snort mailing list archives
Re: Fwd: Snort catching backup as alert?
From: Alexandre Carmel-Veilleux <alexandre.carmel () miniguru ca>
Date: Mon, 19 Aug 2013 12:26:32 -0400
Hi,

The shellcode detector is a frequent source of false positives. It's basically only matching strings of letters / characters that frequently happen in shellcodes in any network packet. Most of the better exploitation tools out there can randomize their shellcodes, avoiding this rule altogether. This is basically designed to catch very low hanging fruits (like some bad automated scanners).

You can reduce the impact by making sure both your servers are in $HOME_NET's IP range. Possibly encrypting the backups you do will modify the character signature enough as well. Otherwise, be somewhat skeptical of that alert.

Alex

On Mon, Aug 19, 2013 at 11:32 AM, William Rehnquyst <rehnquyst () gmail com> wrote:
Hi,

The other day my Snort alerted that it had detected shellcode, and the payload information looks just like a snort rule. It seems to be going from my snort server to the backup server. Does that just mean while backup is happening, Snort is detecting shellcode it's looking for in the rule file itself? I would think if that's the case then every single rule in the rule file would be triggered, because everything it's looking for is in there and it's being transmitted. Were these shellcode detections just a fluke then?

Below is the payload it captured, which triggered the alert:

"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder"; content:"redacted because it'd just get picked up by sourcefire IDS as malware"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:17340; rev:3;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha UTF8 tolower avoidance decoder"; content:"redacted"; content:"redacted because it'd just get picked up by sourcefire IDS as malware"; distance:1; content:"redacted"; distance:1; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:17341; rev:2;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode mixed case decoder"; content:"redacted"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:17342; rev:2;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode upper case decoder"; content:"redacted"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:17343; rev:2;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic xor

Many thanks,
Rehn

ps. On a side note, pardon my newbie-ness, how do screenshots and attachments work on a mailing list like this? I'm not sure whether they work or not because I never see them in the archive on seclists.org?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
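As an added illustration (not part of the thread), a small Python model of why Alex's $HOME_NET advice works: the sids quoted above all carry the header `alert ip $EXTERNAL_NET any -> $HOME_NET any`, and with the usual `ipvar EXTERNAL_NET !$HOME_NET`, a flow between two hosts that are both inside HOME_NET can never satisfy that header in either direction. The addresses, subnets and the simplified ipvar evaluation are constructed assumptions, not Snort's own parser.

```python
import ipaddress

# Constructed sample addresses (not from the thread): the Snort sensor and the backup server.
SNORT_SERVER = "10.0.1.10"
BACKUP_SERVER = "10.0.2.20"

# Header shared by sids 17340-17343 in the thread.
RULE_HEADER = "alert ip $EXTERNAL_NET any -> $HOME_NET any"


def parse_ipvar(line):
    """Parse a snort.conf line 'ipvar NAME SPEC' into (NAME, SPEC). Simplified: no nested spaces."""
    _, name, spec = line.split(None, 2)
    return name, spec.strip()


def ip_matches(spec, ip, ipvars):
    """Evaluate a Snort IP spec: 'any', negation '!X', variable '$NAME', list '[a,b]' or a CIDR."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip, ipvars)
    if spec.startswith("$"):
        return ip_matches(ipvars[spec[1:]], ip, ipvars)
    if spec.startswith("["):
        return any(ip_matches(part, ip, ipvars) for part in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def header_matches(conf_lines, src, dst, header=RULE_HEADER):
    """True if a unidirectional 'action proto SRC any -> DST any' header applies to src -> dst."""
    ipvars = dict(parse_ipvar(l) for l in conf_lines if l.startswith("ipvar"))
    _action, _proto, src_spec, _sport, _arrow, dst_spec, _dport = header.split()
    return ip_matches(src_spec, src, ipvars) and ip_matches(dst_spec, dst, ipvars)


def flow_can_alert(conf_lines, host_a, host_b):
    """A backup session carries traffic both ways, so check the header against both directions."""
    return header_matches(conf_lines, host_a, host_b) or header_matches(conf_lines, host_b, host_a)


# Misconfigured: only the backup subnet is HOME_NET, so the sensor counts as "external".
NARROW_CONF = ["ipvar HOME_NET [10.0.2.0/24]", "ipvar EXTERNAL_NET !$HOME_NET"]
# Corrected per Alex's advice: both servers' subnets are inside HOME_NET.
WIDE_CONF = ["ipvar HOME_NET [10.0.1.0/24,10.0.2.0/24]", "ipvar EXTERNAL_NET !$HOME_NET"]
```

Genuinely external sources (anything outside HOME_NET) still match the header under WIDE_CONF, so widening HOME_NET removes the backup false positive without disabling the sids.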
Current thread:
- Fwd: Snort catching backup as alert? William Rehnquyst (Aug 19)
- Re: Fwd: Snort catching backup as alert? Jefferson, Shawn (Aug 19)
- Re: Fwd: Snort catching backup as alert? waldo kitty (Aug 19)
- Re: Fwd: Snort catching backup as alert? William Rehnquyst (Aug 22)
- Re: Fwd: Snort catching backup as alert? waldo kitty (Aug 22)
- Re: Fwd: Snort catching backup as alert? William Rehnquyst (Aug 22)
- Re: Fwd: Snort catching backup as alert? Alexandre Carmel-Veilleux (Aug 24)
- Re: Fwd: Snort catching backup as alert? waldo kitty (Aug 24)
- Re: Fwd: Snort catching backup as alert? Joel Esler (Aug 25)
- Re: Fwd: Snort catching backup as alert? waldo kitty (Aug 24)
