[Dshield] SQLSnake snort sig (fwd)

Johannes Ullrich jullrich at sans.org
Wed May 22 01:29:34 GMT 2002


I think there are two good content strings we could add:

0x0080: 01 00 65 00 78 00 65 00 63 00 20 00 78 00 70 00  ..e.x.e.c. .x.p.
0x0090: 5F 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00  _.c.m.d.s.h.e.l.
0x00A0: 6C 00 20 00 27 00 6E 00 65 00 74 00 20 00 75 00  l. .'.n.e.t. .u.

This is the 'exec xp_cmdshell' part. While this may show up in some
valid packets, it probably shouldn't. This is also a nice test for any
similar worms that may follow.

There is already a standard rule in snort for port 139:

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB
xp_cmdshell program execution"; content:
"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase;
flags:A+; offset:32; classtype:attempted-user; sid:681; rev:3;)

Another good rule would be for the empty SA password access. I can't
find the packet right now :-(...
But this would also trigger on the 'mechanism' instead of on some random
string.


> content and depth rules would make the sig a lot better.  As it stands
> it's going to trigger on all port 1433 traffic.  That's not going to
> help the people running sql servers because it's going to fire on
> everything.  The packet traces sent by Robert Wagner would be a good
> base for some signatures.

-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection         
                                     join http://www.dshield.org
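As an added example (not part of the post, and not Snort's own code), here is a small Python reimplementation of how the content / nocase / offset / depth keywords of the sid:681 rule match the UTF-16LE "xp_cmdshell" string against the bytes from the hex dump above; the 32 zero-byte prefix on the sample payload is constructed so that offset:32 has something to skip.

```python
import re
from typing import Optional

# Snort content string from the standard port-139 rule quoted in the post (sid:681):
# UTF-16LE "xp_cmdshell", written with Snort's |hh| hex escapes for the NUL bytes.
XP_CMDSHELL_CONTENT = "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"

# Constructed sample payload: the bytes from the hex dump in the post (UTF-16LE
# "exec xp_cmdshell 'net u"), preceded by 32 zero bytes standing in for the
# packet bytes before the dumped region.
SAMPLE_PAYLOAD = bytes(32) + bytes.fromhex(
    "01 00 65 00 78 00 65 00 63 00 20 00 78 00 70 00 "
    "5F 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00 "
    "6C 00 20 00 27 00 6E 00 65 00 74 00 20 00 75 00 "
)

def snort_content_to_bytes(content: str) -> bytes:
    """Translate a Snort content string (literal text plus |hh hh| hex escapes) to bytes."""
    if content.count("|") % 2:
        raise ValueError("unterminated |hex| escape in content string")
    out = bytearray()
    for literal, hexpart in re.findall(r"([^|]*)(?:\|([0-9A-Fa-f ]*)\|)?", content):
        out += literal.encode("latin-1")
        if hexpart:
            out += bytes.fromhex(hexpart)
    return bytes(out)

def content_match(payload: bytes, content: str, nocase: bool = False,
                  offset: int = 0, depth: Optional[int] = None) -> int:
    """Return the payload index where the content matches, or -1.

    offset/depth restrict the search to payload[offset:offset+depth], as the
    Snort keywords do. nocase folds ASCII letters on both sides (Snort's nocase
    works at byte level too); the |00| bytes are untouched, so the UTF-16LE
    pattern still matches an upper-cased XP_CMDSHELL.
    """
    pattern = snort_content_to_bytes(content)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    idx = window.find(pattern)
    return -1 if idx < 0 else offset + idx

def xp_cmdshell_rule_fires(payload: bytes) -> bool:
    """The content part of the sid:681 rule: nocase match at offset 32 or later."""
    return content_match(payload, XP_CMDSHELL_CONTENT, nocase=True, offset=32) >= 0
```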