[Dshield] Could this be done ?

John Sage jsage at finchhaven.com
Wed Sep 11 14:18:01 GMT 2002


On Tue, Sep 10, 2002 at 10:50:44AM -0700, John Draper wrote:

<snip-a-lot>

> I would be careful about turning on RPC rules, we do get a lot of
> false positives on some of them. But in our case, we don't use
> RPC and have those ports blocked anyway, so no need to turn them
> on.

Interesting. I have a question posted on the snort list right now
that concerns an RPC false positive:

What wins: TCP/IP header matches (ports, IPs), or packet content
matches (hex sequences)?

I'm seeing packet content matches, which seems to be risky business,
because a specific hex string *might* appear in, say, a gzipped file
and thus the alert really means nothing.


Here's the rule:

rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:3;)

And here it matches on content, but ignores the destination port
specified by the rule:

<snip>
[**] [1:1278:3] RPC rstatd query [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/08/02-16:52:31.887141 63.100.47.45:80 -> 12.82.131.145:63498
TCP TTL:49 TOS:0x0 ID:64237 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE9A99172  Ack: 0xE9926FEA  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1557233190 427655814 
[Xref => http://www.whitehats.com/info/IDS9]
<snip>

<snip>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/08-16:52:31.887141 63.100.47.45:80 -> 12.82.131.145:63498
TCP TTL:49 TOS:0x0 ID:64237 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE9A99172  Ack: 0xE9926FEA  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1557233190 427655814 
0x0000: 45 00 05 DC FA ED 40 00 31 06 4A BA 3F 64 2F 2D  E.....@.1.J.?d/-
0x0010: 0C 52 83 91 00 50 F8 0A E9 A9 91 72 E9 92 6F EA  .R...P.....r..o.
0x0020: 80 10 19 20 DD C3 00 00 01 01 08 0A 5C D1 7E 26  ... ........\.~&
0x0030: 19 7D 82 86 5F 46 36 63 49 66 61 57 3A 68 32 61  .}.._F6cIfaW:h2a
0x0040: 46 7C 63 37 6D 48 63 49 66 32 5F 2E 69 40 41 36  F|c7mHcIf2_.i@A6
0x0050: 75 3A 49 68 5F 46 36 63 49 66 61 57 3A 68 32 61  u:Ih_F6cIfaW:h2a
0x0060: 46 7C 63 37 6D 48 63 49 66 32 5F 2E 69 40 48 7D  F|c7mHcIf2_.i@H}
0x0070: 38 6A 79 38 59 6A 56 28 2E 42 7A 75 3A 3A 64 6D  8jy8YjV(.Bzu::dm
0x0080: 49 68 64 3B 20 57 53 53 5F 47 57 3D 56 31 41 6C  Ihd; WSS_GW=V1Al
0x0090: 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
0x00A0: 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
0x00B0: 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
0x00C0: 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
0x00D0: 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
0x00E0: 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
0x00F0: 51 41 6C 51 7A 25 72 42 51 25 5E 25 72 40 69 3B  QAlQz%rBQ%^%r@i;
0x0100: 20 43 54 47 3D 31 30 32 35 31 39 31 39 31 39 0D   CTG=1025191919.
0x0110: 0A 0D 47 3D 1B 3D 58 0D 02 00 9A 05 00 00 9A 05  ..G=.=X.........
0x0120: 00 00 00 00 0C 04 B2 33 00 03 E3 D9 26 C0 08 00  .......3....&...
0x0130: 45 00 05 8C EB 04 40 00 73 06 FC 52 CC 11 72 09  E.....@.s..R..r.
0x0140: 2E 05 B4 FA 00 50 F9 C1 B3 D2 78 9D 00 01 65 80  .....P....x...e.
0x0150: 50 10 40 B0 46 75 00 00 86 A2 00 00 00 02 00 00  P.@.Fu..........
0x0160: 00 00 00 00 00 01 00 00 00 96 00 00 00 00 00 00  ................
0x0170: 00 96 00 00 00 40 00 00 00 00 00 00 00 00 00 00  .....@..........
0x0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0190: 00 00 00 00 00 00 00 00 00 00 02 00 01 86 A1 00  ................
                 ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^
<snip>



- John
-- 
"Obviously, we do not want to leave zombies around."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
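Added example (not part of the original post or of Snort itself): a small Python model of the two checks the quoted rstatd rule makes, the destination-port test from the rule header and the content search that starts at payload offset 5, run over a constructed stand-in for the packet above. In a Snort rule header `32770:` is an open-ended range (32770 through 65535), and `offset:5` only moves the start of the byte search, so a reply to an ephemeral port whose body happens to contain those 12 bytes satisfies both checks. Port numbers and the sample payload are constructed for illustration.

```python
# Added example (not from the original post): models a Snort rule header
# port spec and a content/offset option and applies them to the rstatd rule.
# Port numbers and payload bytes below are constructed for illustration.

def parse_port_spec(spec: str) -> tuple[int, int]:
    """Snort port spec -> inclusive (low, high): 'any', 'N', 'N:', ':N', 'N:M'."""
    if spec == "any":
        return (0, 65535)
    if ":" not in spec:
        port = int(spec)
        return (port, port)
    low, high = spec.split(":", 1)
    return (int(low) if low else 0, int(high) if high else 65535)


def port_matches(spec: str, port: int) -> bool:
    low, high = parse_port_spec(spec)
    return low <= port <= high


def parse_content(option: str) -> bytes:
    """Turn a Snort content value such as '|00 01 86 A1|' into raw bytes."""
    return bytes.fromhex(option.strip("|").replace(" ", ""))


def content_matches(payload: bytes, pattern: bytes, offset: int = 0) -> bool:
    """offset:N makes Snort begin the pattern search N bytes into the payload."""
    return payload.find(pattern, offset) != -1


# The rule's content is an XDR-encoded RPC call header: msg type CALL (0),
# RPC version 2, program 100001 (0x186A1, rstatd).
RSTATD_CONTENT = parse_content("|00 00 00 00 00 00 00 02 00 01 86 A1|")
RULE_DST_PORTS = "32770:"   # rule header: port 32770 and above


def rule_fires(dst_port: int, payload: bytes) -> bool:
    """True when both the header port test and the content search succeed."""
    return port_matches(RULE_DST_PORTS, dst_port) and content_matches(
        payload, RSTATD_CONTENT, offset=5
    )


# Constructed stand-in for the quoted HTTP reply: cookie-like text followed by
# zero padding in which the 12-byte pattern happens to occur.
SAMPLE_PAYLOAD = b"WSS_GW=V1AlQAlQ" + b"\x00" * 24 + RSTATD_CONTENT + b"\x00" * 8

if __name__ == "__main__":
    print("fires for a reply to port 63498:", rule_fires(63498, SAMPLE_PAYLOAD))
    print("fires for a reply to port 80:", rule_fires(80, SAMPLE_PAYLOAD))
```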



