Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] sid: 2486 - false positive and false negatives

from [Fabio Panigatti] Network Security [Permanent Link]
Subject: [Snort-sigs] sid: 2486 - false positive and false negatives
Date: Fri, 24 Jun 2005 17:59:26 +0200 
Curent Rule
-----------
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (
    msg:"DOS ISAKMP invalid identification payload attempt"; 
    content:"|05|"; depth:1; offset:16;
    byte_test:2,>,4,30; 
    byte_test:2,<,8,30; 
    reference:bugtraq,10004; reference:cve,2004-0184; 
    classtype:attempted-dos; 
    sid:2486; rev:5;
)

False positive
--------------
The ISAKMP datagrams that triggered this alert cannot crash tcpdump.

~$ tcpdump -foobar 2>&1|grep tcpdump\ version
tcpdump version 3.6
                ^^^
~$ tcpdump -nvvvXs0 -r snort.pcap.log.1116667322 port 500
03:23:18.429627 x.x.x.x.500 > x.x.x.x.500 :  [udp sum ok]isakmp 1.0 
msgid 00000000 cookie fe64115c98880034->b2dc42d8a23e2f3f: phase 1 ? 
ident[E]: [|id] [tos 0x38]  (ttl 57, id 17435, len 96)
0x0000   4538 0060 441b 0000 3911 c942                  E8.`D...9.......
0x0010             01f4 01f4 004c 29af fe64 115c        .........L)..d.\
0x0020   9888 0034 b2dc 42d8 a23e 2f3f 0510 0201        ...4..B..>/?....
0x0030   0000 0000 0000 0044 15f4 0006 8fea 4a10        .......D......J.
0x0040   40e5 b26d 133d 1680 5990 43a9 ece2 beeb        @..m.=..Y.C.....
0x0050   3e6a 7076 e3e6 f334 efa3 5cb7 477b 76e1        >jpv...4..\.G{v.

The DoS isn't effective because Identification Payload is encrypted,
so the vulnerable protocol decoding routine does not run. This issue
is not pointed out in known vulnerability advisories. Unfortunately,
the rule (rev: 5) does not check for the "encrypted" flag.

0x0020   9888 0034 b2dc 42d8 a23e 2f3f 0510 0201        ...4..B..>/?....
                                              ^^
Additionally, the "Protocol ID" byte must be >8 to crash tcpdump but
this value isn't checked.

False negative
--------------
The current values for the payload length byte_test checks are wrong.
Tested on tcpdump 3.6.

Conclusions
-----------
The actual rule can alert on ISAKMP datagrams forged by public "poc"
code but not on real world DoS attacks.

Some rare false positives can be avoided with stricter ISAKMP header
checks.

Local fix (with comments)
-------------------------
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (
    msg:"DOS ISAKMP invalid identification payload attempt"; 
    content:"|05|"; depth:1; offset:16;
    byte_test:1,!&,1,19;  <===== encrypted flag
    byte_test:1,>,8,32;   <===== protocol ID
    byte_test:2,>,0,30;  |
    byte_test:2,<,10,30; |<===== new payload length check
    byte_test:2,!=,8,30; |
    reference:bugtraq,10004; reference:cve,2004-0184; 
    classtype:attempted-dos; 
    sid:xxxxxxx; rev:x;
)


Fabio


-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Snort-sigs] sid: 2486 - false positive and false negatives, Fabio Panigatti <=
Previous by Date:  Re: [Snort-sigs] sid 580 and sid 1267 = cve-1999-0008 ? (snort233b14), Matthew Watchinski
Next by Date:  Re: [Snort-sigs] sid 580 and sid 1267 = cve-1999-0008 ? (snort233b14), Matthew Watchinski
Previous by Thread:  [Snort-sigs] multiple change on sid (snort233b14), rmkml
Next by Thread:  [Snort-sigs] false negative for SID 2386, Lutz Schildt
Indexes:  [Date] [Thread] [Top] [All Lists]