
[Snort-sigs] FPs on sid 159

Subject: [Snort-sigs] FPs on sid 159
Date: Thu, 02 Mar 2006 15:14:36 -0600
This rule has been bugging me for a while. As you can see, all it looks for is two hyphens side by side. Unfortunately, the Arachnids site appears to be down, so I have no way of knowing how they decided to look for those two characters, but, as you can see from the payload below, it's trivial to trip this alert with encrypted or binary packets.

Here's the rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (msg:"BACKDOOR NetMetro File List"; flow:to_server,established; content:"--"; reference:arachnids,79; classtype:misc-activity; sid:159; rev:6;)

Here's the explanation on snort.org:
<http://www.snort.org/pub-bin/sigs.cgi?sid=159>

Which includes this:

The server portion opens TCP port 5031 by default to establish a connection between client and server.

The site that hosts information about the trojan says the same thing:

<http://www.dark-e.com/archive/trojans/NetMetro/104/index.shtml>

Default port: 5031 TCP
Can port be changed: No

So why is the rule looking for dst port 5032? Why isn't it looking for src port 5031? Or dst port 5031?

This site concludes that it's a false positive.

<http://security.raffy.ch/projects/Raffael_Marty_GCIA/node14.html>

The traffic triggering this alert has source ports of 20 and 80, and a destination port of 5032. These are therefore valid FTP data and HTTP connections. Matching the contents-part of the signature ("--") easily happens in this type of data. Severity: 0 (false positive)

The src host has port 20 open, so naturally I tried to ftp to it, and voila!

} ftp 211.190.235.155
Connected to 211.190.235.155.
220 \uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff \uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff \uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff
Name (211.190.235.155:pauls): anonymous
331 User name okay, please send complete E-mail address as password.
Password:
530 Anonymous \uffff\uffff\uffff\uffff\uffff\uffff \uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff \uffff\uffff\uffff\uffff\uffff\uffff\uffff\uffff
Login failed.
Remote system type is UNIX.
Using ascii mode to transfer files.


Here's the payload.  I've got six more just like it:

length = 1380

000 : 1F 38 82 D0 65 A8 BA 6E 8A 6D F7 0B CC 3E CD 6A   .8..e..n.m...>.j
010 : D1 E6 0F 6F F5 A7 4E 8B 38 67 EB 97 61 C2 9B EB   ...o..N.8g..a...
020 : 73 0E F2 F7 42 59 A5 99 CA 5F 35 32 B7 58 C5 A5   s...BY..._52.X..
030 : 99 A5 8A 2C 5B 33 5E 27 BF 56 74 CD 12 B3 7C 83   ...,[3^'.Vt...|.
040 : B1 E3 8D BF A5 4E 10 EC 1C A2 DE 8C 0E BD FE 79   .....N.........y
050 : 63 15 3D 63 F5 0E A8 FD 59 57 0F AC 89 A6 F0 FA   c.=c....YW......
060 : 87 51 03 99 67 05 D4 6C 9A 3E E3 78 3E 3A 68 72   .Q..g..l.>.x>:hr
070 : EA 1A 44 3B 00 8A 91 59 CB 9F 15 E4 A5 A6 63 10   ..D;...Y......c.
080 : 41 5F A0 25 A6 46 01 36 25 23 C4 F4 6B E9 5D C1   A_.%.F.6%#..k.].
090 : 84 BC 68 8D AD 4E C1 6B 8E B8 34 AE F0 41 99 13   ..h..N.k..4..A..
0a0 : 6A B7 0F B8 AE 3E 3B A9 C7 22 E1 21 A1 3D A7 4F   j....>;..".!.=.O
0b0 : 5C 17 06 72 41 95 0C B7 53 AF 05 FA 7F C4 8A AF   \..rA...S......
0c0 : 7D 6F 3A 5F 4B 09 DA F0 53 58 A9 C4 F7 0A E2 9B   }o:_K...SX......
0d0 : 14 9C BD 5B 47 02 3C 04 01 07 50 24 80 46 1D 10   ...[G.<...P$.F..
0e0 : 21 B4 BE C4 7E A5 15 58 F8 FC 92 E2 65 FB 3C C9   !...~..X....e.<.
0f0 : 7A 62 A1 C7 9F FC 45 37 19 68 5C A1 FF 23 FE 23   zb....E7.h\..#.#
100 : 3B EE 1D 69 3C B6 45 9B 1A BF CF 4C DC 71 55 29   ;..i<.E....L.qU)
110 : 29 9D 9D 3A BC 72 15 0B DD 01 E0 5B 59 A3 72 63   )..:.r.....[Y.rc
120 : DE E8 93 BA 1D 27 AD 5B 58 FD 68 80 FB D2 AE 29   .....'.[X.h....)
130 : 69 75 52 2F AF 2D DA 33 FD 59 4F 56 2A 92 F3 9B   iuR/.-.3.YOV*...
140 : E9 6A 23 F4 02 F8 A8 07 FB EC 5C E7 3B EC 6E 3B   .j#.......\.;.n;
150 : 1C A7 E7 AD 4F 84 3A 7E 8C 45 EB 60 1D EB E4 8D   ....O.:~.E.`....
160 : A3 BD BA 6D 57 AB C7 13 9E 7A 45 D6 FB 5A 2E 0C   ...mW....zE..Z..
170 : 5C 2B F8 D1 28 FA 5C E8 1D 5F C7 C5 F7 AA 87 94   \+..(.\.._......
180 : 77 32 A6 35 38 B5 B4 64 E4 5B 65 3C 16 19 65 AD   w2.58..d.[e<..e.
190 : FE 62 3F 1E CD CC C7 93 E8 4A C9 B0 A7 48 5F E0   .b?......J...H_.
1a0 : CA 43 9C 75 59 5E 8C A2 EF 46 AF BC 8C E4 85 09   .C.uY^...F......
1b0 : 61 FB 4C 76 38 F1 5A 93 33 DC AF E0 AB 7D 53 81   a.Lv8.Z.3....}S.
1c0 : D0 D4 62 51 C5 D9 7E 15 DD 2A B0 FC 3D 91 E1 33   ..bQ..~..*..=..3
1d0 : 09 CD C2 F4 99 FC 82 8A 88 AE 26 63 30 42 A3 4F   ..........&c0B.O
1e0 : B4 D0 B4 65 82 20 33 54 93 88 76 53 49 2C DF 69   ...e. 3T..vSI,.i
1f0 : D6 18 70 C2 C0 4C F0 C9 70 A7 A3 70 8D 86 EE AB   ..p..L..p..p....
200 : F7 59 D3 AA 99 B1 D4 59 C3 06 A6 D3 8A D5 F8 32   .Y.....Y.......2
210 : 00 1B 6A 3C AF 21 74 B3 5B EC 40 EA 52 7C 30 91   ..j<.!t.[.@.R|0.
220 : 31 66 52 4C 63 21 CC C7 18 8F CD BF 84 20 24 3E   1fRLc!....... $>
230 : DA AD 90 9A 35 E7 AD 45 2B 37 26 AB 14 6B 1F 90   ....5..E+7&..k..
240 : 83 CE 48 CD DA 2B 11 A5 99 0C 8C AB C0 1C AC 99   ..H..+..........
250 : 58 99 E2 31 24 C8 B6 D2 FB C9 4A A5 9A B5 C1 D0   X..1$.....J.....
260 : 94 19 D6 00 E8 52 81 E9 56 B4 45 B0 FC 43 B2 01   .....R..V.E..C..
270 : 9E D1 9A 81 EE D1 EE 6B 1C 27 C9 9A FD E5 41 63   .......k.'....Ac
280 : 7D C5 62 AB 5B EE 09 46 48 FF 0B 24 B0 CC D0 B8   }.b.[..FH..$....
290 : FC C9 12 3F C2 F0 37 0B A0 F4 45 3A BB C5 70 DB   ...?..7...E:..p.
2a0 : 6D 9A AB F0 35 DF 46 3A 23 6A CB 76 28 D2 5A 2A   m...5.F:#j.v(.Z*
2b0 : 56 24 4F F4 D9 F4 25 26 92 7D C3 B4 21 2D 2D DC   V$O...%&.}..!--.
2c0 : ED 05 C7 F5 65 75 40 CA D9 FA 70 89 7C 46 D1 2C   ....eu@...p.|F.,
2d0 : 62 93 7D A0 E3 B1 C9 06 18 BD 3C 3E 7C BD 44 41   b.}.......<>|.DA
2e0 : F2 6C 11 E1 17 A5 6C 31 13 51 D6 38 7F 03 A4 1E   .l....l1.Q.8...
2f0 : 28 27 27 F1 0C A7 E5 62 B3 BB EC FA E8 05 B8 0B   (''....b........
300 : 9D C6 5A 9C 99 B2 A0 8C 71 E9 D7 DE 1D 7D 5A B4   ..Z.....q....}Z.
310 : F0 4C FD DA 5D 76 23 85 76 F0 83 FF 06 EC FE D4   .L..]v#.v.......
320 : 94 A3 20 37 E3 06 91 5E 16 C2 E1 45 B5 19 0C 76   .. 7...^...E...v
330 : B1 C8 E2 17 37 F3 3D F2 D9 30 7C 22 05 C2 D1 B1   ....7.=..0|"....
340 : 35 74 52 9D 4D 6E 34 C9 9D 7C A2 B4 9A 19 EF 7F   5tR.Mn4..|.....
350 : B5 7E 33 E3 92 5F EB 7D 5E 7D AD 3F AF DD A1 E3   .~3.._.}^}.?....
360 : C0 B8 51 0A 39 BC 71 AB 94 43 4B 02 61 89 0D DB   ..Q.9.q..CK.a...
370 : 5C 15 EC F7 92 F7 AA F4 90 6D FB C4 D6 EC 38 48   \........m....8H
380 : AC A5 35 E6 C8 21 64 73 62 5D D5 E3 D4 CC 98 FF   ..5..!dsb]......
390 : 3D 55 28 20 1F A2 0F 67 93 F2 19 CF CA 8B CF F4   =U( ...g........
3a0 : 18 02 C0 52 AC E7 23 A8 C0 0B 1A 70 8B 50 37 EB   ...R..#....p.P7.
3b0 : 89 7C E6 CA 40 02 DD F5 14 1F 1C AB ED FE FE 54   .|..@..........T
3c0 : 52 7E AB F5 A6 03 2D 10 7B FE 46 8F B3 1E D3 C4   R~....-.{.F.....
3d0 : 76 E7 5D D4 EB B5 F1 DC 79 86 8F EF B2 AC 28 23   v.].....y.....(#
3e0 : 81 F8 47 8F EA A9 90 00 79 11 C3 56 52 A1 E1 76   ..G.....y..VR..v
3f0 : 93 A5 30 89 4D 35 D6 AF C9 8D 5F 34 EA 4F 17 93   ..0.M5...._4.O..
400 : 86 8C BD C6 5F CE 31 70 94 EE 94 F1 E3 BA C4 5F   ...._.1p......._
410 : 45 18 4F 4A CA BA 45 0A 36 DB 61 AA 60 F4 54 1B   E.OJ..E.6.a.`.T.
420 : 6B C0 6B 58 7B 3E E2 44 CA E2 A8 88 52 C6 01 D3   k.kX{>.D....R...
430 : 77 FC AA C5 06 92 4D 75 B9 38 61 FC 23 22 C9 F4   w.....Mu.8a.#"..
440 : DA 6D E9 BF 1F DC 5E 87 8D E0 1D 1F 86 E7 1E 2D   .m....^........-
450 : 47 E2 78 7C D7 1B DE 94 DC 56 BE F4 EE 66 BD 40   G.x|.....V...f.@
460 : 9F 61 76 AD 3A 72 0E 93 0A 48 D9 69 27 62 48 44   .av.:r...H.i'bHD
470 : CD DC 50 AF FE 59 59 EA C4 E7 D4 D0 3F 56 23 07   ..P..YY.....?V#.
480 : 99 02 98 92 4E 9A BD A2 FB 89 1C 7F 8E E4 33 09   ....N........3.
490 : AF A6 18 52 61 13 3E F4 C3 C1 45 59 CA 37 4C 26   ...Ra.>...EY.7L&
4a0 : 81 8B C4 5E 56 67 65 F7 E8 A9 47 07 E9 9A DE 35   ...^Vge...G....5
4b0 : 9F 2B DF 34 71 28 13 F3 B8 68 3B 61 88 10 1D D4   .+.4q(...h;a....
4c0 : 74 60 51 65 28 88 8E 44 9A 9A D7 8D AF 45 B2 A4   t`Qe(..D.....E..
4d0 : 9F 36 18 9F 68 0D 8C E2 78 9E 8F 38 FA 74 B6 D4   .6..h...x..8.t..
4e0 : 06 21 2E 01 D6 57 27 EB 2E 61 91 62 12 D5 D2 27   .!...W'..a.b...'
4f0 : 1B D1 6E F7 52 1E 0F 8C 7B 76 FE 0C 2C 9C DF 67   ..n.R...{v..,..g
500 : B8 15 18 48 CC E4 3D C8 69 1A EE EC BE 8C 73 ED   ...H..=.i.....s.
510 : 97 07 D6 BC 6D 8A 7D DC 90 17 59 65 F3 73 FC 89   ....m.}...Ye.s..
520 : 08 81 32 93 25 0E 5C 8C CE EC EC BB BC 58 3B BA   ..2.%.\......X;.
530 : B1 2A 8E E1 47 55 AE 3F 07 D6 64 DE 92 61 1F E2   .*..GU.?..d..a..
540 : 29 A9 47 C0 ED 72 E7 C5 06 43 EC 43 2E F4 8D F4   ).G..r...C.C....
550 : 24 88 4B 10 E5 E6 EF D5 58 C9 0E 71 9A D0 EB 97   $.K.....X..q....
560 : 01 04 75 DE                                       ..u.

Surely we can either can this rule or improve it so that it's more accurate?

At a minimum it should be:
alert tcp $EXTERNAL_NET any -> $HOME_NET 5031 (msg:"BACKDOOR NetMetro File List"; flow:to_server,established; content:"--"; reference:arachnids,79; classtype:misc-activity; sid:159; rev:6;)


If not:
alert tcp $EXTERNAL_NET 5031 -> $HOME_NET any (msg:"BACKDOOR NetMetro File List"; flow:to_server,established; content:"--"; reference:arachnids,79; classtype:misc-activity; sid:159; rev:6;)


Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
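The following is an added illustration, not code from the post above or from the Snort project: a toy model of how the sid 159 header and its content:"--" option match, run over a few constructed packets, plus an estimate of how often a two-byte content match fires on random binary data. The rule text is taken from the post; the packets, their labels and port numbers are constructed (the 16-byte payload is the slice at offset 0x2b0 of the captured packet, which carries the 2D 2D that tripped the alert). The matcher ignores $EXTERNAL_NET/$HOME_NET and the flow option, assuming they already hold as they did for the FTP and HTTP sessions in the post, and it does not understand Snort's |hex| content syntax.

```python
"""Added illustration (not from the Snort-sigs post): a toy model of how the
sid 159 header and its content:"--" option match, applied to constructed packets,
plus an estimate of how often a two-byte content match fires on random binary data."""
import re
from dataclasses import dataclass

# The rule exactly as quoted in the post, and the two header variants it proposes.
SID159_ORIGINAL = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (msg:"BACKDOOR NetMetro File List"; '
    'flow:to_server,established; content:"--"; reference:arachnids,79; '
    'classtype:misc-activity; sid:159; rev:6;)'
)
SID159_DST_5031 = SID159_ORIGINAL.replace("$HOME_NET 5032", "$HOME_NET 5031")
SID159_SRC_5031 = SID159_ORIGINAL.replace(
    "$EXTERNAL_NET any -> $HOME_NET 5032", "$EXTERNAL_NET 5031 -> $HOME_NET any"
)


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    src_port: str   # "any" or a port number, as written in the rule header
    dst_port: str
    content: bytes  # the content:"..." pattern


# Toy header parser covering only what this discussion needs (ports and content).
# Assumption: the content is a plain text string, not Snort's |hex| escape syntax.
_HEADER = re.compile(r"^alert\s+tcp\s+\S+\s+(\S+)\s+->\s+\S+\s+(\S+)\s+\((.*)\)$")


def parse_rule(text: str) -> Rule:
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    src_port, dst_port, options = m.groups()
    content = re.search(r'content:"([^"]*)"', options)
    if not content:
        raise ValueError("rule has no content option")
    return Rule(src_port, dst_port, content.group(1).encode())


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Assumes $EXTERNAL_NET/$HOME_NET and flow:to_server,established already hold,
    as they did for the FTP/HTTP traffic in the post; only ports and content are checked."""
    return (_port_ok(rule.src_port, pkt.src_port)
            and _port_ok(rule.dst_port, pkt.dst_port)
            and rule.content in pkt.payload)


# Constructed sample traffic. The first payload is the 16 bytes at offset 0x2b0 of the
# captured packet quoted in the post, which contain the "--" (0x2D 0x2D) that matched.
SAMPLE_PACKETS = {
    "ftp-data 20 -> 5032 (binary)":
        Packet(20, 5032, bytes.fromhex("56 24 4F F4 D9 F4 25 26 92 7D C3 B4 21 2D 2D DC")),
    "http 80 -> 5032 (multipart boundary)":
        Packet(80, 5032, b"--boundary42\r\nContent-Type: text/plain\r\n"),
    "client -> 5031 (constructed payload containing --)":
        Packet(40123, 5031, b"--list"),
}


def alerts_for(rule_text: str) -> list:
    """Names of the sample packets that would raise an alert under the given rule."""
    rule = parse_rule(rule_text)
    return [name for name, pkt in SAMPLE_PACKETS.items() if rule_matches(rule, pkt)]


def random_match_probability(pattern_len: int, payload_len: int) -> float:
    """Approximate probability that a uniformly random payload of payload_len bytes
    contains a given pattern_len-byte string somewhere (offsets treated as independent)."""
    positions = payload_len - pattern_len + 1
    return 1.0 - (1.0 - 256.0 ** -pattern_len) ** positions


if __name__ == "__main__":
    for label, text in [("original", SID159_ORIGINAL),
                        ("dst 5031", SID159_DST_5031),
                        ("src 5031", SID159_SRC_5031)]:
        print(f"{label:9}: {alerts_for(text)}")
    p = random_match_probability(2, 1380)
    print(f"P('--' in a random 1380-byte packet) = {p:.3%}; about 1 in {round(1 / p)} packets")
```

Run as a script, the original rule fires on both the FTP data and the HTTP packet to port 5032, while the dst-5031 variant fires only on the packet aimed at the trojan's documented port. The probability function shows why a bare two-byte content match is so weak: a random 1380-byte payload contains "--" about 2% of the time, so a binary FTP transfer of a few dozen full-size segments is almost certain to raise at least one alert regardless of port choice.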


