Network Security: Detailed info on [Snort-sigs] False Positive on "MYSQL client authentication bypass attem

Subject:	[Snort-sigs] False Positive on "MYSQL client authentication bypass attempt" (1:3668)
Date:	Mon, 26 Feb 2007 14:42:58 -0500 (EST)

Here is a false positive that I've been doing some research on.  We 
received a few of these that I was able to correlate to legitimate 
usage.

Rule: MYSQL client authentication bypass attempt
--
Sid: 1:3668
--
False Positives:
Each authentication encrypts the password using a unique salt given in 
the first connection packet. The resulting password is 20 bytes uniquely 
encrypted in the authentication packet.

Periodically, this encrypted password appears to begin with 00 (NUL). I 
believe that this is truly based on the random behavior of the salt. 
When this happens, rule 3668 finds the pattern | 00 14 00 |.

Example that doesn't match the rule:

00 15 2b 12 91 40 00 11  43 db 87 b9 08 00 45 08  ..+..@..  C.....E.
00 76 a3 97 40 00 40 06  b3 58 01 02 03 04 05 06  .v..@.@.  .X123456
07 08 91 b5 0c ea e3 77  fd 02 7e 81 71 40 80 18  78.....w  ..~.q@..
05 b4 42 a5 00 00 01 01  08 0a bc 69 5e 92 56 95  ..B.....  ...i^.V.
b8 ef 3e 00 00 01 85 a2  00 00 00 00 00 40 08 00  ..>.....  .....@..
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........  ........
00 00 00 00 00 00 73 6f  6d 65 75 73 65 72 00 14  ......so  meuser..
95 6d a3 f7 43 32 45 c4  3c 68 71 07 a1 f7 68 ce  .m..S...  <hq...h.
26 20 ac f4                                       & ..

Example that does match the rule:

00 15 2b 12 91 40 00 11  43 db 87 b9 08 00 45 08  ..+..@..  C.....E.
00 76 54 ba 40 00 40 06  02 36 c0 6c 6a e4 ac 10  .vT.@.@.  .6.lj...
0c 29 b9 71 0c ea 52 8b  fa 31 ec b1 85 40 80 18  .).q..R.  .1...@..
05 b4 9b 74 00 00 01 01  08 0a b0 26 ae 86 4a 52  ...t....  ...&..JR
a8 46 3e 00 00 01 85 a2  00 00 00 00 00 40 08 00  .F>.....  .....@..
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........  ........
00 00 00 00 00 00 73 6f  6d 65 75 73 65 72 00 14  ......so  meuser..
00 9a cc 39 ed ee ae b9  ea ee dd 2b 9b a0 23 d4  ...9....  ......#.
40 3d f1 86                                      @=..

Both of these have been correlated with normal and expected database 
queries.

--
Additional References:
http://www.redferni.uklinux.net/mysql/MySQL-Protocol.html

Thanks,
Brian

-- 
Brian Epstein <snort@epiary.org>
Key fingerprint = F9C8 A715 933E 6A64 C220  482B 02CF B6C8 DB7F 41B4

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-sigs] False Positive on "MYSQL client authentication bypass attempt" (1:3668), Brian Epstein <= Re: [Snort-sigs] False Positive on "MYSQL client authentication bypass attempt" (1:3668), rmkml

Previous by Date:	[Snort-sigs] Bleeding Edge Threats Daily Signature Changes, bleeding
Next by Date:	Re: [Snort-sigs] False Positive on "MYSQL client authentication bypass attempt" (1:3668), rmkml
Previous by Thread:	[Snort-sigs] False positive in GEN:SID 1:3634, Brian Epstein
Next by Thread:	Re: [Snort-sigs] False Positive on "MYSQL client authentication bypass attempt" (1:3668), rmkml
Indexes:	[Date] [Thread] [Top] [All Lists]