Hi Brian,
first, bugtraq id not equal, maybe change to 10654,
and on the this bid, found two eploit.
second, perl exploit use "\x00\x14\x00\x00\x00\x00..."
maybe change on this rules for reduce false positive :
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL client
authentication bypass attempt"; flow:to_server,established;
flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3;
byte_test:1,&,0x80,4; byte_test:1,!&,0x02,4; content:"|00 14 00 00|"; offset:9;
reference:bugtraq,10654;
reference:www.nextgenss.com/advisories/mysql-authbypass.txt;
reference:cve,2004-0627; classtype:misc-attack; sid:3668; rev:2;)
Regards
Rmkml
On Mon, 26 Feb 2007, Brian Epstein wrote:
Date: Mon, 26 Feb 2007 14:42:58 -0500 (EST)
From: Brian Epstein <snort@epiary.org>
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] False Positive on
"MYSQL client authentication bypass attempt" (1:3668)
Here is a false positive that I've been doing some research on. We
received a few of these that I was able to correlate to legitimate
usage.
Rule: MYSQL client authentication bypass attempt
--
Sid: 1:3668
--
False Positives:
Each authentication encrypts the password using a unique salt given in
the first connection packet. The resulting password is 20 bytes uniquely
encrypted in the authentication packet.
Periodically, this encrypted password appears to begin with 00 (NUL). I
believe that this is truly based on the random behavior of the salt.
When this happens, rule 3668 finds the pattern | 00 14 00 |.
Example that doesn't match the rule:
00 15 2b 12 91 40 00 11 43 db 87 b9 08 00 45 08 ..+..@.. C.....E.
00 76 a3 97 40 00 40 06 b3 58 01 02 03 04 05 06 .v..@.@. .X123456
07 08 91 b5 0c ea e3 77 fd 02 7e 81 71 40 80 18 78.....w ..~.q@..
05 b4 42 a5 00 00 01 01 08 0a bc 69 5e 92 56 95 ..B..... ...i^.V.
b8 ef 3e 00 00 01 85 a2 00 00 00 00 00 40 08 00 ..>..... .....@..
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00 00 00 00 00 00 73 6f 6d 65 75 73 65 72 00 14 ......so meuser..
95 6d a3 f7 43 32 45 c4 3c 68 71 07 a1 f7 68 ce .m..S... <hq...h.
26 20 ac f4 & ..
Example that does match the rule:
00 15 2b 12 91 40 00 11 43 db 87 b9 08 00 45 08 ..+..@.. C.....E.
00 76 54 ba 40 00 40 06 02 36 c0 6c 6a e4 ac 10 .vT.@.@. .6.lj...
0c 29 b9 71 0c ea 52 8b fa 31 ec b1 85 40 80 18 .).q..R. .1...@..
05 b4 9b 74 00 00 01 01 08 0a b0 26 ae 86 4a 52 ...t.... ...&..JR
a8 46 3e 00 00 01 85 a2 00 00 00 00 00 40 08 00 .F>..... .....@..
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00 00 00 00 00 00 73 6f 6d 65 75 73 65 72 00 14 ......so meuser..
00 9a cc 39 ed ee ae b9 ea ee dd 2b 9b a0 23 d4 ...9.... ......#.
40 3d f1 86 @=..
Both of these have been correlated with normal and expected database
queries.
--
Additional References:
http://www.redferni.uklinux.net/mysql/MySQL-Protocol.html
Thanks,
Brian
--
Brian Epstein <snort@epiary.org>
Key fingerprint = F9C8 A715 933E 6A64 C220 482B 02CF B6C8 DB7F 41B4
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
