In the case of this signature, which was written apparently for the
SSHUTUPTHEO exploit from Gobbles, their is a boundary condition in
OpenSSH that when exploited will open a shell on the remote host,
execute commands, etc.
When this occurs, it is not an encrypted SSH tunnel.
In the case of this signature, the Gobbles exploit opens a shell on the
remote host and then promptly executes the command uname -a.
You see it here below:
*GOBBLE*
OpenBSD openbsd 3.1 GENERIC#59 i386
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
5(operator), 20(staff), 31(guest)
First the exploit echoes the string "*GOBBLE*" back to the attacker than
it promptly executes "uname -a ; id". This is all done in clear text.
This is how Snort will alert on the use of uname. However, you'll find
that this is a pretty generic signature, meaning their are quite a few
SSHD exploits that I can think of that immediately issue the command
uname -a, or, its pretty simple to take an SSH exploit and add uname -a
to it.
As for why it fired on your host? Can you send the packet to me or the
list? I'd like to see the payload.
HTH
Best Regards,
Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------
Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------
Email: eric.hines@appliedwatch.com
Address: 1095 Pingree Road
Suite 213
Crystal Lake, IL
60014
Tel: (877) 262-7593 ext:327
Local: (847) 854-5831
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
--------------------------------------------------
Security Management for the Open Source Enterprise
hchlai@netscape.net wrote:
Hi Snorters,
I have 2 questions regarding sid:1811
/etc/snort/rules/attack-responses.rules:alert tcp $HOME_NET 22 ->
$EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit
uname"; flow:from_server,established; content:"uname";
reference:bugtraq,5093; reference:cve,2002-0390;
reference:cve,2002-0639; reference:nessus,11031; classtype:misc-attack;
sid:1811; rev:9;
First of all, since ssh sessions are encrypted, I should never see a
packet content of "uname" in non-encrypted format. Am I missing
something fundamental in here or it's just a Monday morning?
Secondly, this signature is recorded in 2 packets by BASE, but neither
packets nor their combine contents contain "uname" in it, so what
exactly triggered this signature? Many thanks!
I am running BASE 1.2.5 and Snort 2.4.5
HinSuk
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
eric.hines.vcf
Description: Vcard
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
