Snort mailing list archives
Sig for openssl exploit
From: Shane Williams <shanew () shanew net>
Date: Mon, 16 Sep 2002 13:03:55 -0500 (CDT)
I've taken Brian Coyle's initial sig (which was really meant to detect probing) and altered it to instead detect the actual attack. The sid is decremented to note the difference.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS https (msg:"OpenSSL worm attack"; flags:A+; content:"export TERM=xterm\; exec bash -i"; nocase; sid:9999998; classtype:web-application-attack; rev:1; reference:url,www.cert.org/advisories/CA-2002-27.html;)

I've tested this rule over two weeks of traffic and got one confirmed positive, but no false positives. I doubt there are any false negatives, since there are no other signs of an infected machine in that time, but it's possible.

Note that there appear to be a number of unique strings in this worm attack, so I picked one of the first that was long enough and seemed unique enough to work. There is, in particular, a section of the worm where it executes its first commands, but I decided that this would be the first section to change if a new variant appears.

In any case, here's an excerpt from a dump showing the relevant portions of the attack.

02:51:00.544318 p3EE22483.dip.t-dialin.net.4053 > legacy.gslis.utexas.edu.https: P 561:605(44) ack 1147 win 7630 <nop,nop,timestamp 56619696 256333814> (DF)
0x0000 4500 0060 56ac 4000 3106 1692 3ee2 2483  E..`V.@.1...>.$.
0x0010 8053 f8a1 0fd5 01bb 6a10 a982 b61f 10d1  .S......j.......
0x0020 8018 1dce 8bb3 0000 0101 080a 035f f2b0  ............._..
0x0030 0f47 57f6 5445 524d 3d78 7465 726d 3b20  .GW.TERM=xterm;.
0x0040 6578 706f 7274 2054 4552 4d3d 7874 6572  export.TERM=xter
0x0050 6d3b 2065 7865 6320 6261 7368 202d 690a  m;.exec.bash.-i.

02:51:00.584318 legacy.gslis.utexas.edu.https > p3EE22483.dip.t-dialin.net.4053: . ack 605 win 6432 <nop,nop,timestamp 256333835 56619696> (DF)
0x0000 4500 0034 5bdf 4000 4006 028b 8053 f8a1  E..4[.@.@....S..
0x0010 3ee2 2483 01bb 0fd5 b61f 10d1 6a10 a9ae  >.$.........j...
0x0020 8010 1920 37a1 0000 0101 080a 0f47 580b  ....7........GX.
0x0030 035f f2b0                                ._..
02:51:00.614318 legacy.gslis.utexas.edu.https > p3EE22483.dip.t-dialin.net.4053: P 1147:1182(35) ack 605 win 6432 <nop,nop,timestamp 256333837 56619696> (DF)
0x0000 4500 0057 5be0 4000 4006 0267 8053 f8a1  E..W[.@.@..g.S..
0x0010 3ee2 2483 01bb 0fd5 b61f 10d1 6a10 a9ae  >.$.........j...
0x0020 8018 1920 49f3 0000 0101 080a 0f47 580d  ....I........GX.
0x0030 035f f2b0 6261 7368 3a20 6e6f 206a 6f62  ._..bash:.no.job
0x0040 2063 6f6e 7472 6f6c 2069 6e20 7468 6973  .control.in.this
0x0050 2073 6865 6c6c 0a                        .shell.

02:51:00.794318 p3EE22483.dip.t-dialin.net.4053 > legacy.gslis.utexas.edu.https: P 605:1457(852) ack 1147 win 7630 <nop,nop,timestamp 56619716 256333835> (DF)
0x0000 4500 0388 56ad 4000 3106 1369 3ee2 2483  E...V.@.1..i>.$.
0x0010 8053 f8a1 0fd5 01bb 6a10 a9ae b61f 10d1  .S......j.......
0x0020 8018 1dce 0945 0000 0101 080a 035f f2c4  .....E......._..
0x0030 0f47 580b 726d 202d 7266 202f 746d 702f  .GX.rm.-rf./tmp/
0x0040 2e62 7567 7472 6171 2e63 3b63 6174 203e  .bugtraq.c;cat.>
0x0050 202f 746d 702f 2e75 7562 7567 7472 6171  ./tmp/.uubugtraq
0x0060 203c 3c20 5f5f 656f 665f 5f3b 0a62 6567  .<<.__eof__;.beg
0x0070 696e 2036 3535 202e 6275 6774 7261 712e  in.655..bugtraq.
0x0080 630a 4d2b 5248 4a2a 4248 4a2a 4248 4a2a  c.M+RHJ*BHJ*BHJ*
0x0090 4248 4a2a 4248 4a2a 4248 4a2a 4248 4a2a  BHJ*BHJ*BHJ*BHJ*
0x00a0 4248 4a2a 4248 4a2a 4248 4a2a 4248 4a2a  BHJ*BHJ*BHJ*BHJ*
0x00b0 4248 4a2a 4248 4a2a 4248 4a2a 4248 4a0a  BHJ*BHJ*BHJ*BHJ.
0x00c0 4d2a 4248 4a2a 4248 4a2a 4248 4a2a 4248  M*BHJ*BHJ*BHJ*BH
0x00d0 4a2a 4248 4a2a 4248 4a2a 4248 4a2a 4248  J*BHJ*BHJ*BHJ*BH
0x00e0 4a2a 4248 4a2a 4248 4a2a 4248 2d22 425c  J*BHJ*BHJ*BH-"B\
0x00f0 604a 2822 5c60 4028 225c 6040 2822 5c60  `J("\`@("\`@("\`
0x0100 400a 4d28 225c 6040 2822 5c60 4028 225c  @.M("\`@("\`@("\
0x0110 6040 2822 5c60 4028 225c 6040 2822 5c60  `@("\`@("\`@("\`
0x0120 4028 225c 6040 2822 5c60 4028 225c 6040  @("\`@("\`@("\`@
0x0130 2822 5c60 4028 225c 6040 2822 5c60 4028  ("\`@("\`@("\`@(
0x0140 225c 6040 2822 5c60 4028 225c 6040 0a4d  "\`@("\`@("\`@.M
0x0150 2822 5c60 4028 225c 6040 2822 5c60 4028  ("\`@("\`@("\`@(

-- 
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                |
=----------------------------------+-------------------------------
All syllogisms contain three lines | shanew () shanew net
Therefore this is not a syllogism  | www.gslis.utexas.edu/~shanew
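An added example, not from Shane's post and not Snort's own code: a small Python script that rebuilds the first two packets from the tcpdump -x lines above, walks the IPv4 and TCP headers to find the payload, and applies the two checks the rule makes (flags:A+, i.e. ACK bit set, and the case-insensitive content match with the "\;" escape resolved). It shows exactly which bytes of the 44-byte segment the content option is matching, and that the server's bare ACK that follows carries no payload and so does not fire. The hex dumps are copied from the post; the parsing helpers and the per-packet matcher are my own approximation of what the rule does, not Snort's engine.

```python
import re
import struct

# First client -> server packet from the post's tcpdump -x excerpt: the
# worm's "export TERM=xterm; exec bash -i" command line.
ATTACK_PACKET_DUMP = """\
0x0000 4500 0060 56ac 4000 3106 1692 3ee2 2483 E..`V.@.1...>.$.
0x0010 8053 f8a1 0fd5 01bb 6a10 a982 b61f 10d1 .S......j.......
0x0020 8018 1dce 8bb3 0000 0101 080a 035f f2b0 ............._..
0x0030 0f47 57f6 5445 524d 3d78 7465 726d 3b20 .GW.TERM=xterm;.
0x0040 6578 706f 7274 2054 4552 4d3d 7874 6572 export.TERM=xter
0x0050 6d3b 2065 7865 6320 6261 7368 202d 690a m;.exec.bash.-i.
"""

# The server's bare ACK that follows it: ACK set but no payload, so the
# rule must stay quiet on it.
ACK_PACKET_DUMP = """\
0x0000 4500 0034 5bdf 4000 4006 028b 8053 f8a1 E..4[.@.@....S..
0x0010 3ee2 2483 01bb 0fd5 b61f 10d1 6a10 a9ae >.$.........j...
0x0020 8010 1920 37a1 0000 0101 080a 0f47 580b ....7........GX.
0x0030 035f f2b0 ._..
"""

# The rule's content option with Snort's "\;" escape resolved to a plain ';'.
RULE_CONTENT = b"export TERM=xterm; exec bash -i"
TCP_ACK = 0x10  # ACK bit of the TCP flags byte; flags:A+ = "ACK set, others don't care"

HEX_WORD = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump -x style lines.

    Each line is an offset, up to eight 16-bit hex words, then an ASCII
    column. At most eight hex-looking tokens are taken per line, stopping
    at the first token that is not hex, which skips the ASCII column.
    """
    words = []
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:9]:
            if not HEX_WORD.fullmatch(tok):
                break
            words.append(tok)
    return bytes.fromhex("".join(words))


def tcp_payload(pkt: bytes) -> tuple:
    """Return (tcp_flags, payload) for an IPv4/TCP packet with no link-layer header."""
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]   # IPv4 total length
    pkt = pkt[:total_len]                          # drop anything past the datagram
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4                  # TCP header length, options included
    flags = tcp[13]
    return flags, tcp[data_off:]


def rule_matches(pkt: bytes) -> bool:
    """Apply the post's rule to one packet: ACK bit set and a nocase content match."""
    flags, payload = tcp_payload(pkt)
    if not flags & TCP_ACK:
        return False
    return RULE_CONTENT.lower() in payload.lower()


if __name__ == "__main__":
    for name, dump in (("attack", ATTACK_PACKET_DUMP), ("ack", ACK_PACKET_DUMP)):
        pkt = dump_to_bytes(dump)
        flags, payload = tcp_payload(pkt)
        print(f"{name}: flags=0x{flags:02x} payload={payload!r} match={rule_matches(pkt)}")
```

Like the rule as posted, this check is per packet: the 44-byte segment happens to carry the whole command line, so the content option sees it in one piece. The same reasoning Shane gives for avoiding the worm's first-commands section applies here too; a single-string match is only as durable as that string, so the rule is a fast indicator to confirm against the host, not a substitute for patching the OpenSSL issue in CA-2002-27.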