Snort mailing list archives
Re: Snort-sigs Digest, Vol 100, Issue 8
From: Tarzan538 NONO <sfalaptops () hotmail com>
Date: Wed, 24 Sep 2014 13:17:40 -0400
Hi Simon, Here is my classification file; # $Id: classification.config,v 1.5 2013/05/28 16:19:02 jesler Exp $# The following includes information for prioritizing rules# # Each classification includes a shortname, a description, and a default# priority for that classification.## This allows alerts to be classified and prioritized. You can specify# what priority each classification has. Any rule can override the default# priority for that rule.## Here are a few example rules:# # alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow"; # dsize: > 128; classtype:attempted-admin; priority:10;## alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \# content:"expn root"; nocase; classtype:attempted-recon;)## The first rule will set its type to "attempted-admin" and override # the default priority for that type to 10.## The second rule set its type to "attempted-recon" and set its# priority to the default for that type.# ## config classification:shortname,short description,priority# config classification: not-suspicious,Not Suspicious Traffic,3config classification: unknown,Unknown Traffic,3config classification: bad-unknown,Potentially Bad Traffic, 2config classification: attempted-recon,Attempted Information Leak,2config classification: successful-recon-limited,Information Leak,2config classification: successful-recon-largescale,Large Scale Information Leak,2config classification: attempted-dos,Attempted Denial of Service,2config classification: successful-dos,Denial of Service,2config classification: attempted-user,Attempted User Privilege Gain,1config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1config classification: successful-user,Successful User Privilege Gain,1config classification: attempted-admin,Attempted Administrator Privilege Gain,1config classification: successful-admin,Successful Administrator Privilege Gain,1 # NEW CLASSIFICATIONSconfig classification: rpc-portmap-decode,Decode of an RPC Query,2config classification: shellcode-detect,Executable Code was Detected,1config classification: string-detect,A Suspicious String was Detected,3config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2config classification: system-call-detect,A System Call was Detected,2config classification: tcp-connection,A TCP Connection was Detected,4config classification: trojan-activity,A Network Trojan was Detected, 1config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2config classification: network-scan,Detection of a Network Scan,3config classification: denial-of-service,Detection of a Denial of Service Attack,2config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2config classification: protocol-command-decode,Generic Protocol Command Decode,3config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2config classification: web-application-attack,Web Application Attack,1config classification: misc-activity,Misc activity,3config classification: misc-attack,Misc Attack,2config classification: icmp-event,Generic ICMP event,3config classification: inappropriate-content,Inappropriate Content was Detected,1config classification: policy-violation,Potential Corporate Privacy Violation,1config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2config classification: sdf,Sensitive Data was Transmitted Across the Network,2config classification: file-format,Known malicious file or file based exploit,1config classification: malware-cnc,Known malware command and control traffic,1config classification: client-side-exploit,Known client side exploit attempt,1 Here is my snort.config (Step #6). #################################################### Step #6: Configure output plugins# For more information, see Snort Manual, Configuring Snort - Output Modules################################################### # unified2 # Recommended for most installs# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types # Additional configuration for specific types of installs# output alert_unified2: filename snort.alert, limit 128, nostamp# output log_unified2: filename snort.log, limit 128, nostamp # syslog# output alert_syslog: LOG_AUTH LOG_ALERT # pcap# output log_tcpdump: tcpdump.log # metadata reference data. do not modify these linesinclude C:\Snort\etc\classification.configinclude C:\Snort\etc\reference.config Thank you, Felix
Message: 2 Date: Wed, 24 Sep 2014 09:51:14 +0100 From: "Simon Wesseldine" <simon.wesseldine () idappcom com> Subject: Re: [Snort-sigs] Snort Rules Issues To: <snort-sigs () lists sourceforge net> Message-ID: <000601cfd7d4$b37d5dd0$1a781970$@wesseldine () idappcom com> Content-Type: text/plain; charset="us-ascii" Hi Felix, You should have the following line, in step 6 of your snort.conf file: include classification.config There should be a line in your classification.config file that looks like this: config classification: web-application-attack,Web Application Attack,1 You may have an outdated classifiction.config file that does not include all the new classifications. # NEW CLASSIFICATIONS config classification: rpc-portmap-decode,Decode of an RPC Query,2 config classification: shellcode-detect,Executable Code was Detected,1 config classification: string-detect,A Suspicious String was Detected,3 config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2 config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2 config classification: system-call-detect,A System Call was Detected,2 config classification: tcp-connection,A TCP Connection was Detected,4 config classification: trojan-activity,A Network Trojan was Detected, 1 config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2 config classification: network-scan,Detection of a Network Scan,3 config classification: denial-of-service,Detection of a Denial of Service Attack,2 config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2 config classification: protocol-command-decode,Generic Protocol Command Decode,3 config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2 config classification: web-application-attack,Web Application Attack,1 config classification: misc-activity,Misc activity,3 config classification: misc-attack,Misc Attack,2 config classification: icmp-event,Generic ICMP event,3 config classification: inappropriate-content,Inappropriate Content was Detected,1 config classification: policy-violation,Potential Corporate Privacy Violation,1 config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2 config classification: sdf,Sensitive Data was Transmitted Across the Network,2 config classification: file-format,Known malicious file or file based exploit,1 config classification: malware-cnc,Known malware command and control traffic,1 config classification: client-side-exploit,Known client side exploit attempt,1 I hope that helps. Best regards, Simon. -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ Message: 3 Date: Wed, 24 Sep 2014 08:37:34 -0400 From: Joe Gedeon <joe.gedeon () gmail com> Subject: [Snort-sigs] SID 31968 EXPLOIT-KIT Astrum exploit kit Adobe Flash exploit payload request To: snort-sigs () lists sourceforge net Message-ID: <CAM1A6KxG4WYMjxc-MpWX4iR-agi_uqhkqrv1QZ=iEvatybQxgA () mail gmail com> Content-Type: text/plain; charset="utf-8" With this new signature we are getting quite a few false positives for this signature. Looking at the documentation linked in the signature it seems the section about not having a referrer was common in these. Is there documentation that shows a recent version of the Astrum exploit kit is now accepting requests with referrers in the header? "with Astrum : show a referer and you'll get ignored and IP banned. Firefox, Chrome and Opera are also ignored" It seems this rule is completely missing the exploit attempt and is creating a high number of false positives. A sample ascii packet that the rule is triggering on: 07:27:43.175856 IP (tos 0x0, ttl 127, id 19122, offset 0, flags [DF], proto TCP (6), length 1052) 192.168.1.28.58269 > 162.208.20.163.80: Flags [P.], cksum 0x617e (correct), seq 4175168287:4175169299, ack 3935329242, win 65280, length 1012 E...J.@................P......[.P...a~..GET /v1/epix/6835069/3845993/81088/122369/PbqfCmHAMhCcRUIqqIAAE8wAAB3gEAOq9pAAAAAAAxr2GnBMbwAQ/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_JmMxPTgmYzI9NjAwMDAwNiZjMz04MTA4OCZjND0zODQ1OTkzJmM1PTE4OTI3JmM2PTY4MzUwNjkmYzEwPTEyMjM2OSZjdj0xLjcmY2o9MSZybj0xNDExNTU4MDI0JnI9aHR0cCUzQSUyRiUyRnBpeGVsLnF1YW50c2VydmUuY29tJTJGcGl4ZWwlMkZwLWNiNkMwekZGN2RXakkuZ2lmJTNGbGFiZWxzJTNEcC42ODM1MDY5LjM4NDU5OTMuMCUyQ2EuMTg5MjcuODEwODguMTIyMzY5JTJDdS45NjguNjQweDM2MCUzQm1lZGlhJTNEYWQlM0JyJTNEMTQxMTU1ODAyNA/cnbd. HTTP/1.1 Accept: */* Accept-Language: en-US Referer: http://aka.spotxcdn.com/[[IMPORT]]/shim.btrll.com/shim/20140918.77768_master/Scout.swf?type=r&config_url_64=&hidefb=true&cx=&t=33&d=300x250& x-flash-version: 11,8,800,175 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0;) Host: brxserv-20.btrll.com Connection: Keep-Alive Cookie: BR_APS=3VCKma0IBTLsBp5UnPw; DRN1=AGQclFQlufQ; MEB=BUqRdAABPPEAOtI8AAHejA -- Registered Linux User # 379282 -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ ------------------------------------------------------------------------------ Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk ------------------------------ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! End of Snort-sigs Digest, Vol 100, Issue 8 ******************************************
------------------------------------------------------------------------------ Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Re: Snort-sigs Digest, Vol 100, Issue 8 Tarzan538 NONO (Sep 24)