[Oisf-devel] FPs with IPv4 more Fragment flag on suricata v121

rmkml rmkml at yahoo.fr
Tue Jan 24 21:10:46 UTC 2012


Hi Peter,
You are right, I had missed these rules (partial/special Emerging Threats rules with my pcap example):

alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"GPL EXPLOIT ntpdx overflow attempt"; dsize:>128; classtype:attempted-admin; reference:bugtraq,2540; reference:cve,2001-0414; sid:2100312; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP SNMP trap Format String detected"; content:"%s"; classtype:attempted-recon; reference:bugtraq,16267; reference:cve,2006-0250; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22493; sid:100000227; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 27777 (msg:"GPL GAMES Amp II 3D Game Server Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12192; sid:100000104; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"GPL EXPLOIT EXPLOIT SIP UDP spoof attempt"; content:"|3B|branch|3D 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0A|"; nocase; classtype:attempted-dos; reference:bugtraq,14174; reference:cve,2005-2182; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17838; sid:100000180; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 7649 (msg:"GPL GAMES Breed Game Server Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12262; sid:100000103; rev:2;)

Can you retest with all rules, please?
Regards
Rmkml



On Tue, 24 Jan 2012, Peter Manev wrote:

> Hi,
> Suricata 1.2.1 behaves as expected - there are no alerts fired.
> If you would like, you can share your yaml privately for further investigation.
> 
> Thanks for your help
> 
> On Tue, Jan 24, 2012 at 12:45 AM, rmkml <rmkml at yahoo.fr> wrote:
>       Hi,
>       I'm curious about this attached pcap file on suricata v1.2.1, FP signature examples:
>        alert udp any any -> any 162 (msg:"suricata snmp trap udp"; dsize:0; classtype:attempted-recon; sid:9104192; rev:1;)
>       Another FP signature with the same pcap:
>        alert udp any any -> any 5060 (msg:"suricata sip udp "; dsize:0; classtype:misc-attack; sid:9104843; rev:1; )
>       ...
>       Can anyone check/confirm, please? If yes, I'll open a new Redmine ticket.
>       No alert with Snort.
>
>       Tshark partial output:
>       ...
>       Internet Protocol Version 4, Src: 172.20.2.131 (172.20.2.131), Dst: 172.20.2.51 (172.20.2.51)
>        Version: 4
>        Header length: 20 bytes
>        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
>        Total Length: 1500
>        Identification: 0x7709 (30473)
>        Flags: 0x01 (More Fragments)
>           0... .... = Reserved bit: Not set
>           .0.. .... = Don't fragment: Not set
>           ..1. .... = More fragments: Set
>        Fragment offset: 0
>        Time to live: 128
>        Protocol: UDP (17)
>        Header checksum: 0x4129 [correct]
>        Source: 172.20.2.131 (172.20.2.131)
>        Destination: 172.20.2.51 (172.20.2.51)
>       Data (1480 bytes)
>       ...
>
>       Happy Detect.
>       Regards
>       Rmkml
>
>       http://twitter.com/rmkml
>       _______________________________________________
>       Oisf-devel mailing list
>       Oisf-devel at openinfosecfoundation.org
>       http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> 
> 
> 
> 
> --
> Peter Manev
> 
>
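As an added illustration (not code from this thread or from Suricata): the IPv4 header fields from the tshark output above rebuilt as bytes (the checksum recomputes to the quoted 0x4129), plus a dsize-style check that returns no verdict for an unreassembled fragment, since only the reassembled datagram has a meaningful UDP payload length. The build_ipv4_udp helper and its source port 1024 are constructed for this example.

```python
import struct
from typing import Optional

# Constructed 20-byte IPv4 header rebuilt from the field values in the tshark
# output above (Id 0x7709, MF set, offset 0, TTL 128, UDP, checksum 0x4129).
# These are not bytes taken from the original pcap.
FIRST_FRAGMENT_HEADER = bytes.fromhex("4500 05dc 7709 2000 8011 4129 ac14 0283 ac14 0233")

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header, checksum field treated as zero."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words) - words[5]          # word 5 is the checksum field itself
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header and classify the packet's fragment status."""
    (ver_ihl, _tos, total_len, ident, flags_off, ttl, proto, csum,
     _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    mf = bool(flags_off & 0x2000)          # "More fragments" bit
    offset = (flags_off & 0x1FFF) * 8      # fragment offset in bytes
    return {
        "ihl": ihl, "total_len": total_len, "id": ident, "ttl": ttl, "proto": proto,
        "mf": mf, "frag_offset": offset,
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == csum,
        "is_fragment": mf or offset > 0,
        "is_first_fragment": mf and offset == 0,
    }

def udp_dsize_matches(pkt: bytes, dsize: int) -> Optional[bool]:
    """dsize-style test on the UDP payload length. Returns None (no verdict) for
    any fragment: a first fragment carries the UDP ports, but its payload size
    says nothing about the reassembled datagram."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != 17 or ip["is_fragment"]:
        return None
    udp_len = struct.unpack("!H", pkt[ip["ihl"] + 4:ip["ihl"] + 6])[0]
    return udp_len - 8 == dsize

def build_ipv4_udp(dst_port: int, payload: bytes, mf: bool = False) -> bytes:
    """Constructed helper: wrap payload in UDP and IPv4 headers (same addresses as above)."""
    udp = struct.pack("!HHHH", 1024, dst_port, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x7709,
                      0x2000 if mf else 0, 128, 17, 0,
                      bytes([172, 20, 2, 131]), bytes([172, 20, 2, 51]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp
```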