Snort community rule triggering

lazyleopard · Post by **lazyleopard** » Tue Jan 24, 2006 2:31 pm

I've been trying the new zone editing stuff from work, using Mozilla from Linux. Very nifty, and I now have zones that conform to the geography much better than before.

One thing I've noticed is that the one editing seems to trip one of the Snort community rules:

Code: Select all

community-web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "COMMUNITY WEB-MISC mod_jrun overflow attempt"; flow:to_server,established; content:"|3A|"; pcre:"/^.*\x3a[^\n]{1000}/sm"; reference:bugtraq,11245; reference:cve,2004-0646; classtype:web-application-attack; sid:100000122; rev:1;) sid-msg.map:100000122 || COMMUNITY WEB-MISC mod_jrun overflow attempt || bugtraq,11245 || cve,2004-0646

Just a heads-up for folks working through a snort-monitored gateway that it may appear to the admins that you're involved in some skullduggery...

Post by **zoneminder** » Tue Jan 24, 2006 2:57 pm

Interesting. Do you know what that message actually means? How can I try and figure out what it might be objecting to.

(hoping no-one discovers the secret backdoor in 1.22.0

)

lazyleopard · Post by **lazyleopard** » Tue Jan 24, 2006 5:00 pm

I've been trying to figure it out. I suspect that particular rule isn't quite specific enough to catch only exploit attempts. The rule matches on packets if:

They are part of an established connection and coming to a server on an HTTP port.
They contain the character 0x3A. (One of these ":"

)
They match the regular expression "/^.*\x3a[^\n]{1000}/sm"

I think that last expression means that the 0x3A is followed by at least 1000 non-newline characters.

lazyleopard · Post by **lazyleopard** » Tue Jan 24, 2006 5:23 pm

That's a perl-type regular expression, so the trailing "sm" means match whether the rest of the packet is a single line or multiple lines. I guess exactly what happens depends on what snort considers an end-of-line within a packet.

The CVE entry is here: http://www.cve.mitre.org/cgi-bin/cvenam ... =2004-0646

Post by **zoneminder** » Tue Jan 24, 2006 8:18 pm

Well that url helps!

What was it you were doing to trigger the alert?

lazyleopard · Post by **lazyleopard** » Tue Jan 24, 2006 10:46 pm

It seems to be the zone shape editing. I think the reason that rule triggers is the length of the referrer information. Here's one line from the apace log that corresponds to one of those alerts:

Code: Select all

workstation.domain.com - - [24/Jan/2006:14:42:11 +0000] "GET /zm/images/Back-Zones.jpg?1138113729 HTTP/1.1" 200 111298 "http://camera.host.name/zm/index.php?view=zone&action=&subaction=&mid=6&zid=8
&new_zone%5BNumCoords%5D=10
&new_zone%5BCoords%5D=130%2C221+703%2C220+735%2C262+696%2C363+493%2C403+215%2C425+0%2C425+21%2C362+96%2C338+122%2C279
&new_zone%5BArea%5D=115658
&new_zone%5BAlarmRGB%5D=16711680
&new_zone%5BName%5D=Lawn
&new_zone%5BType%5D=Active
&presetSelector=0
&new_zone%5BUnits%5D=Pixels
&new_alarm_rgb_r=255
&new_alarm_rgb_g=0&new_alarm_rgb_b=0
&new_zone%5BCheckMethod%5D=Blobs
&new_zone%5BMinPixelThreshold%5D=20
&new_zone%5BMaxPixelThreshold%5D=0
&new_zone%5BFilterX%5D=7
&new_zone%5BFilterY%5D=7
&new_zone%5BMinAlarmPixels%5D=200
&new_zone%5BMaxAlarmPixels%5D=5000
&new_zone%5BMinFilterPixels%5D=180
&new_zone%5BMaxFilterPixels%5D=4000
&new_zone%5BMinBlobPixels%5D=90
&new_zone%5BMaxBlobPixels%5D=2200
&new_zone%5BMinBlobs%5D=1
&new_zone%5BMaxBlobs%5D=3
&new_zone%5BPoints%5D%5B0%5D%5Bx%5D=130
&new_zone%5BPoints%5D%5B0%5D%5By%5D=221
&new_zone%5BPoints%5D%5B2%5D%5Bx%5D=735
&new_zone%5BPoints%5D%5B2%5D%5By%5D=262
&new_zone%5BPoints%5D%5B4%5D%5Bx%5D=493
&new_zone%5BPoints%5D%5B4%5D%5By%5D=403
&new_zone%5BPoints%5D%5B6%5D%5Bx%5D=0
&new_zone%5BPoints%5D%5B6%5D%5By%5D=425
&new_zone%5BPoints%5D%5B8%5D%5Bx%5D=96
&new_zone%5BPoints%5D%5B8%5D%5By%5D=338
&new_zone%5BPoints%5D%5B1%5D%5Bx%5D=703
&new_zone%5BPoints%5D%5B1%5D%5By%5D=221
&new_zone%5BPoints%5D%5B3%5D%5Bx%5D=696
&new_zone%5BPoints%5D%5B3%5D%5By%5D=363
&new_zone%5BPoints%5D%5B5%5D%5Bx%5D=215
&new_zone%5BPoints%5D%5B5%5D%5By%5D=425
&new_zone%5BPoints%5D%5B7%5D%5Bx%5D=21
&new_zone%5BPoints%5D%5B7%5D%5By%5D=362
&new_zone%5BPoints%5D%5B9%5D%5Bx%5D=122
&new_zone%5BPoints%5D%5B9%5D%5By%5D=279" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040115"

I've sliced that up so that it doesn't stretch half a mile off to the right, but it's actually all one line in the log file.

Post by **zoneminder** » Tue Jan 24, 2006 11:06 pm

Ah, ok. Possibly that form might work better using POST. I'll check it still works if that's the case and if so change it.

lazyleopard · Post by **lazyleopard** » Wed Jan 25, 2006 8:31 am

Incidentally, webalizer moaned pathetically this morning, thus:

Code: Select all

Reading history file... webalizer.hist
Reading previous run data.. webalizer.current
2923 records (2923 ignored) in 0.20 seconds
Warning: Truncating oversized request field
Warning: Truncating oversized referrer field
Warning: Truncating oversized referrer field
Warning: Truncating oversized referrer field
...

...and so on for a couple of thousand lines.