Project

General

Profile

Actions

Bug #207

closed

False Negative related to use of depth/offset when processing the attached pcap

Added by Will Metcalf over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Even though I believe that the rule author mis-understands the use of depth/offset This rule should still fire. In snort this rule fires, in suricata it doesn't. The very bizarre thing about this issue is that if you modify depth in the following part of the rule to be any other value greater than 7 except for 32 - 35 the sig fires. Why do we miss these bytes? Even if I set relative depth to something like 5000 the sig fires.

content: "|00 00 00 03|"; offset: 28; depth: 32;

alert tcp $HOME_NET 10000 -> $EXTERNAL_NET any (msg:"ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon"; flow:established,from_server; content:"|00 00 05 02|"; offset:16; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; classtype:attempted-recon; reference:url,www.ndmp.org/download/sdk_v4/draft-skardal-ndmp4-04.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2002068; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Veritas_BUExec; sid:2002068; rev:8;)

0000 80 00 00 24 00 00 00 01 4c 36 76 f7 00 00 00 00
0010 00 00 05 02 00 00 00 00 00 00 00 00 00 00 00 00
0020 00 00 00 03 00 00 00 00

src/suricata -s 2002068.rules -l ./ -c suricata.yaml -r ../metasploit-tests/backupexec_90_remote_agent_overflow.pcap


Files

backupexec_90_remote_agent_overflow.pcap (10.8 KB) backupexec_90_remote_agent_overflow.pcap backup exec metasploit overflow attempt Will Metcalf, 07/09/2010 08:38 AM
2002068.rules (527 Bytes) 2002068.rules ET backup exec rule Will Metcalf, 07/09/2010 08:38 AM
0001-Fix-for-bug-207-depth-offset-not-correctly-updated-o.patch (12.1 KB) 0001-Fix-for-bug-207-depth-offset-not-correctly-updated-o.patch We were not handling correctly the combination of depth/offset on certain cases. The attached patch fix this issue. Pablo Rincon, 07/21/2010 01:32 PM
Actions

Also available in: Atom PDF