Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Snort signature and standalone detection tool SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Snort signature and standalone detection tool
(Kyle Haugsness)  As promised, here is a Snort signature to detect exploit attempts against the Back Orifice pre-processor vulnerability announced this week.  There is a fatal flaw with this signature, which will reduce its overall effectiveness when the attackers get smarter.  But I'm not going to disclose the fatal flaw.  In order to avoid the fatal flaw and detect all attacks, you will need to run the standalone program that is available here: http://handlers.sans.org/khaugsness/

Here's the Snort signature.  Don't forget to turn off the BO pre-processor in snort.conf if you are running a vulnerable version!  Also, don't forget to change the "sid" field below...

alert udp any !31337 <> any !31337 ( \
msg: "BLEEDING-EDGE EXPLOIT Snort Back Orifice pre-processor buffer overflow attempt"; \
dsize: >1024; \
content:"|ce 63 d1 d2 16 e7 13 cf|"; \
offset: 0; \
depth: 8; \
threshold: type limit, track by_dst, count 1, seconds 60; \
classtype: attempted-admin; \
sid: 3000001; \
rev:1; \
)



Kyle

112 Posts

Sign Up for Free or Log In to start participating in the conversation!