
SANS ISC InfoSec Forums: Snort signature and standalone detection tool

(Kyle Haugsness)  As promised, here is a Snort signature to detect exploit attempts against the Back Orifice pre-processor vulnerability announced this week.  There is a fatal flaw with this signature, which will reduce its overall effectiveness when the attackers get smarter.  But I'm not going to disclose the fatal flaw.  In order to avoid the fatal flaw and detect all attacks, you will need to run the standalone program that is available here: http://handlers.sans.org/khaugsness/

Here's the Snort signature.  Don't forget to turn off the BO pre-processor in snort.conf if you are running a vulnerable version!  Also, don't forget to change the "sid" field below...

alert udp any !31337 <> any !31337 ( \
msg: "BLEEDING-EDGE EXPLOIT Snort Back Orifice pre-processor buffer overflow attempt"; \
dsize: >1024; \
content:"|ce 63 d1 d2 16 e7 13 cf|"; \
offset: 0; \
depth: 8; \
threshold: type limit, track by_dst, count 1, seconds 60; \
classtype: attempted-admin; \
sid: 3000001; \
rev:1; \
)



Kyle

Oct 21st 2005
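The matching and thresholding logic of the rule above, written out as an added Python example; this is not the handler's standalone tool and not code from the original post. It assumes UDP datagrams have already been pulled out of a capture, and the packets it runs on are constructed sample input.

```python
from dataclasses import dataclass, field

# Values copied from the rule above: the 8-byte content match, the excluded port,
# the strict dsize bound and the threshold window. Nothing else is from the post.
BO_CONTENT = bytes.fromhex("ce63d1d216e713cf")
EXCLUDED_PORT = 31337
MIN_DSIZE = 1025           # dsize: >1024 is strictly greater than 1024 bytes
THRESHOLD_SECONDS = 60     # threshold: type limit, count 1, seconds 60


@dataclass
class UdpPacket:
    """Minimal stand-in for a captured UDP datagram (constructed sample input)."""
    ts: float        # capture time in seconds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def rule_matches(pkt: UdpPacket) -> bool:
    """Rule header and options as written: neither port is 31337, the payload is
    longer than 1024 bytes, and the content sits at offset 0 within depth 8."""
    if EXCLUDED_PORT in (pkt.src_port, pkt.dst_port):
        return False
    if len(pkt.payload) < MIN_DSIZE:
        return False
    return pkt.payload[0:8] == BO_CONTENT


@dataclass
class LimitThreshold:
    """'type limit, track by_dst, count 1, seconds 60': alert on the first matching
    packet to a destination IP, then suppress alerts for the rest of the 60-second
    window that began with that packet; a later packet opens a new window."""
    seconds: int = THRESHOLD_SECONDS
    window_start: dict = field(default_factory=dict)

    def should_alert(self, pkt: UdpPacket) -> bool:
        start = self.window_start.get(pkt.dst_ip)
        if start is None or pkt.ts - start >= self.seconds:
            self.window_start[pkt.dst_ip] = pkt.ts
            return True
        return False


def run_detector(packets: list) -> list:
    """Return (timestamp, src_ip, dst_ip) for each packet that would raise an alert."""
    th = LimitThreshold()
    return [(p.ts, p.src_ip, p.dst_ip) for p in packets
            if rule_matches(p) and th.should_alert(p)]
```

Feed it the payloads of every UDP datagram, not only port 31337, since the rule header deliberately excludes that port rather than selecting it.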