False alerts for ET SHELLCODE Common 0a0a0a0a Heap Spray String


Jeff

Jun 5, 2015, 1:22:27 PM
to securit...@googlegroups.com
I occasionally get alerts for ET SHELLCODE Common 0a0a0a0a Heap Spray String (SID 2012252)

When I download the pcap with CapMe I can't find any content that matches the rule. I sent a pcap to one of the ET guys and he verified that the traffic should not be triggering this alert.

Prior to running Security Onion I was running Snort on my pfSense and I have not yet disabled it. I checked the Snort logs on the pfSense and it does not log an alert for this traffic and rule. (But it otherwise is logging the same alerts as SO).

Any idea why Security Onion would be generating alerts from traffic that doesn't match this rule? I can send a pcap off list if anyone would like to look at it.

Doug Burks

Jun 9, 2015, 2:47:14 PM
to securit...@googlegroups.com
Hi Jeff,

Security Onion includes a standard Snort engine with a standard
snort.conf, so I can't think of any reason why it would generate false
positives on a simple content match like this.

Here's SID 2012252 from http://doc.emergingthreats.net/bin/view/Main/2012252:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
SHELLCODE Common 0a0a0a0a Heap Spray String";
flow:established,to_client; content:"0a0a0a0a"; nocase;
fast_pattern:only;
reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html;
classtype:shellcode-detect; sid:2012252; rev:1;)

Does that match what you get if you run the following command?
grep 2012252 /etc/nsm/rules/downloaded.rules

Have you compared your snort.conf files to see if there are any
differences between the one on your pfSense box and your Security
Onion box?
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Jeff

Jun 9, 2015, 5:26:04 PM
to securit...@googlegroups.com
Hi Doug,
Yes, my rule 2012252 matches what is on the ET site. I tried comparing the SO snort.conf and pfSense snort.conf but the pfSense seems to be pretty custom so it's hard to compare.

That said, analyzing the traffic captured I don't see the "0a0a0a0a" anywhere in the capture. I was chatting with one of the ET guys a while back and he looked at a pcap of mine and said it didn't match the rule and didn't alert on his system.

Jeff


Doug Burks

Jun 10, 2015, 7:35:01 AM
to securit...@googlegroups.com
How did you pivot to the capture?

How were you analyzing the capture?

Did the capture contain any gzip encoding?

Are you able to provide a sanitized pcap or transcript?

Jeff

Jun 10, 2015, 11:36:26 AM
to securit...@googlegroups.com
Hi Doug,

Replies inline

On Wednesday, June 10, 2015 at 4:35:01 AM UTC-7, Doug Burks wrote:
> How did you pivot to the capture?
Snorby -> Packet Capture Options -> Custom -> CapMe -> download pcap

> How were you analyzing the capture?
Opened pcap from CapMe in Wireshark. Searched for both "0a0a" and "0A0A" as ASCII and "30 61 30 61" as Hex.

> Did the capture contain any gzip encoding?
Yes

> Are you able to provide a sanitized pcap or transcript?
Yes, I will send pcap offlist

Doug Burks

Jun 11, 2015, 10:20:38 AM
to securit...@googlegroups.com
I have a feeling this may be due to the png images in the stream:
https://lists.emergingthreats.net/pipermail/emerging-sigs/2011-February/012079.html

Kevin Branch

Jun 12, 2015, 11:28:31 AM
to securit...@googlegroups.com
If there was gzip encoding involved, then I would presume you won't find the search strings in Wireshark because those strings are gzip encoded in the stream.  I believe Snort/Suricata can decode gzipped stream content before searching for string matches.  To manually confirm you have a match, you could take your pcap and feed it through a file carver like 

Or even easier, just use Wireshark's native http export capability to export the stream as decoded content:


Kevin

00c...@gmail.com

Dec 4, 2015, 5:14:30 PM
to security-onion

I believe you should be searching the packet for HEX 0a0a0a0a and you will find the string. Shellcode signatures are usually represented as HEX values not ASCII.

Regards.
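An added illustration (not code from the thread) of the two points raised above: Snort's http_inspect preprocessor can decompress a gzip-encoded response body before the content match runs (the `inspect_gzip` option), so a string that is invisible in the raw bytes Wireshark shows can still fire; and a Snort `content` string without `|...|` pipe delimiters is matched as literal ASCII, so `content:"0a0a0a0a"; nocase;` looks for the characters 0a0a0a0a (bytes 30 61 30 61 30 61 30 61, or their upper-case form), whereas `|0a 0a 0a 0a|` would mean four newline bytes. The HTTP response below is constructed for the example.

```python
import gzip
import re

# Added example: check SID 2012252's content string against a gzip-encoded
# HTTP response, on the wire and after decoding. Sample traffic is constructed.

RULE_CONTENT = "0a0a0a0a"   # from the rule: content:"0a0a0a0a"; nocase;

def snort_content_to_bytes(content: str) -> bytes:
    """Convert a Snort content string to the bytes the engine matches.

    Text outside |...| is literal ASCII; text inside |...| is hex bytes.
    "0a0a0a0a" is eight ASCII characters; "|0a 0a 0a 0a|" is four newlines.
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += part.encode("ascii") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def split_http_response(raw: bytes):
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def decode_body(headers, body: bytes) -> bytes:
    """Undo gzip Content-Encoding, as http_inspect does with inspect_gzip on."""
    return gzip.decompress(body) if headers.get(b"content-encoding") == b"gzip" else body

def content_matches(data: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """Literal byte search; nocase mirrors the rule's nocase modifier."""
    return re.search(re.escape(pattern), data, re.IGNORECASE if nocase else 0) is not None

def check_response(raw: bytes, content: str = RULE_CONTENT):
    """Return (matches_on_wire, matches_after_decoding) for a rule content string."""
    pattern = snort_content_to_bytes(content)
    headers, body = split_http_response(raw)
    return content_matches(raw, pattern), content_matches(decode_body(headers, body), pattern)

# Constructed sample: the decoded page contains the string (upper-case, so only
# nocase catches it); the gzip bytes on the wire do not.
PLAIN_BODY = b"<html><script>var s = '0A0A0A0A';</script></html>"
GZ_BODY = gzip.compress(PLAIN_BODY, mtime=0)
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n"
                   b"Content-Length: " + str(len(GZ_BODY)).encode() + b"\r\n\r\n" + GZ_BODY)

if __name__ == "__main__":
    print("on wire / after decode:", check_response(SAMPLE_RESPONSE))   # (False, True)
```

Searching the Wireshark stream for the ASCII string (or the hex 30 61 30 61) only finds it after the body is decoded, which is what Wireshark's "Follow HTTP stream" or HTTP object export gives you.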
