Posts Tagged ‘IPS’

Ourmon and Snort 2.8.1 Released

Friday, April 4th, 2008

I noticed Ourmon 2.8.1 is quietly released on 21 March 2008. This bug-fix release fixes the bugs that I have reported previously, and my name is in the release note. The IP blacklist config takes 3 argument now, this helps when you have multiple blacklists, so you immediately tell which blacklist caused the message, but I am yet to test this feature.
For example in ourmon.conf:

blist_include "irc"  /home/mrourmon/etc/ipblacklist.txt

Snort LogoSnort, an open source network intrusion prevention and detection system, releases version 2.8.1. I got a 404 error while I was trying to download Snort 2.8.0.2 yesterday and noticed the file was not there anymore. Within few minutes, the Snort download page was refreshed and replaced with new v2.8.1 package. Coincidentally, the release version number is same with Ourmon latest bug-fix release. In v2.8.1, one of the new additions is the ability to read multiple pcaps from the command line, which I have usually done with Argus. Here is the sample:

[root@nsm /]# snort -dv -r irc1.pcap -r irc2.pcap | less
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Verifying Preprocessor Configurations!
TCPDUMP file reading mode.
Reading network traffic from "irc1.pcap" file.
snaplen = 65535

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.1 (Build 28)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2008 Sourcefire Inc., et al.
           Using PCRE version: 7.6 2008-01-28

Not Using PCAP_FRAMES
07/11-08:00:32.312306 192.168.128.86:6667 -> 10.1.2.177:32793
TCP TTL:40 TOS:0x0 ID:51682 IpLen:20 DgmLen:91 DF
***AP*** Seq: 0xB368B2EB  Ack: 0xE79F2A5  Win: 0xB50  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2184210158 757152
3A 62 6D 77 30 37 21 34 76 71 74 71 74 34 40 38  :bmw07!4vqtqt4@8
32 2E 37 39 2E 38 37 2E 37 39 20 4A 4F 49 4E 20  2.79.87.79 JOIN
23 61 6C 62 61 0D 0A                                               #alba..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Intelligent IPS

Friday, April 4th, 2008

Some time ago, I have informed my colleague to report an issue that URL request to retrieve Awstats of one domain has been blocked by Intrusion Prevention System (IPS) of the Data Center, because I don’t see my request is received by web server. For example, http://192.168.123.123/awstats/cgi-bin/awstats.pl?config=[DOMAIN NAME] , as long as your domain name contains the word “system”, then your request is blocked.

This is their first reply (I just copied and pasted here) from the Data Center Support:

I beleive this is application issue and something to do at your end/server, please check. All your IP able to ping, we didnt block anything sort of application.

OK, fine, usual reply. We know he is one of those high position technical members, we tried to clarify that with few URLs with explanation, then his next reply:

I’ve checked already at my IPS. Your application hit one of our filter and has been blocked, pls refer below filter description

Severity : Critical
Description : This filter detects an attempt to exploit an input validation vulnerability present in the AWStats log analyzer. If successfully exploited, and attacker could execute arbitrary code on the affected web server.

Great, just as what I have suspected. So, I have replied him this is most probably a false positive, is it possible to disable the signature, or improve the signature? But I got a reply:

The IPS block a valid request, thats mean there is a vulnerability with your AWStats.

WTF? Does that mean their IPS is so intelligent and it can detect the latest Awstats version installation has a vulnerability? I have requested them to provide the full packets detail, which shows I am trying to do arbitrary code execution or maybe I can inform Awstats on the “vulnerability”.

Finally he replied:

Pls find the attachment a log from our IPS (It contains a few lines of successful URL blocking, with source and destination IP, severality, hits, that’s all). However we will consult with our vendor to determine the ’signature’ from our IPS.

I think I need to wait at least for a few weeks before get this resolved.