Suricata-vs-snort/Test-cases/Client-side-attacks

From aldeid

Description

The test consisted of downloading, with wget, 257 malicious documents (download) of the kinds commonly used in client-side attacks from the test server, with Suricata and Snort inspecting the traffic.

Synthesis

                            Suricata   Snort
Number of files sent        257        257
Number of detected files    127        157
Number of triggered alerts  210        374
Detection rate              49.42%     61.09%

Detection rate is detected files divided by files sent (127/257 and 157/257). A file that triggered several signatures still counts as one detected file, which is why the alert totals below exceed the file counts.
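The synthesis above is the kind of tally that comes out of each engine's fast.log. The following Python script is an added example, not part of the aldeid page or of either project's tooling: it parses the alert header and flow fields that Snort's and Suricata's fast formats share, counts hits per signature, counts distinct downloads (assumed here to be one TCP connection per wget fetch against an HTTP server on port 80, so the client ip:port identifies a file) and derives the detection rate. The log lines, addresses, ports and alert directions in SAMPLE_FAST_LOG are constructed for the example.

```python
import re
from collections import Counter
from typing import Any, Dict, Iterable, Iterator, NamedTuple, Tuple

# Fields shared by Snort's and Suricata's fast.log formats: the
# "[**] [gid:sid:rev] message [**]" header and the "{PROTO} src:port -> dst:port"
# tail. The timestamp prefix differs between the engines and is ignored.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Assumption: files are served over plain HTTP on port 80 and wget opens one
# TCP connection per file, so the client-side ip:port identifies one download.
HTTP_PORT = "80"


class Alert(NamedTuple):
    gid: int
    sid: int
    rev: int
    msg: str
    flow: Tuple[str, str]  # (client ip:port, server ip:port)


def parse_fast_log(lines: Iterable[str]) -> Iterator[Alert]:
    """Yield one Alert per fast.log alert line; non-alert lines are skipped."""
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        src = f"{m['src']}:{m['sport']}"
        dst = f"{m['dst']}:{m['dport']}"
        # Normalise direction so that a rule firing on the server's response
        # and a rule firing on the client's request map to the same download.
        flow = (dst, src) if m["sport"] == HTTP_PORT else (src, dst)
        yield Alert(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"], flow)


def summarise(alerts: Iterable[Alert], files_sent: int) -> Dict[str, Any]:
    """Per-signature hit counts, alert total, distinct detected files and rate."""
    per_signature: Counter = Counter()
    detected_flows = set()
    for a in alerts:
        per_signature[(a.gid, a.sid, a.rev, a.msg)] += 1
        detected_flows.add(a.flow)
    detected = len(detected_flows)
    return {
        "per_signature": per_signature,
        "alerts": sum(per_signature.values()),
        "detected": detected,
        "rate": round(100.0 * detected / files_sent, 2),
    }


def format_report(summary: Dict[str, Any]) -> str:
    """Render the per-signature list the way the page does: one alert header per
    signature followed by its hit count, sorted by sid as a string, then TOTAL."""
    rows = sorted(summary["per_signature"].items(), key=lambda kv: str(kv[0][1]))
    out = [f"[**] [{gid}:{sid}:{rev}] {msg} [**] {n}" for (gid, sid, rev, msg), n in rows]
    out.append(f"TOTAL {summary['alerts']}")
    return "\n".join(out)


# Constructed sample log (not a capture from the page's test): eight alerts over
# five downloads, mostly in Snort's fast format, with one Suricata-style
# timestamp, one request-direction alert and one blank line mixed in.
SAMPLE_FAST_LOG = """\
01/15-10:02:11.123456  [**] [1:17668:1] POLICY attempted download of a PDF with embedded JavaScript [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:80 -> 10.0.0.9:40001
01/15-10:02:11.123900  [**] [1:648:10] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:80 -> 10.0.0.9:40001
01/15-10:02:12.500000  [**] [1:1394:12] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:80 -> 10.0.0.9:40002
01/15-10:02:12.501000  [**] [1:648:10] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:80 -> 10.0.0.9:40002

01/15-10:02:14.000000  [**] [1:17668:1] POLICY attempted download of a PDF with embedded JavaScript [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:80 -> 10.0.0.9:40003
01/15-10:02:14.000500  [**] [1:16642:1] POLICY File URI scheme [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.9:40003 -> 10.0.0.5:80
01/15-10:02:15.000000  [**] [1:15306:6] WEB-CLIENT Portable Executable binary file transfer [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:40004
01/15/2011-10:02:16.000000  [**] [1:2012064:1] ET WEB_CLIENT Foxit PDF Reader Title Stack Overflow [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:80 -> 10.0.0.9:40005
"""

if __name__ == "__main__":
    result = summarise(parse_fast_log(SAMPLE_FAST_LOG.splitlines()), files_sent=10)
    print(format_report(result))
    print(f"Detected files: {result['detected']}  Detection rate: {result['rate']}%")
```

Run against a real fast.log, pass the number of files actually fetched as files_sent. The one-connection-per-file assumption is the weak point of this tally: if the client reuses a keep-alive connection for several fetches, distinct client ports undercount the files, and the per-transaction records in Suricata's eve.json (or the downloaded file names in the server log) are a safer key for "detected files".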

Triggered alerts

Each line below is the alert header in the fast-alert format, [gid:sid:rev] followed by the rule message, with the number of times that signature fired across the 257 downloads; the counts add up to the TOTAL. Entries with gid 3 are Snort shared-object (SO) rules and appear only in the Snort list.

Suricata

[**] [1:10504:2] SHELLCODE unescape encoded shellcode [**] 3
[**] [1:12799:3] SHELLCODE base64 x86 NOOP [**] 2
[**] [1:12802:3] SHELLCODE base64 x86 NOOP [**] 2
[**] [1:1394:12] SHELLCODE x86 inc ecx NOOP [**] 26
[**] [1:15306:6] WEB-CLIENT Portable Executable binary file transfer [**] 4
[**] [1:15357:4] WEB-CLIENT Adobe PDF JBIG2 remote code execution attempt [**] 3
[**] [1:16676:1] SPECIFIC-THREATS Adobe Reader malformed FlateDecode colors declaration [**] 6
[**] [1:16677:1] WEB-CLIENT Adobe Reader malformed FlateDecode colors declaration [**] 1
[**] [1:17233:1] SPECIFIC-THREATS Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt [**] 1
[**] [1:17668:1] POLICY attempted download of a PDF with embedded JavaScript [**] 122
[**] [1:17808:1] SPECIFIC-THREATS Adobe Flash authplay.dll memory corruption attempt [**] 2
[**] [1:2012064:1] ET WEB_CLIENT Foxit PDF Reader Title Stack Overflow [**] 4
[**] [1:648:10] SHELLCODE x86 NOOP [**] 34
TOTAL 210

Snort

[**] [1:10504:2] SHELLCODE unescape encoded shellcode [**] 3
[**] [1:12799:3] SHELLCODE base64 x86 NOOP [**] 9
[**] [1:12802:3] SHELLCODE base64 x86 NOOP [**] 9
[**] [1:13478:1] SPECIFIC-THREATS Adobe PDF collab.collectEmailInfo exploit attempt [**] 1
[**] [1:1394:12] SHELLCODE x86 inc ecx NOOP [**] 69
[**] [1:15306:6] WEB-CLIENT Portable Executable binary file transfer [**] 4
[**] [1:15357:4] WEB-CLIENT Adobe PDF JBIG2 remote code execution attempt [**] 3
[**] [1:15697:1] WEB-CLIENT Generic javascript obfuscation attempt [**] 2
[**] [1:15698:2] WEB-CLIENT Possible generic javascript heap spray attempt [**] 1
[**] [1:16642:1] POLICY File URI scheme [**] 38
[**] [1:16664:1] SPECIFIC-THREATS Adobe Reader and Acrobat authplay.dll vulnerability exploit attempt [**] 2
[**] [1:16676:1] SPECIFIC-THREATS Adobe Reader malformed FlateDecode colors declaration [**] 6
[**] [1:16677:1] WEB-CLIENT Adobe Reader malformed FlateDecode colors declaration [**] 1
[**] [1:17233:1] SPECIFIC-THREATS Adobe Reader and Acrobat TTF SING table parsing remote code execution attempt [**] 1
[**] [1:17668:1] POLICY attempted download of a PDF with embedded JavaScript [**] 132
[**] [1:17808:1] SPECIFIC-THREATS Adobe Flash authplay.dll memory corruption attempt [**] 2
[**] [1:18167:1] WEB-CLIENT Possible generic javascript heap spray attempt [**] 1
[**] [1:18168:1] WEB-CLIENT Possible generic javascript heap spray attempt [**] 2
[**] [1:3820:7] WEB-CLIENT multipacket CHM file transfer attempt [**] 1
[**] [1:3821:8] WEB-CLIENT CHM file transfer attempt [**] 1
[**] [1:648:10] SHELLCODE x86 NOOP [**] 62
[**] [1:7200:2] WEB-CLIENT microsoft word document summary information null string overflow attempt [**] 1
[**] [1:8445:2] WEB-CLIENT RTF file with embedded object package download attempt [**] 3
[**] [3:15503:1] WEB-CLIENT Download of PowerPoint 95 file [**] 2
[**] [3:16343:5] WEB-CLIENT obfuscated header in PDF [**] 15
[**] [3:17775:2] SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected [**] 1
[**] [3:18543:2] SPECIFIC-THREATS embedded Shockwave dropper download [**] 2
TOTAL 374
