Snort mailing list archives

snort stateful inspection testing


From: Andrea Barisani <lcars () infis univ trieste it>
Date: Sat, 16 Mar 2002 16:24:26 +0100


Hi to all!

I'm implementing an IDS testing feature in my 'Firewall Tester' 
tool (http://www.infis.univ.trieste.it/~lcars/ftester) and I'm 
simulating a TCP handshake in order to spoof a real connection to
test snort stateful inspection. (The tool is client-server structured.)

This is what the snort host sees:

15:59:30.573688 10.1.7.1.1025 > 192.168.0.1.80: S [tcp sum ok] 11020:11028(8) win 65535 (DF) (ttl 200, id 1, len 48)
15:59:30.585081 192.168.0.1.80 > 10.1.7.1.1025: S [tcp sum ok] 12044:12044(0) ack 11021 win 65535 (DF) [tos 0x10]  (ttl 3, id 1, len 40)
15:59:31.611747 10.1.7.1.1025 > 192.168.0.1.80: . [tcp sum ok] ack 12045 win 65535 (DF) (ttl 200, id 2, len 40)
15:59:31.635338 10.1.7.1.1025 > 192.168.0.1.80: P [tcp sum ok] 11029:11036(7) ack 12045 win 65535 (DF) (ttl 200, id 3, len 47)

the last packet (.635338) contains the 'ftp.exe' payload, so it's 
supposed to trigger the 'WEB-MISC ftp attempt' alert.

Now without the '-z' option the alert is obviously triggered, but 
with -z est the alert is triggered only the first time I simulate
the connection! The second time, with different random sequence 
numbers, snort is silent, and so on until I restart the process.

Where is the problem? It seems to me that the seq and ack numbers are right.
Does snort also need the acknowledgement for the last PSH before inspecting the
packet?

Thanks for any help :)

Bye

------------------------------------------------------------
INFIS Network Administrator & Security Officer         .*. 
Department of Physics       - University of Trieste    /V\
lcars () infis univ trieste it - PGP Key 0x8E21FE82      (/ \)
----------------------------------------------------  (   )
"How would you know I'm mad?" said Alice.             ^^-^^
"You must be," said the Cat, "or you wouldn't have come here."
------------------------------------------------------------
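Replaying the four tcpdump lines from the post through a minimal handshake tracker, as an added example that is not part of the original post or of ftester: it reconstructs the session state the way a simplified stateful inspector would and compares the PSH segment's sequence number against both the client's own SYN and the server's acknowledgement. It assumes the old tcpdump 'seq:seq+len(len)' output style shown above; the tracker is a simplification, not Snort's stream logic.

```python
import re

# Constructed copy of the four tcpdump lines quoted in the post (wrapped lines rejoined).
CAPTURE = """\
15:59:30.573688 10.1.7.1.1025 > 192.168.0.1.80: S [tcp sum ok] 11020:11028(8) win 65535 (DF) (ttl 200, id 1, len 48)
15:59:30.585081 192.168.0.1.80 > 10.1.7.1.1025: S [tcp sum ok] 12044:12044(0) ack 11021 win 65535 (DF) [tos 0x10]  (ttl 3, id 1, len 40)
15:59:31.611747 10.1.7.1.1025 > 192.168.0.1.80: . [tcp sum ok] ack 12045 win 65535 (DF) (ttl 200, id 2, len 40)
15:59:31.635338 10.1.7.1.1025 > 192.168.0.1.80: P [tcp sum ok] 11029:11036(7) ack 12045 win 65535 (DF) (ttl 200, id 3, len 47)
"""

# Old-style tcpdump TCP line: "ts src > dst: FLAGS [tcp sum ok] seq:seq+len(len) ack N win W ..."
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SPFR.]+) \[tcp sum ok\]"
    r"(?: (?P<seq>\d+):\d+\((?P<dlen>\d+)\))?(?: ack (?P<ack>\d+))?"
)

def parse(line):
    m = LINE.match(line)
    if not m:
        raise ValueError("unparsed tcpdump line: " + line)
    d = m.groupdict()
    return {"src": d["src"], "dst": d["dst"], "flags": d["flags"],
            "seq": int(d["seq"]) if d["seq"] else None,
            "dlen": int(d["dlen"]) if d["dlen"] else 0,
            "ack": int(d["ack"]) if d["ack"] else None}

def track(capture):
    """Replay a single-connection capture; return (final state, list of findings)."""
    nxt = {}       # per endpoint: next sequence number we expect it to send
    acked = {}     # per endpoint: sequence number its peer's last ACK expects next
    state, findings = "CLOSED", []
    for line in capture.splitlines():
        p = parse(line)
        src, dst = p["src"], p["dst"]
        if "S" in p["flags"]:
            # The SYN consumes one sequence number; data riding on the SYN follows it.
            nxt[src] = p["seq"] + 1 + p["dlen"]
            state = "SYN_SENT" if p["ack"] is None else "SYN_RCVD"
        elif state == "SYN_RCVD" and p["ack"] == nxt.get(dst):
            state = "ESTABLISHED"          # third leg of the handshake completes it
        if p["ack"] is not None:
            acked[dst] = p["ack"]
        if state == "ESTABLISHED" and p["dlen"]:
            if p["seq"] != nxt[src]:
                findings.append(f"{src}: data seq {p['seq']} != own next seq {nxt[src]}")
            if p["seq"] != acked.get(src):
                findings.append(f"{src}: data starts at {p['seq']} but peer's last ack "
                                f"only expects {acked.get(src)}")
            nxt[src] = p["seq"] + p["dlen"]
    return state, findings

if __name__ == "__main__":
    final_state, notes = track(CAPTURE)
    print(final_state, *notes, sep="\n")
```

On this capture the tracker reaches ESTABLISHED and reports that the PSH data starts at 11029 while the server's SYN-ACK acknowledged only 11021, that is, the 8 bytes carried in the client's SYN were never acknowledged by the simulated server.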
