![snort logo](/images/snort-logo.png)
Snort mailing list archives
snort stateful inspection testing
From: Andrea Barisani <lcars () infis univ trieste it>
Date: Sat, 16 Mar 2002 16:24:26 +0100
Hi to all! I'm implementing an IDS testing feature in my 'Firewall Tester' tool (http://www.infis.univ.trieste.it/~lcars/ftester) and I'm simulating a TCP handshake in order to spoof a real connection to test snort stateful inspection. (the tool is client-server structured)

This is what the snort host sees:

    15:59:30.573688 10.1.7.1.1025 > 192.168.0.1.80: S [tcp sum ok] 11020:11028(8) win 65535 (DF) (ttl 200, id 1, len 48)
    15:59:30.585081 192.168.0.1.80 > 10.1.7.1.1025: S [tcp sum ok] 12044:12044(0) ack 11021 win 65535 (DF) [tos 0x10] (ttl 3, id 1, len 40)
    15:59:31.611747 10.1.7.1.1025 > 192.168.0.1.80: . [tcp sum ok] ack 12045 win 65535 (DF) (ttl 200, id 2, len 40)
    15:59:31.635338 10.1.7.1.1025 > 192.168.0.1.80: P [tcp sum ok] 11029:11036(7) ack 12045 win 65535 (DF) (ttl 200, id 3, len 47)

The last packet (.635338) contains the 'ftp.exe' payload, so it's supposed to trigger the 'WEB-MISC ftp attempt' alert.

Now without the '-z' option the alert is obviously triggered, but with -z est the alert is triggered only the first time I simulate the connection! The second time, with different random sequence numbers, snort is silent, and so on until I restart the process.

Where is the problem? It seems to me that seq and ack numbers are right. Does snort also need the acknowledge for the last PSH before inspecting the packet?

Thanks for any help :)

Bye

    ------------------------------------------------------------
    INFIS Network Administrator & Security Officer          .*.
    Department of Physics - University of Trieste           /V\
    lcars () infis univ trieste it - PGP Key 0x8E21FE82    (/ \)
    ----------------------------------------------------    (  )
    "How would you know I'm mad?" said Alice.              ^^-^^
    "You must be," said the Cat, "or you wouldn't have come here."
    ------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
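When a hand-crafted handshake is used to exercise a stateful IDS, the first thing worth verifying is that the sequence and acknowledgement numbers in the capture are consistent from both endpoints' points of view, because a stream reassembler tracks what the peer has acknowledged rather than what the sender believes it has sent. The following Python script is an added example for this page; it is not part of the post, of ftester, or of Snort. It parses the four tcpdump lines quoted above (the regex assumes the tcpdump 3.x `-vv` summary format those lines are in, with timestamps removed) and replays them, keeping for each direction both the sender's own next sequence number and the highest ack returned by the peer. On these lines it reports that the SYN/ACK acknowledges 11021 while the client's SYN carried eight payload bytes (11021-11028), so the PSH data at 11029 begins eight bytes past the last point the server acknowledged. The script does not claim that this is why Snort is silent; it only makes the gap visible.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed copy of the four tcpdump lines quoted in the post, with the
# timestamps removed so each line starts at the source address.
CAPTURE = """\
10.1.7.1.1025 > 192.168.0.1.80: S [tcp sum ok] 11020:11028(8) win 65535 (DF) (ttl 200, id 1, len 48)
192.168.0.1.80 > 10.1.7.1.1025: S [tcp sum ok] 12044:12044(0) ack 11021 win 65535 (DF) [tos 0x10] (ttl 3, id 1, len 40)
10.1.7.1.1025 > 192.168.0.1.80: . [tcp sum ok] ack 12045 win 65535 (DF) (ttl 200, id 2, len 40)
10.1.7.1.1025 > 192.168.0.1.80: P [tcp sum ok] 11029:11036(7) ack 12045 win 65535 (DF) (ttl 200, id 3, len 47)
"""

# Assumed tcpdump 3.x summary layout: "src > dst: FLAGS [tcp sum ok] seq:end(len) ack N win W ...".
# The seq range is absent on a pure ACK and "ack N" is absent on the first SYN.
LINE_RE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SPFRU.]+) \[tcp sum ok\] "
    r"(?:(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\) )?"
    r"(?:ack (?P<ack>\d+) )?win (?P<win>\d+)"
)

Direction = Tuple[str, str]


@dataclass
class Segment:
    src: str
    dst: str
    flags: str
    seq: Optional[int]   # None on a pure ACK (tcpdump prints no range)
    length: int          # payload bytes, not counting the SYN/FIN sequence slot
    ack: Optional[int]


def parse_capture(text: str) -> List[Segment]:
    """Turn tcpdump summary lines into Segment records; reject lines that do not match."""
    segs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised tcpdump line: {line!r}")
        g = m.groupdict()
        segs.append(Segment(
            src=g["src"], dst=g["dst"], flags=g["flags"],
            seq=int(g["seq"]) if g["seq"] else None,
            length=int(g["len"]) if g["len"] else 0,
            ack=int(g["ack"]) if g["ack"] else None,
        ))
    return segs


def check_stream(segs: List[Segment]) -> List[str]:
    """Replay the segments in order and list seq/ack inconsistencies.

    next_seq[dir] is what the sender's own numbering says comes next
    (seq + payload, plus one for SYN and one for FIN).
    peer_ack[dir] is the highest ack the other side has actually returned
    for that direction, i.e. the point a receiver-side reassembler trusts.
    """
    next_seq: Dict[Direction, int] = {}
    peer_ack: Dict[Direction, int] = {}
    findings: List[str] = []
    for n, s in enumerate(segs, 1):
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        if s.seq is not None:
            if fwd in next_seq and s.seq != next_seq[fwd]:
                findings.append(
                    f"#{n}: seq {s.seq} but sender's own numbering expects {next_seq[fwd]}")
            if s.length and fwd in peer_ack and s.seq > peer_ack[fwd]:
                findings.append(
                    f"#{n}: data starts at {s.seq}, {s.seq - peer_ack[fwd]} bytes past "
                    f"the peer's last ack {peer_ack[fwd]}")
            next_seq[fwd] = s.seq + s.length + ("S" in s.flags) + ("F" in s.flags)
        if s.ack is not None:
            if rev in next_seq and s.ack != next_seq[rev]:
                findings.append(
                    f"#{n}: ack {s.ack} but peer's next seq is {next_seq[rev]} "
                    f"({next_seq[rev] - s.ack} bytes unacknowledged)")
            peer_ack[rev] = max(s.ack, peer_ack.get(rev, 0))
    return findings


if __name__ == "__main__":
    for finding in check_stream(parse_capture(CAPTURE)):
        print(finding)
```

Feeding the script a capture whose SYN carries no payload (so the client's data begins at 11021, the number the server acknowledged) produces no findings, which is the baseline to compare a test harness against before attributing a missed alert to the IDS.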
Current thread:
- snort stateful inspection testing Andrea Barisani (Mar 16)
- Ignore portscan from dynamic IP Dan McIntosh (Mar 16)
- Message not available
- Re: [Snort-devel] snort stateful inspection testing Andrea Barisani (Mar 17)
- Re: [Snort-devel] snort stateful inspection testing Michael Scheidell (Mar 21)
- Re: [Snort-devel] snort stateful inspection testing Andrea Barisani (Mar 17)