Snort mailing list archives
Re: Snort+flexresp
From: "Onie Camara" <neil () restricted dyndns org>
Date: Thu, 28 Mar 2002 19:27:12 -0600
Hi Paul,

Are you talking about the string "anonymous" and Snort's case sensitivity? If so, I wasn't using the anonymous string in uppercase. I am very sure of that. Or did I misunderstand your post?

Thanks.

----- Original Message -----
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
To: "'Bamm Visscher'" <bamm () satx rr com>; "Onie Camara" <neil () restricted dyndns org>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, March 28, 2002 7:13 PM
Subject: RE: [Snort-users] Snort+flexresp

Neil,

I would stick the "nocase" option in your rule in case "anonymous" appears in upper or mixed case. That has solved a few similar problems for me....

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com

-----Original Message-----
From: Bamm Visscher [mailto:bamm () satx rr com]
Sent: Thursday, March 28, 2002 7:04 PM
To: Onie Camara
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort+flexresp

Neil,

Try logging all the packets associated with your session and look to see that there are RESETs being sent. It should work.

Bammkkkk

On Thu, 2002-03-28 at 09:50, Onie Camara wrote:

Ok. I created a rule.

    alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP access from anonymous"; flags:!R; resp:rst_all; content:"anonymous"; classtype:not-suspicious; sid:1717; rev:2;)

And here is the log:

    [**] [1:1717:2] FTP access from anonymous [**]
    [Classification: Not Suspicious Traffic] [Priority: 3]
    03/28-09:45:49.271952 192.168.0.112:1062 -> 129.128.5.191:21
    TCP TTL:64 TOS:0x10 ID:60673 IpLen:20 DgmLen:68 DF
    ***AP*** Seq: 0xF518481 Ack: 0x678EB95E Win: 0x8218 TcpLen: 32
    TCP Options (3) => NOP NOP TS: 11758512 213343883

You mentioned that flex-resp is friendly to ssh, ftp, etc. How come my session wasn't killed by my rule? What's wrong with my rule? I even tried it with flags:A+, and it still didn't work. But I still admit that I am not good on those flags.

Thank you.

----- Original Message -----
From: "Bamm Visscher" <bamm () satx rr com>
To: "Ronneil Camara" <ronneilc () remingtonltd com>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, March 27, 2002 7:06 AM
Subject: RE: [Snort-users] Snort+flexresp

Neil,

There is no way to force flex-resp to be successful against HTTP. Most of the time, the source of an HTTP connection sends five packets. Two for establishing the session (syn then ack), and two to tear down the session (fin/ack and ack). Plus one that contains the GET/POST/etc request (usually a push/ack).

It is impossible for flex-resp to kill this session before the dest gets the GET/POST/etc, and thus it is impossible to create a rule to prevent the server from processing the GET/POST/etc request. If for some reason the GET/POST/etc contains so much data that it is spread across multiple packets, then you may have a slim chance at killing the session before the dest processes the request (may the network lag be with you). The dest is going to send as many packets as it takes to return the info requested, but killing the connection at that time is almost pointless since the server has already processed the perp's request/command. At best you might prevent the perp from seeing all the results of a directory listing.

BTW, this is not a Snort-specific problem. It affects every IDS using TCP resets to kill connections.

Bammkkkk

On Wed, 2002-03-27 at 00:36, Ronneil Camara wrote:

Hi Bamm,

I was impressed with how you answered every post on this thread. So now, what can you suggest so that flex-resp will be successful at killing connections, let's say for http?

Thank you very much.

Neil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
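The thread turns on two points: whether the rule's content match is case sensitive without "nocase", and why a content-triggered reset can never beat the request it triggers on. The following is an added example, not code from the thread or from Snort itself: a toy evaluator for the rule options discussed (flags with the "!", "+" and "*" modifiers, content, nocase), run over constructed sample segments. The Packet class, the helper names, the sample payloads, the HTTP rule and its sid are all assumptions made for the example; Snort's real detection engine does far more than this.

```python
"""Added example (not from the thread or from Snort): a simplified evaluator for
the Snort rule options discussed above, plus a look at which packet of a
client flow a content rule can first fire on.  All packets are constructed."""
from dataclasses import dataclass

# Snort flag letters -> TCP flag bits (FIN, SYN, RST, PSH, ACK, URG).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


@dataclass
class Packet:
    """Minimal view of one TCP segment: flag letters as Snort prints them
    (e.g. "AP" for a PSH/ACK) and the payload bytes."""
    flags: str
    payload: bytes = b""

    def bits(self):
        return sum(FLAG_BITS[f] for f in self.flags)


def parse_options(rule):
    """Return (key, value) pairs from the parenthesised option list of a rule.
    Quotes are stripped; bare keywords such as nocase get value None.
    A literal ';' inside a content value must be escaped in Snort, so a
    plain split on ';' is enough here."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = []
    for item in body.split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, val = item.partition(":")
        val = val.strip()
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        opts.append((key.strip(), val if sep else None))
    return opts


def flags_match(spec, packet_bits):
    """Snort flags semantics: no modifier = exact match; 'X+' = the given bits
    plus any others; 'X*' = any of the given bits; '!X' = none of the given
    bits set.  Snort treats the three modifiers as mutually exclusive."""
    spec = spec.replace(" ", "")
    if spec.startswith("!"):
        mode, letters = "!", spec[1:]
    elif spec[-1] in "+*":
        mode, letters = spec[-1], spec[:-1]
    else:
        mode, letters = "", spec
    want = sum(FLAG_BITS[f] for f in letters)
    if mode == "+":
        return packet_bits & want == want
    if mode == "*":
        return bool(packet_bits & want)
    if mode == "!":
        return packet_bits & want == 0
    return packet_bits == want


def content_bytes(value):
    """Expand Snort's |xx xx| hex escapes; plain text passes through."""
    out = b""
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def rule_matches(rule, packet):
    """Apply the flags and content/nocase options of one rule to one packet.
    msg, resp, sid and classtype are parsed but do not affect the match."""
    contents = []  # [needle, nocase]; nocase modifies the preceding content
    pbits = packet.bits()
    for key, val in parse_options(rule):
        if key == "flags":
            if not flags_match(val, pbits):
                return False
        elif key == "content":
            contents.append([content_bytes(val), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
    for needle, nocase in contents:
        hay = packet.payload.lower() if nocase else packet.payload
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


# The rule from the thread, and the same rule with nocase added.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP access from anonymous"; '
        'flags:!R; resp:rst_all; content:"anonymous"; classtype:not-suspicious; sid:1717; rev:2;)')
RULE_NOCASE = RULE.replace('content:"anonymous";', 'content:"anonymous"; nocase;')

# Constructed FTP USER commands as a client would send them in a PSH/ACK.
LOWER = Packet("AP", b"USER anonymous\r\n")
MIXED = Packet("AP", b"USER Anonymous\r\n")

# Constructed client side of the five-packet HTTP exchange described in the
# thread: SYN, ACK, PSH/ACK carrying the request, FIN/ACK, ACK.
HTTP_CLIENT_FLOW = [Packet("S"), Packet("A"),
                    Packet("AP", b"GET /index.html HTTP/1.0\r\n\r\n"),
                    Packet("AF"), Packet("A")]
# Hypothetical rule with a locally chosen sid, not a real Snort rule.
HTTP_RULE = ('alert tcp any any -> any 80 (msg:"GET seen"; flags:A+; '
             'resp:rst_all; content:"GET"; sid:1000001;)')


def first_firing_packet(rule, flow):
    """Index of the first packet in a flow the rule can fire on, or None.
    For a content rule that is the packet already carrying the request, so a
    reset sent in response leaves the sensor only after that data is on the wire."""
    for i, pkt in enumerate(flow):
        if rule_matches(rule, pkt):
            return i
    return None


if __name__ == "__main__":
    print("lowercase, no nocase:", rule_matches(RULE, LOWER))
    print("mixed case, no nocase:", rule_matches(RULE, MIXED))
    print("mixed case, nocase:", rule_matches(RULE_NOCASE, MIXED))
    print("HTTP rule first fires on packet", first_firing_packet(HTTP_RULE, HTTP_CLIENT_FLOW))
```

Run as a script it prints that the mixed-case login only matches once nocase is present, and that the HTTP rule first fires on index 2, the segment that already carries the request; whether the reset then wins the race against the server is a matter of network timing, as the thread says.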
Current thread:
- RE: Snort+flexresp, (continued)
- RE: Snort+flexresp Ronneil Camara (Mar 26)
- Re: Snort+flexresp Bamm Visscher (Mar 26)
- Re: Snort+flexresp Jeff Nathan (Mar 27)
- RE: Snort+flexresp Bamm Visscher (Mar 27)
- Re: Snort+flexresp Onie Camara (Mar 28)
- Re: Snort+flexresp Bamm Visscher (Mar 28)
- Re: Snort+flexresp Onie Camara (Mar 28)
- Re: Snort+flexresp Bamm Visscher (Mar 28)
- Re: Snort+flexresp Onie Camara (Mar 28)
- Re: Snort+flexresp Onie Camara (Mar 28)
- Re: Snort+flexresp Onie Camara (Mar 28)
- Re: Snort+flexresp Onie Camara (Mar 28)