Snort mailing list archives
RE: Snort+flexresp
From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Sat, 30 Mar 2002 00:13:26 -0600
I understand your point. And it is a really good practice to do that. I guess, I should have been detailed on my previous responses. I actually had another machine there that was sniffing. I was running tcpdump -X src port 21 or dst port 21. The string "anonymous" was really clear on the dump. So, is this a bug on Snort flexresp? I also noticed that I had snort sent out 3 Rs which disconnected my ftp session. But the next testing I did, I only saw 2 Rs.
-----Original Message-----
From: Sheahan, Paul (PCLN-NW) [mailto:Paul.Sheahan () priceline com]
Sent: Friday, March 29, 2002 12:26 PM
To: 'Onie Camara '; Sheahan, Paul (PCLN-NW)
Cc: 'snort-users () lists sourceforge net '
Subject: RE: [Snort-users] Snort+flexresp

You can never be sure if you are using all uppercase or lowercase. For example, I created a rule to alert and rst_all whenever a certain string is entered on a web page. Then to test, I went to the web page and entered the string. The rule was not triggered. When I went back to look at the trace to find out why it was not triggered, I found that even though I entered the string in lowercase on the webpage, the traces showed the string as all uppercase. I'm not sure why since I entered it in all lowercase. So changing my rule to use nocase, I no longer had to worry about that problem again. You just never know if the application you are using is going to change case on you behind the scenes!

-----Original Message-----
From: Onie Camara
To: Sheahan, Paul (PCLN-NW)
Cc: snort-users () lists sourceforge net
Sent: 3/28/02 11:48 PM
Subject: Re: [Snort-users] Snort+flexresp

Ok. I do understand your point. But again, I am still on the testing stage. I am the only one that does ftp testing. And I know if I am using uppercase or lowercase. In this case, I am 100% sure that I am using a lowercase "anonymous" string. In the future, I will use nocase. :-)

----- Original Message -----
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
To: "'Onie Camara '" <neil () restricted dyndns org>; "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>; "''Bamm Visscher' '" <bamm () satx rr com>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, March 28, 2002 10:44 PM
Subject: RE: [Snort-users] Snort+flexresp

What I meant is, if you look at your rule below, you are looking for the content of "anonymous", but you don't have the nocase keyword entered in your rule. So if your FTP client had "anonymous" appear as "Anonymous" or "ANONYMOUS", then your rule would fail. In other words, I always try and use the nocase option, especially when a rule is not working as I expect, but nocase makes it fool-proof and helps me rule out the content as being the problem....

-----Original Message-----
From: Onie Camara
To: Sheahan, Paul (PCLN-NW); 'Bamm Visscher'
Cc: snort-users () lists sourceforge net
Sent: 3/28/02 8:27 PM
Subject: Re: [Snort-users] Snort+flexresp

Hi Paul,

Are you talking about the string "anonymous" and snort's case sensitivity? If so, I wasn't using the anonymous string in uppercase. I am very sure of that. Or I misunderstood your post? Thanks.

----- Original Message -----
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
To: "'Bamm Visscher'" <bamm () satx rr com>; "Onie Camara" <neil () restricted dyndns org>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, March 28, 2002 7:13 PM
Subject: RE: [Snort-users] Snort+flexresp

Neil,

I would stick the "nocase" option in your rule in case "anonymous" appears in upper or mixed case. That has solved a few similar problems for me....

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com

-----Original Message-----
From: Bamm Visscher [mailto:bamm () satx rr com]
Sent: Thursday, March 28, 2002 7:04 PM
To: Onie Camara
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort+flexresp

Neil,

Try logging all the packets associated with your session and look to see that there are RESETs being sent. It should work.

Bammkkkk

On Thu, 2002-03-28 at 09:50, Onie Camara wrote:

Ok. I created a rule.

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP access from anonymous"; flags:!R ; resp:rst_all;content:"anonymous"; classtype:not-suspicious; sid:1717; rev:2;)

And here is the log:

[**] [1:1717:2] FTP access from anonymous [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
03/28-09:45:49.271952 192.168.0.112:1062 -> 129.128.5.191:21
TCP TTL:64 TOS:0x10 ID:60673 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0xF518481 Ack: 0x678EB95E Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 11758512 213343883

You mentioned that flex-resp is friendly to ssh, ftp, etc. How come my session wasn't killed by my rule? What's wrong with my rule? I even tried it with flags: A+, still didn't work. But I still admit that I am not good on those flags. Thank you.

----- Original Message -----
From: "Bamm Visscher" <bamm () satx rr com>
To: "Ronneil Camara" <ronneilc () remingtonltd com>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, March 27, 2002 7:06 AM
Subject: RE: [Snort-users] Snort+flexresp

Neil,

There is no way to force flex-resp to be successful against HTTP. Most of the time, the source of an HTTP connection sends five packets. Two for establishing the session (syn then ack), and two to tear down the session (fin/ack and ack). Plus one that contains the GET/POST/etc request (usually a push/ack). It is impossible for flex-resp to kill this session before the dest gets the GET/POST/etc, and thus it is impossible to create a rule to prevent the server from processing the GET/POST/etc request. If for some reason, the GET/POST/etc contains so much data that it is spread across multiple packets, then you may have a slim chance at killing the session before the dest processes the request (may the network lag be with you). The dest is going to send as many packets as it takes to return the info requested, but killing the connection at that time is almost pointless since the server has already processed the perp's request/command. At best you might prevent the perp from seeing all the results of a directory listing.

BTW, this is not a snort specific problem. It affects every IDS using tcp-resets to kill connections.

Bammkkkk

On Wed, 2002-03-27 at 00:36, Ronneil Camara wrote:

Hi Bamm,

I got impressed on how you answered your every post on this thread. So now, what can you suggest me so that flex-resp will be successful on killing connections, let's say for http? Thank you very much.

Neil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
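As an added example that is not part of the thread (my own code, not Snort's): a small Python evaluator for the rule Neil quoted above that applies the content:/nocase and flags: tests the thread argues about, so the effect of a missing nocase on a mixed-case "anonymous", or of the !R flag test on a packet that already carries RST, can be checked offline. The flags: and nocase semantics follow Snort's documented behaviour; the FTP payloads and the RULE_NOCASE variant are constructed here.

```python
# The rule quoted in the thread, reproduced as sample input. Parsing is simplified
# (no ';' inside quoted strings, no |hex| content), which is enough for this rule.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP access from anonymous"; '
        'flags:!R ; resp:rst_all;content:"anonymous"; classtype:not-suspicious; sid:1717; rev:2;)')
# Constructed variant: the same rule with the nocase modifier Paul recommends after content.
RULE_NOCASE = RULE.replace('content:"anonymous";', 'content:"anonymous"; nocase;')

def parse_rule(rule):
    """Split a rule into its seven header fields and an ordered (keyword, value) option list."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = []
    for opt in body.rstrip(")").split(";"):
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            options.append((key.strip(), val.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def content_matches(options, payload):
    """Every content: pattern must occur in the payload. A nocase; option applies to the
    content: that precedes it, so without it "Anonymous" does not match "anonymous"."""
    patterns = []
    for key, val in options:
        if key == "content":
            patterns.append([val, False])
        elif key == "nocase" and patterns:
            patterns[-1][1] = True
    return all((pat.lower() in payload.lower()) if nocase else (pat in payload)
               for pat, nocase in patterns)

def flags_match(options, tcp_flags):
    """Evaluate flags: against a flag string such as "AP" (the ***AP*** in the alert above):
    exact ("AP"), "!R" (bit must be clear) or "A+" (bit must be set, any others allowed)."""
    spec = dict(options).get("flags")
    if spec is None:
        return True
    if spec.startswith("!"):
        return not (set(spec[1:]) & set(tcp_flags))
    if spec.endswith("+"):
        return set(spec[:-1]) <= set(tcp_flags)
    return set(spec) == set(tcp_flags)

def rule_fires(rule, dport, tcp_flags, payload):
    """True when the destination port, the flags: test and the content tests all pass."""
    r = parse_rule(rule)
    return (r["dport"] in ("any", str(dport))
            and flags_match(r["options"], tcp_flags)
            and content_matches(r["options"], payload))
```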