RE: Snort+flexresp

["Ronneil Camara" <ronneilc () remingtonltd com>]

I understand your point. And it is a really good practice to do that.
I guess, I should have been detailed on my previous responses.
I actually had another machine there that was sniffing. I was running 
tcpdump -X src port 21 or dst port 21.

The string "anonymous" was really clear on the dump.

So, is this a bug on Snort flexresp?

I also noticed that I had snort sent out 3 Rs which disconnected
my ftp session. But the next testing I did, I only saw 2 Rs.


> -----Original Message-----
> From: Sheahan, Paul (PCLN-NW) [mailto:Paul.Sheahan () priceline com]
> Sent: Friday, March 29, 2002 12:26 PM
> To: 'Onie Camara '; Sheahan, Paul (PCLN-NW)
> Cc: 'snort-users () lists sourceforge net '
> Subject: RE: [Snort-users] Snort+flexresp
>
>
> You can never be sure if you are using all uppercase or lowercase. For
> example, I created a rule to alert and rst_all whenever a 
> certain string is
> entered on a web page. Then to test, I went to the web page 
> and entered the
> string. The rule was not triggered. When I went back to look 
> at the trace to
> find out why it was not triggered, I found that even though I 
> entered the
> string in lowercase on the webpage, the traces showed the 
> string as all
> uppercase. I'm not sure why since I entered it in all 
> lowercase. So changing
> my rule to use nocase, I no longer had to worry about that 
> problem again.
> You just never know if the application you are using is going 
> to change case
> on you behind the scenes!
>
> -----Original Message-----
> From: Onie Camara
> To: Sheahan, Paul (PCLN-NW)
> Cc: snort-users () lists sourceforge net
> Sent: 3/28/02 11:48 PM
> Subject: Re: [Snort-users] Snort+flexresp
>
> Ok. I do understand your point. But again, I am still on the testing
> stage.
> I am the only one that does ftp testing.
> And I know if I am using uppercase or lowercase.
> In this case, I am 100% sure that I am using a lowercase "anonymous"
> string.
>
> In the future, I will use nocase. :-)
>
> ----- Original Message -----
> From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
> To: "'Onie Camara '" <neil () restricted dyndns org>; "Sheahan, Paul
> (PCLN-NW)"
> <Paul.Sheahan () priceline com>; "''Bamm Visscher' '" <bamm () satx rr com>
> Cc: <snort-users () lists sourceforge net>
> Sent: Thursday, March 28, 2002 10:44 PM
> Subject: RE: [Snort-users] Snort+flexresp
>
>
> > What I meant is, if you look at your rule below, you are looking for
> the
> > content of "anonymous", but you don't have the nocase 
> keyword entered
> in
> > your rule. So if your FTP client had "anonymous" appear as 
> "Anonymous"
> or
> > "ANONYMOUS", then your rule would fail. In other words, I always try
> and
> use
> > the nocase option, especially when a rule is not working as 
> I expect,
> but
> > nocase makes it fool-proof and helps me rule out the 
> content as being
> the
> > problem....
> >
> > -----Original Message-----
> > From: Onie Camara
> > To: Sheahan, Paul (PCLN-NW); 'Bamm Visscher'
> > Cc: snort-users () lists sourceforge net
> > Sent: 3/28/02 8:27 PM
> > Subject: Re: [Snort-users] Snort+flexresp
> >
> > Hi Paul,
> >
> > Are you talking about the string "anonymous" and snort's case
> > sensitivity?
> > If so, I wasn't using the anonymous string in uppercase. I am very
> sure
> > of
> > that.
> >
> > Or I misunderstood your post?
> >
> > Thanks.
> >
> > ----- Original Message -----
> > From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
> > To: "'Bamm Visscher'" <bamm () satx rr com>; "Onie Camara"
> > <neil () restricted dyndns org>
> > Cc: <snort-users () lists sourceforge net>
> > Sent: Thursday, March 28, 2002 7:13 PM
> > Subject: RE: [Snort-users] Snort+flexresp
> >
> >
> > > Neil,
> > >
> > > I would stick the "nocase" option in your rule in case "anonymous"
> > appears
> > > in upper or mixed case. That has solved a few similar problems for
> > me....
> > > Paul Sheahan
> > > Manager of Information Security
> > > Priceline.com
> > > paul.sheahan () priceline com
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Bamm Visscher [mailto:bamm () satx rr com]
> > > Sent: Thursday, March 28, 2002 7:04 PM
> > > To: Onie Camara
> > > Cc: snort-users () lists sourceforge net
> > > Subject: Re: [Snort-users] Snort+flexresp
> > >
> > >
> > > Neil,
> > >
> > > Try logging all the packets associated with your session 
> and look to
> > see
> > > that there are RESETs being sent. It should work.
> > >
> > > Bammkkkk
> > >
> > > On Thu, 2002-03-28 at 09:50, Onie Camara wrote:
> > > > Ok. I created a rule.
> > > >
> > > > alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP 
> access from
> > > > anonymous"; flags:!R ; resp:rst_all;content:"anonymous";
> > > > classtype:not-suspicious; sid:1717; rev:2;)
> > > >
> > > > And here is the log:
> > > >
> > > > [**] [1:1717:2] FTP access from anonymous [**]
> > > > [Classification: Not Suspicious Traffic] [Priority: 3]
> > > > 03/28-09:45:49.271952 192.168.0.112:1062 -> 129.128.5.191:21
> > > > TCP TTL:64 TOS:0x10 ID:60673 IpLen:20 DgmLen:68 DF
> > > > ***AP*** Seq: 0xF518481  Ack: 0x678EB95E  Win: 0x8218  
> TcpLen: 32
> > > > TCP Options (3) => NOP NOP TS: 11758512 213343883
> > > >
> > > > You mentioned that flex-resp is friendly to ssh, ftp, .etc. How
> come
> > my
> > > > session
> > > > wasn't kill by my rule?
> > > >
> > > > What's wrong with my rule? I even tried it with flags: A+, still
> > didn't
> > > > work.
> > > > But I still admin that I am not good on those flags.
> > > >
> > > > Thank you.
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Bamm Visscher" <bamm () satx rr com>
> > > > To: "Ronneil Camara" <ronneilc () remingtonltd com>
> > > > Cc: <snort-users () lists sourceforge net>
> > > > Sent: Wednesday, March 27, 2002 7:06 AM
> > > > Subject: RE: [Snort-users] Snort+flexresp
> > > >
> > > >
> > > > > Neil,
> > > > >
> > > > > There is no way to force flex-resp to be successful against
> HTTP.
> > Most
> > > > > of the time, the source of an HTTP connection sends five
> packets.
> > Two
> > > > > for establishing the session (syn then ack), and two to tear
> down
> > the
> > > > > session (fin/ack and ack). Plus one that contains the
> GET/POST/etc
> > > > > request (usually a push/ack). It is impossible for 
> flex-resp to
> > kill
> > > > > this session before the dest gets the GET/POST/etc, 
> and thus it
> is
> > > > > impossible to create a rule to prevent the server from
> processing
> > the
> > > > > GET/POST/etc request. If for some reason, the GET/POST/etc
> > contains so
> > > > > much data that it is spread across multiple packets, then you
> may
> > have
> > a
> > > > > slim chance at killing the session before the dest 
> processes the
> > request
> > > > > (may the network lag be with you).
> > > > >
> > > > > The dest is going to send as many packets as it takes 
> to return
> > the
> > info
> > > > > requested, but killing the connection at that time is almost
> > pointless
> > > > > since the server has already processed the perps
> request/command.
> > At
> > > > > best you might prevent the perp from seeing all the 
> results of a
> > > > > directory listing.
> > > > >
> > > > > BTW, this is not a snort specific problem. It affect every IDS
> > using
> > > > > tcp-resets to kill connections.
> > > > >
> > > > > Bammkkkk
> > > > >
> > > > >
> > > > > On Wed, 2002-03-27 at 00:36, Ronneil Camara wrote:
> > > > > > Hi Bamm,
> > > > > >
> > > > > > I got impressed on how you answered your every post on this
> > thread.
> > > > > > So now, what can you suggest me so that flex-resp will be
> > successful
> > > on
> > > > > > killing connections let say for http?
> > > > > >
> > > > > > Thank you very much.
> > > > > >
> > > > > > Neil
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users () lists sourceforge net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > >
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users