Snort mailing list archives

Re: Snort+flexresp


From: "Onie Camara" <neil () restricted dyndns org>
Date: Tue, 2 Apr 2002 09:52:16 -0600

I do have to agree that flexresp is not ideal to tear down tcp connections on web
traffic as the http protocol sends 5 packets. But I still don't know: on the ftp
proto, my first ftp as anonymous is torn down but not the succeeding
ones. Might be a bug in the flexresp code.

I did a cvs download from sourceforge of snort 1.9, and also enabled
flexresp, and I am happy with the results. Now, I opened up port 22 for
everyone but I've got a snort rule that does resp: rst_all on that port.
Btw, I also do have a pass rule above the rule that I mentioned.

One thing though that I've noticed:
1. You won't take advantage of snort's flexresp on a gateway box if you
   would like to tear down a tcp session of one of your internal hosts/users.
   What it will see is its own IP address since it's doing NAT. I tried it
   on my freebsd ipf + snort; snort doesn't see my internal ip address.
   I even ran tcpdump, and it's the freebsd gateway's address that is being used.
2. I don't know if this has been fixed: on OpenBSD 3.0 without an IP address, it
   will not be able to send tcp RESETs.
3. Just a bug that I've found in 1.9. Snort segfaults if the rule is wrong,
   such as resp: rst_all:
   Take note of the second colon.

Just my 2cents.

Neil
----- Original Message -----
From: "Anton A. Chuvakin" <anton () chuvakin org>
To: "Jeff Nathan" <jeff () snort org>
Cc: <snort-users () lists sourceforge net>
Sent: Tuesday, April 02, 2002 8:41 AM
Subject: Re: [Snort-users] Snort+flexresp


Jeff and others,

Thanks for the packet dumps.  Could you instead store them in pcap
format?
I have the exact same problem! Here is the story:
-------------------------
So, for the dump below: "fw" and "anton" are two RedHat i386 7.2 boxes,
"fw"  runs snort 1.8.4 (build 99, from RPMs, with flexresp). I modified
the signature below (for tests) to read (all other configs - default!!):

--------------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; resp: icmp_all,rst_all; nocase; classtype:web-application-attack; sid:1002; rev:2;)
--------------------

and then use Lynx on "anton" to get the cmd.exe file (a big zeroed file) from
"fw". And it works fine (see the dump below) - snort produces an alert and
all the packets are sent.

------------------------------------------------------
17:53:43.309995 anton.56796 > fw.http: S 1893212406:1893212406(0) win 5840
<mss 1460,sackOK,timestamp 35455186 0,nop,wscale 0> (DF) [tos 0x10]
17:53:43.310282 fw.http > anton.56796: S 1900591890:1900591890(0) ack
1893212407 win 5792 <mss 1460,sackOK,timestamp 165254566 35455186,nop,wscale
0> (DF)
17:53:43.310321 anton.56796 > fw.http: . ack 1 win 5840 <nop,nop,timestamp
35455186 165254566> (DF) [tos 0x10]
17:53:46.347937 anton.56796 > fw.http: P 1:15(14) ack 1 win 5840
<nop,nop,timestamp 35455490 165254566> (DF) [tos 0x10]
17:53:46.348203 fw.http > anton.56796: . ack 15 win 5792
<nop,nop,timestamp 165254870 35455490> (DF)
17:53:46.349880 fw.http > anton.56796: . 1:1449(1448) ack 15 win 5792
<nop,nop,timestamp 165254870 35455490> (DF)
17:53:46.349897 anton.56796 > fw.http: . ack 1449 win 8688
<nop,nop,timestamp 35455490 165254870> (DF) [tos 0x10]
17:53:46.351116 fw.http > anton.56796: . 1449:2897(1448) ack 15 win 5792
<nop,nop,timestamp 165254870 35455490> (DF)
17:53:46.351165 anton.56796 > fw.http: . ack 2897 win 11584
<nop,nop,timestamp 35455490 165254870> (DF) [tos 0x10]
17:53:46.351610 fw.http > anton.56796: R 1:1(0) ack 15 win 0
17:53:46.351686 fw > anton: icmp: net fw unreachable
17:53:46.351763 fw > anton: icmp: host fw unreachable
17:53:46.351839 fw > anton: icmp: fw tcp port http unreachable
17:53:46.353082 fw.http > anton.56796: P 2897:4345(1448) ack 15 win 5792
<nop,nop,timestamp 165254870 35455490> (DF)
17:53:46.353098 anton.56796 > fw.http: . ack 4345 win 14480
<nop,nop,timestamp 35455491 165254870> (DF) [tos 0x10]
17:53:46.354314 fw.http > anton.56796: . 4345:5793(1448) ack 15 win 5792
<nop,nop,timestamp 165254870 35455490> (DF)
17:53:46.354332 anton.56796 > fw.http: . ack 5793 win 17376
<nop,nop,timestamp 35455491 165254870> (DF) [tos 0x10]
-------------------------------------------------------
However, it has NO effect on the connection whatsoever. Do you have any
insights on that? My guess is that the RST arrives late and doesn't cancel the
connection and ICMPs have no effect on the ongoing connection, but I
suspect I am wrong.


I can email binary dumps upon request.

Best,
--
     Anton A. Chuvakin, Ph.D.
     http://www.chuvakin.org
   http://www.info-secure.org
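Added example (not code from either poster): a small Python check that walks the handshake and ACKs of the tcpdump trace quoted above and applies the RFC 793 reset validation rule (a RST is only accepted if its sequence number lies inside the receiver's current window) to the injected RST. The trace lines are copied from the dump with timestamps and TCP options stripped; the result shows the RST carries relative seq 1 while the client already expects byte 2897, so the client's stack silently discards it.

```python
import re

# Constructed excerpt of the tcpdump lines quoted in the thread: timestamps
# and TCP options removed, TCP segments only. tcpdump prints absolute ISNs on
# the SYNs and relative seq/ack numbers for every later segment.
TRACE = [
    "anton.56796 > fw.http: S 1893212406:1893212406(0) win 5840",
    "fw.http > anton.56796: S 1900591890:1900591890(0) ack 1893212407 win 5792",
    "anton.56796 > fw.http: . ack 1 win 5840",
    "anton.56796 > fw.http: P 1:15(14) ack 1 win 5840",
    "fw.http > anton.56796: . 1:1449(1448) ack 15 win 5792",
    "anton.56796 > fw.http: . ack 1449 win 8688",
    "fw.http > anton.56796: . 1449:2897(1448) ack 15 win 5792",
    "anton.56796 > fw.http: . ack 2897 win 11584",
    "fw.http > anton.56796: R 1:1(0) ack 15 win 0",
]

LINE = re.compile(
    r"^(\S+) > (\S+): (\S+) (?:(\d+):\d+\(\d+\) )?(?:ack (\d+) )?win (\d+)")

def check_rst(lines):
    """Apply RFC 793 reset validation to the first RST in the trace:
    SEG.SEQ must satisfy RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND at the
    receiver. Returns a dict with the verdict, or None if no RST is seen."""
    isn, rcv_nxt, rcv_wnd = {}, {}, {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            raise ValueError("unparsed line: " + line)
        src, dst, flags, seq, ack, win = m.groups()
        if "S" in flags:
            isn[src] = int(seq)                 # absolute ISN from the SYN
            continue
        if ack is not None:                     # relative ack -> absolute RCV.NXT
            rcv_nxt[src] = isn[dst] + int(ack)
            rcv_wnd[src] = int(win)
        if "R" in flags:
            seg_seq = isn[src] + int(seq)       # relative seq -> absolute
            lo, hi = rcv_nxt[dst], rcv_nxt[dst] + rcv_wnd[dst]
            return {
                "accepted": lo <= seg_seq < hi,
                "rst_seq_rel": seg_seq - isn[src],
                "expected_rel": lo - isn[src],  # byte the receiver wants next
                "window": rcv_wnd[dst],
            }
    return None

if __name__ == "__main__":
    print(check_rst(TRACE))
```

Modern stacks are stricter than this (RFC 5961 answers an in-window but inexact RST with a challenge ACK), so an injected reset that is behind the receiver's window fails on every stack.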


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
