Snort mailing list archives

Re: Some alerts look like aggregated TCP sessions...


From: Chris Green <cmg () sourcefire com>
Date: Tue, 27 Aug 2002 21:20:52 -0400

Jason Haar <Jason.Haar () trimble co nz> writes:

> I've noticed a certain class of false positives for some time, but have just
> realised what was wrong with them.
>
> I'm getting "buffer overflow" class alerts that actually look like they are
> several packets in one!

This is a stream of packets and an artifact of how stream reassembly
is done.


> e.g.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow
> attempt"; flags:A+; dsize:>100; content:"USER "; nocase;
> reference:bugtraq,4638; classtype:attempted-admin; sid:1734; rev:4;)

This has been changed in the 1.9 series.  Now, a dsize check
implicitly means it refers to a REAL packet matching this size.

> ..and a *packet* (as logged in the MySQL DB - not seen live) that triggers
> it...
>
> USER myname..PASS xxyy11..PWD..CWD /pub..PWD..CWD incoming..TYPE I..PORT 10,0,1,2
>
> Now: everywhere there's a ".." is just the SQL ints way of expressing "CRLF"
> pairs, but from my reckoning of how FTP works, the above log is actually 8
> separate packets - not one! Also I note that there's no reply traffic in
> there - just the sent traffic...
>
> Any ideas? Either snort is doing something weird, or someone's running some
> form of streamed FTP client that pipelines several commands into one
> packet..?

That's the snort stream reassembler.

If you are logging to pcap, it will also log the REAL packets to the
log.tcpdump

Cheers,
Chris
-- 
Chris Green <cmg () sourcefire com>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx
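The effect Chris describes, as an added worked example (not Snort code and not from either poster): a toy reassembler flushes one direction of a TCP session as a single pseudo-packet, and a simplified sid:1734 is evaluated first against that pseudo-packet (what Jason saw logged) and then against each real packet (the 1.9 semantics, where a dsize check refers to a real packet). The FTP segments are constructed and modelled on the session quoted above; the user name, password, directory and PORT arguments are assumptions chosen so that the reassembled payload exceeds 100 bytes while no single segment does.

```python
"""Toy model of the false positive discussed in this thread.

Added example, not Snort code: it simulates a stream reassembler flushing
one direction of a TCP session as a single pseudo-packet, then evaluates a
simplified sid:1734 (dsize:>100; content:"USER "; nocase;) both against
that pseudo-packet (the behaviour Jason saw) and against each real packet
(the 1.9 semantics Chris describes, where dsize refers to a real packet).
"""

CRLF = b"\r\n"

# Constructed client->server FTP segments, one command per TCP segment,
# modelled on the session quoted above. The argument values are assumptions
# chosen so the reassembled payload exceeds 100 bytes while no single
# segment does. Server replies are absent on purpose: the reassembler
# flushes each direction of the stream separately, which is why the logged
# "packet" showed only the client side.
FTP_CLIENT_SEGMENTS = [
    b"USER anonymous" + CRLF,
    b"PASS mozilla@example.com" + CRLF,
    b"PWD" + CRLF,
    b"CWD /pub" + CRLF,
    b"PWD" + CRLF,
    b"CWD incoming" + CRLF,
    b"TYPE I" + CRLF,
    b"PORT 10,0,1,2,4,1" + CRLF,
]


def reassemble(segments):
    """Flush one direction of a TCP stream as a single pseudo-packet payload."""
    return b"".join(segments)


def rule_matches(payload, min_dsize=100, needle=b"USER "):
    """Simplified sid:1734: dsize:>100 AND content:"USER " with nocase."""
    return len(payload) > min_dsize and needle.lower() in payload.lower()


def alerts_pre_1_9(segments):
    """Old behaviour: the rule is run against the reassembled pseudo-packet,
    so dsize counts the whole flushed stream. Returns True if it fires."""
    return rule_matches(reassemble(segments))


def alerts_1_9(segments):
    """1.9 semantics per the reply above: a rule carrying dsize is only
    satisfied by a real packet of that size. Returns the indices of real
    segments that fire (empty list = no alert)."""
    return [i for i, seg in enumerate(segments) if rule_matches(seg)]


def render_like_db_view(payload):
    """Show a payload the way Jason read it out of the MySQL log: every
    non-printable byte, including each CR and LF, rendered as a dot."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)


if __name__ == "__main__":
    stream = reassemble(FTP_CLIENT_SEGMENTS)
    print(f"{len(FTP_CLIENT_SEGMENTS)} real packets, {len(stream)} bytes reassembled")
    print("logged pseudo-packet:", render_like_db_view(stream))
    print("fires on pseudo-packet (pre-1.9):", alerts_pre_1_9(FTP_CLIENT_SEGMENTS))
    print("real packets that fire (1.9):   ", alerts_1_9(FTP_CLIENT_SEGMENTS))
```

Run stand-alone, the script prints the eight commands joined with ".." exactly as the database view showed them, reports that the pseudo-packet fires the rule, and reports that no real packet does; comparing the pseudo-packet with the real packets in log.tcpdump, as Chris suggests, is the equivalent check against live data.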

