Snort mailing list archives
Re: snort 1.9 doesn't raise alert for httptunneling telnet...
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 16 Oct 2002 01:43:06 -0700 (PDT)
On Wed, 16 Oct 2002, s.wun wrote:
I found that snort 1.9 doesn't raise any alert/alarm when using httptunnel to execute telnet command thru port 8888. tcpdump indicates that after logon thru port 8888 (and redirected to port 23), running ls command is embedded in the http connection. However snort 1.9 doesn't give any warning, is this normal? What other hacking tool can I demonstrate that IDS (snort) should raise the alarm when there is embedded execution command in the http connection?
First off, what rule/SID do you expect? A quick grep of the 1.9.0 rules only lists 5 rules regarding this: SIDs 549, 550, 551, 552, and 1499. Nothing in those rules deals with this type of sig, so I'm assuming that you are using a rule you wrote.

Secondly: Is the rule for 1.8.x or for 1.9.x? One thing that you have to keep in mind is that the 'flags' keyword isn't used as much (if any) in 1.9. 'flags' has sorta been replaced by 'flow'.

Have a look at these messages[0] to snort-users. I listed a few things that you might need to do and/or consider when trying to solve issues like this.

Hope it helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

[0] http://marc.theaimsgroup.com/?l=snort-users&m=103470862129440&w=2
http://marc.theaimsgroup.com/?l=snort-users&m=103464423806953&w=2
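As an added illustration of the 'flags' vs. 'flow' point (example rules written for this archive page, not Erek's or the Snort project's own rules): the same local rule expressed first in the 1.8-era style with a TCP flag test, then in the 1.9 style with the stream-aware 'flow' keyword. Port 8888 comes from the original question; the SID values are in the local-rule range, the msg strings and the content patterns are constructed for the example, and the rule would go in a local rules file included from snort.conf (all assumptions).

```snort
# 1.8-style: match on TCP header flags only (ACK set, any others allowed).
# No notion of which side is the client, and no stream reassembly context.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"LOCAL tunnelled command over 8888 (flags style)"; flags:A+; content:"ls|0D 0A|"; sid:1000001; rev:1;)

# 1.9-style: 'flow' asks the stream4 preprocessor whether this packet is
# client-to-server on an established session, which is what 'flags:A+'
# was usually standing in for. Same content test, now direction-aware.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"LOCAL tunnelled command over 8888 (flow style)"; flow:to_server,established; content:"ls|0D 0A|"; classtype:policy-violation; sid:1000002; rev:1;)

# Companion rule for the other direction: telnet option negotiation
# (IAC DO = 0xFF 0xFD) returned by the redirected telnet service inside
# the HTTP session is a stronger indicator than a two-letter command.
alert tcp $HOME_NET 8888 -> $EXTERNAL_NET any (msg:"LOCAL telnet negotiation inside port 8888 session"; flow:to_client,established; content:"|FF FD|"; classtype:policy-violation; sid:1000003; rev:1;)
```

A bare "ls" content match is noisy on any web port and is only here to mirror the question; the to_client negotiation rule is the one worth keeping. Note that 'flow' needs stream4 enabled in snort.conf, otherwise the rule never matches, which is one of the things to check when a rewritten 1.8 rule goes silent under 1.9.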