Snort mailing list archives

Re: snort 1.9 doesn't raise alert for httptunneling telnet...


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 16 Oct 2002 01:43:06 -0700 (PDT)

On Wed, 16 Oct 2002, s.wun wrote:

I found that snort 1.9 doesn't raise any alert/alarm when using httptunnel
to execute a telnet command thru port 8888.
tcpdump indicates that after logon thru port 8888 (and redirected to port
23), running the ls command is embedded in the http connection. However snort
1.9 doesn't give any warning; is this normal? What other hacking tool can I
demonstrate so that the IDS (snort) raises the alarm when there is an embedded
execution command in the http connection?

First off, what rule/SID do you expect?  A quick grep of the 1.9.0 rules only
lists 5 rules regarding this: SIDs 549, 550, 551, 552, and 1499.  Nothing in
those rules deals with this type of sig, so I'm assuming that you are using a
rule you wrote.

Secondly:  Is the rule for 1.8.x or for 1.9.x?  One thing that you have to
keep in mind is that the 'flags' keyword isn't used as much (if at all) in 1.9.
'flags' has sorta been replaced by 'flow'.

Have a look at these messages[0] to snort-users.  I listed a few things that
you might need to do and/or consider when trying to solve issues like this.

Hope it helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


[0]     http://marc.theaimsgroup.com/?l=snort-users&m=103470862129440&w=2
        http://marc.theaimsgroup.com/?l=snort-users&m=103464423806953&w=2
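To make the 'flags' versus 'flow' point concrete, here is an added example of a local rule pair written for this thread; it is not from Erek's message or from the Snort 1.9.0 rule set. It assumes the standard $HOME_NET / $EXTERNAL_NET variables, the tunnel endpoint on port 8888 named in the question, that a client-typed "ls" followed by CR LF reaches the wire in one segment, and a local SID range starting at 1000001 (all constructed values).

```snort
# Added example, not part of the original thread or the stock Snort rules.
#
# 1.8-style form: direction and connection state are approximated with
# TCP flags (ACK set, any other flags allowed).
alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"LOCAL httptunnel telnet command (1.8 flags style)"; flags:A+; content:"ls|0D 0A|"; sid:1000001; rev:1;)

# 1.9-style form: the same content match, but direction and state come
# from the stream4 flow tracker instead of raw flag bits.  This is the
# form Erek refers to as 'flags' having been replaced by 'flow'.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"LOCAL httptunnel telnet command (1.9 flow style)"; flow:to_server,established; content:"ls|0D 0A|"; sid:1000002; rev:1;)
```

Two caveats a defender would want: flow:established only fires for sessions the stream4 preprocessor has tracked from the handshake, so a session that began before Snort started will not match; and telnet in character-at-a-time mode can emit one byte per segment, so a content match on a whole command string depends on the tunnel batching input or on stream reassembly being enabled for port 8888 (the default reassembly port list does not include it). Matching on a single command string is brittle in any case; it is shown here only to illustrate the keyword change, not as a robust tunnel detector.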




