Snort mailing list archives
snort, nessus and teardrop
From: Svein Erik Søberg <ses () antares no>
Date: Fri, 28 Feb 2003 13:58:36 +0100
Hi! I have used Nessus to send a Teardrop attack. The resulting packets look like this:

14:43:46.659165 192.168.1.19.ntp > 192.168.1.25.netbios-ns: [bad udp cksum b549!] [len=28] v0 unspec strat 0 poll 0 prec 0 dist 0.000000 disp 12544.000000 ref (unspec)@503316480.269531250 [|ntp] (frag 242:36@0+) (ttl 64, len 56)
4500 0038 00f2 2000 4011 d646 c0a8 0113 c0a8 0119 007b 0089
0008 7b5d 0000 0000 0000 0000 3100 0000 0104 0000 1e00 0000
4500 0038 00f2 2000

Apart from the frag2 preprocessor, that I have to admit I know little about, there is also a rule in dos.rules:

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; id:242; fragbits:M; reference:cve,CAN-1999-0015; reference:url,www.cert.org/advisories/CA-1997-28.html; reference:bugtraq,124; classtype:attempted-dos; sid:270; rev:2;)

So just in case, I disabled all preprocessors and ran the tcpdump file again without response.

Now, as far as I can tell, the above is a udp packet with id = 0xf2 = 242 and the more-frag bit is set. In the conf file the Home_Net variable is set to 192.168.1.25/32 and External_Net to !$Home_Net, so the packet should match the rule.

Eventually I commented out all rules, except for one that I made to trigger on any ip traffic between the two addresses above, and it did. When I substituted 'ip' with 'udp', Snort didn't log any of the Nessus generated traffic, but lots of other udp traffic. In addition, using port numbers in the rule failed to catch the teardrop packets both in combination with 'ip' and 'udp'. I have no problems with catching the packets with tcpdump and relevant filters though.

Can anyone see any reason why my Snort doesn't even recognize the packets as udp?

Oh, and I've already had a few drinks just in case I'm ignoring something b****y obvious.

Regards,
Svein Erik Søberg

Snort v1.9.0 Build 209 on a RH 8.0
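Decoding the quoted hex by hand is the quickest way to see which header fields a rule can actually match. The following is an added Python example (mine, not code from the thread or from Snort): it parses the 56-byte dump above, verifies the IP header checksum, reads the UDP header from the first fragment, and checks the packet against the header conditions of the quoted sid 270 rule using the poster's $HOME_NET; the UDP length field (8) disagreeing with the 36 payload bytes actually carried is the Teardrop-style inconsistency the rule is meant to catch.

```python
import ipaddress
import struct

# Constructed from the tcpdump -x output quoted in the post (56 bytes on the wire).
TEARDROP_HEX = (
    "4500 0038 00f2 2000 4011 d646 c0a8 0113 c0a8 0119 007b 0089 0008 7b5d "
    "0000 0000 0000 0000 3100 0000 0104 0000 1e00 0000 4500 0038 00f2 2000"
)
HOME_NET = ipaddress.ip_network("192.168.1.25/32")  # as set in the poster's snort.conf


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: 0 when run over a header that includes a correct checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_fragment(hexdump: str) -> dict:
    """Decode the IPv4 header and, for a first fragment carrying UDP, the UDP header."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    ver_ihl, _tos, total_len, ident, flags_off, ttl, proto, _ck = struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "version": ver_ihl >> 4, "total_len": total_len, "id": ident, "ttl": ttl, "proto": proto,
        "mf": bool(flags_off & 0x2000), "df": bool(flags_off & 0x4000),
        "frag_offset": (flags_off & 0x1FFF) * 8,  # offset field is in 8-byte units
        "src": ".".join(str(b) for b in raw[12:16]), "dst": ".".join(str(b) for b in raw[16:20]),
        "ip_cksum_ok": ones_complement_sum(raw[:ihl]) == 0,
        "payload_len": total_len - ihl,
    }
    # Only the fragment at offset 0 carries the transport header; later fragments are raw IP.
    if proto == 17 and info["frag_offset"] == 0:
        sport, dport, ulen, _ucksum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
        info.update(udp_sport=sport, udp_dport=dport, udp_len=ulen,
                    # Teardrop-style fragments advertise a UDP length that disagrees with the bytes carried.
                    udp_len_consistent=(ulen == info["payload_len"]))
    return info


def matches_teardrop_rule(info: dict) -> bool:
    """Header conditions of the quoted dos.rules entry (sid 270): id:242, fragbits:M,
    $EXTERNAL_NET -> $HOME_NET with $EXTERNAL_NET = !$HOME_NET."""
    src, dst = ipaddress.ip_address(info["src"]), ipaddress.ip_address(info["dst"])
    return info["id"] == 242 and info["mf"] and src not in HOME_NET and dst in HOME_NET
```

Running it against the dump confirms every field the rule tests is present on the wire, which narrows the question to how the engine handles fragmented datagrams rather than to the rule text.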