Snort mailing list archives
RE: rules with flow:established not working
From: "Ed Callahan" <snort () edcallahan com>
Date: Sat, 25 Oct 2003 13:14:40 -0500
Erek and Paul - I've monitored traffic to my server with ethereal while accessing the IIS server on port 80. Here's the traffic summary:

No.  Source       Destination  Protocol  Info
 1   64.91.71.16  10.2.2.50    TCP       62608 > http [SYN] Seq=2746578703 Ack=3805839784 Win=25200 Len=0
 2   10.2.2.50    64.91.71.16  TCP       http > 62608 [SYN, ACK] Seq=321111367 Ack=2746578704 Win=17490 Len=0
 3   64.91.71.16  10.2.2.50    TCP       62608 > http [ACK] Seq=2746578704 Ack=321111368 Win=25200 Len=0
 4   64.91.71.16  10.2.2.50    HTTP      GET / HTTP/1.1
 5   10.2.2.50    64.91.71.16  HTTP      HTTP/1.1 200 OK
 6   64.91.71.16  10.2.2.50    TCP       62608 > http [ACK] Seq=2746578992 Ack=321111368 Win=25200 Len=0
 7   64.91.71.16  10.2.2.50    TCP       62608 > http [ACK] Seq=2746578992 Ack=321113085 Win=25200 Len=0
 8   64.91.71.16  10.2.2.50    TCP       62608 > http [RST] Seq=2746578992 Ack=321113085 Win=0 Len=0
 9   64.91.71.16  10.2.2.50    TCP       62609 > http [SYN] Seq=2746688615 Ack=4255134799 Win=25200 Len=0
10   10.2.2.50    64.91.71.16  TCP       http > 62609 [SYN, ACK] Seq=3997423584 Ack=2746688616 Win=17490 Len=0
11   64.91.71.16  10.2.2.50    TCP       62609 > http [ACK] Seq=2746688616 Ack=3997423585 Win=25200 Len=0
12   64.91.71.16  10.2.2.50    HTTP      GET /pagerror.gif HTTP/1.1
13   10.2.2.50    64.91.71.16  HTTP      HTTP/1.1 200 OK
14   64.91.71.16  10.2.2.50    TCP       62609 > http [RST] Seq=2746688954 Ack=3997423585 Win=0 Len=0

Again, this trips the simple rule:

    alert tcp any any -> any 80 (msg:"test";)

but not the rule:

    alert tcp any any -> any 80 (msg:"test"; flow:established;)

I'm reaching the limit of my comfort-zone here, but packets 1-3 seem to be the 3-way handshake you and Paul referred to, and I see the ACK bit set. So it would seem that the problem is not with my NIC/OS or with Winpcap (if ethereal is using that to read packets?). I've seen in a Google search other users report just this problem, but never seen how it was resolved. I know the rules w/ "established" work for many, probably most, win32 users. But I still wonder if I've stumbled on a snort bug.
Ed Callahan
snort () edcallahan com

On Fri 24 Oct 2003 Erek wrote:

> On Fri, 24 Oct 2003, Schmehl, Paul L wrote:
>
> > How does snort know the flow is established? Erek can correct me if I'm wrong, but I'm pretty sure it's the three way handshake, and I'm *not* sure that Nikto does that. I think it may just throw exploit strings at the server and look at the responses. If so, that would explain why the flow:established rules aren't triggering alerts.
>
> That's exactly it. For the most part, many of the 'exploit scanners' don't really do anything except throw packets with an exploit at a server. Flow:established actually looks to make sure there was a full three way handshake completed. I'm going to side with Paul on this... I'd really guess that either the software isn't sending the full packet set, or for some reason you're not getting all the traffic.
>
> > I would think that ethereal would show you what's going on. Just start it up and record the session and then browse through the results.
>
> Using ethereal would be perfect. The follow session option would be just what you need to see what's really going on.
>
> Cheers!
>
> -----
> Erek Adams
> "When things get weird, the weird turn pro." H.S. Thompson
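The handshake test Erek describes, as an added example that is not part of this thread and not Snort's own code: a hypothetical FlowTracker marks a session established only after SYN, SYN/ACK and ACK are all seen, and alerts() replays the two rules from the post over constructed packets modelled on the capture above (a browsing session with a handshake, and a scanner that sends a request with none).

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags payload")  # constructed record

class FlowTracker:
    """Follows the three-way handshake that flow:established requires (simplified
    stand-in for Snort's stream preprocessor: no midstream pickup, no timeouts)."""
    def __init__(self):
        self.sessions = {}  # normalized 4-tuple -> (state, initiator)

    @staticmethod
    def _key(p):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a < b else (b, a)  # same key for both directions

    def observe(self, p):
        """Update state for p; True if its session's handshake has completed."""
        key, flags = self._key(p), set(p.flags)
        cur = self.sessions.get(key)
        if "RST" in flags:                      # reset tears the session down
            self.sessions.pop(key, None)
            return False
        if flags == {"SYN"}:                    # client opens: SYN
            self.sessions[key] = ("SYN_SENT", (p.src, p.sport))
        elif (flags == {"SYN", "ACK"} and cur and cur[0] == "SYN_SENT"
              and (p.dst, p.dport) == cur[1]):  # server answers: SYN/ACK
            self.sessions[key] = ("SYN_RECV", cur[1])
        elif ("ACK" in flags and cur and cur[0] == "SYN_RECV"
              and (p.src, p.sport) == cur[1]):  # client completes: ACK
            self.sessions[key] = ("ESTABLISHED", cur[1])
        return self.sessions.get(key, ("NONE",))[0] == "ESTABLISHED"

def alerts(packets, established_only):
    """Emulate 'alert tcp any any -> any 80' with or without flow:established."""
    tracker, hits = FlowTracker(), []
    for p in packets:
        established = tracker.observe(p)
        if p.dport == 80 and (established or not established_only):
            hits.append(p)
    return hits

# Constructed samples modelled on the capture in the post: a browser session with
# a full handshake, and a scanner that fires a request without any handshake.
BROWSER = [
    Packet("64.91.71.16", 62608, "10.2.2.50", 80, ("SYN",), ""),
    Packet("10.2.2.50", 80, "64.91.71.16", 62608, ("SYN", "ACK"), ""),
    Packet("64.91.71.16", 62608, "10.2.2.50", 80, ("ACK",), ""),
    Packet("64.91.71.16", 62608, "10.2.2.50", 80, ("PSH", "ACK"), "GET / HTTP/1.1"),
    Packet("64.91.71.16", 62608, "10.2.2.50", 80, ("RST",), ""),
]
SCANNER = [Packet("64.91.71.16", 62700, "10.2.2.50", 80, ("PSH", "ACK"), "GET /nosuchpage HTTP/1.1")]
```

With these inputs the plain rule fires on every packet to port 80 in both sessions, while the flow:established rule fires only on the browser session once its handshake is complete and never on the scanner's request.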