Snort mailing list archives
Catching Snort DOS
From: João Mota <joao () 3gnt net>
Date: Fri, 30 Sep 2005 15:15:32 +0100
Hello,

I was trying to write a rule to match the exploit code that targets the vulnerability described in:
http://www.snort.org/pub-bin/snortnews.cgi#58 (exploit at http://www.frsirt.com/exploits/20050912.snortsackdos.c.php)

I can't seem to do it because the packets aren't "seen" by Snort. I've tried the 2.3.3 (Build 14) and 2.4.2 (Build 25) versions of Snort with the same result. I'm guessing that the bug is still there and leads to the discarding of the packet (it doesn't show as discarded in the Snort exit status, though).

But isn't Snort supposed to sniff all the packets, including corrupt ones? Can anyone else confirm this, or am I doing something wrong?

I'm running Ethereal on the same machine and the packets are shown (default src IP = 200.31.33.70), and the rule:

alert tcp 200.31.33.70 any -> any any (msg: "whatever";)

isn't triggered. I even tried using ip for the protocol and still got no alert. This rule isn't supposed to catch the exploit; it's just a test I used to see if the exploit packets were being tested at all. I even tried "any any -> any any", browsed the results, and no exploit packets were logged.

Any clues/hints?

Thanks,
João
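The question in this post is whether the exploit packets ever reach the rule engine or are dropped earlier by the decoder. One check a practitioner would want before concluding that Snort silently discards a packet is an independent verification that the captured segment's TCP option list is well-formed. The following is an added example, not code from this post or from the Snort project: a generic TCP option-length walker following the RFC 793 / RFC 2018 encoding, with a SACK block sanity check, run over constructed sample segments (one valid SACK option and two malformed ones). It does not reproduce Snort's decoder, and the post does not say what the exploit's packets look like, so the malformed samples are illustrative constructions only.

```python
import struct

# TCP option kinds from RFC 793 / RFC 2018 / RFC 7323; anything else is reported by number.
KIND_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WSCALE", 4: "SACK-PERMITTED", 5: "SACK", 8: "TIMESTAMP"}


def parse_tcp_options(segment: bytes) -> dict:
    """Walk the TCP option list the way a decoder must before trusting it.

    Returns {"options": [(name, payload), ...], "problems": [str, ...]}.
    An empty "problems" list means every option length was self-consistent.
    """
    problems = []
    options = []
    if len(segment) < 20:
        return {"options": options, "problems": ["segment shorter than the 20-byte TCP header"]}
    data_offset = (segment[12] >> 4) * 4          # header length in bytes, from the 4-bit field
    if data_offset < 20:
        return {"options": options, "problems": [f"data offset {data_offset} is below the 20-byte minimum"]}
    if data_offset > len(segment):
        problems.append(f"data offset {data_offset} exceeds segment length {len(segment)}")
        data_offset = len(segment)                # inspect whatever bytes are actually present
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        name = KIND_NAMES.get(kind, f"kind-{kind}")
        if kind == 0:                             # End of option list: nothing after it counts
            options.append((name, b""))
            break
        if kind == 1:                             # NOP is a single byte with no length field
            options.append((name, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            problems.append(f"option {name} at offset {i} has no length byte")
            break
        length = opts[i + 1]
        if length < 2:                            # a length of 0 or 1 can never advance the parser
            problems.append(f"option {name} at offset {i} has invalid length {length}")
            break
        if i + length > len(opts):                # the option claims more bytes than the header holds
            problems.append(f"option {name} at offset {i} claims length {length} "
                            f"but only {len(opts) - i} option bytes remain")
            break
        payload = opts[i + 2:i + length]
        if kind == 5:
            problems.extend(_check_sack(payload))
        options.append((name, payload))
        i += length
    return {"options": options, "problems": problems}


def _check_sack(payload: bytes) -> list:
    """A SACK option carries 1..4 (left, right) 32-bit edge pairs, 8 bytes each."""
    if len(payload) % 8 != 0 or not 1 <= len(payload) // 8 <= 4:
        return [f"SACK payload of {len(payload)} bytes is not 8*n with 1 <= n <= 4"]
    problems = []
    for j in range(0, len(payload), 8):
        left, right = struct.unpack("!II", payload[j:j + 8])
        if left >= right:                         # edges must be ordered (sequence wrap-around ignored here)
            problems.append(f"SACK block {j // 8} has left edge {left} >= right edge {right}")
    return problems


def build_tcp_header(options: bytes, src_port: int = 12345, dst_port: int = 80) -> bytes:
    """Constructed test helper (hypothetical, not a Snort API): a TCP header with a zero checksum
    carrying the given option bytes, padded with EOL to the 4-byte boundary the data-offset field requires."""
    padded = options + b"\x00" * (-len(options) % 4)
    if len(padded) > 40:
        raise ValueError("TCP options cannot exceed 40 bytes")
    data_offset = (20 + len(padded)) // 4
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, data_offset << 4, 0x10, 65535, 0, 0)
    return fixed + padded


# Constructed sample segments (not taken from the page or from any exploit):
GOOD_SACK = build_tcp_header(b"\x01\x01\x05\x0a" + struct.pack("!II", 1000, 2000))  # NOP NOP SACK(1 block)
TRUNCATED_SACK = build_tcp_header(b"\x05\x0a" + struct.pack("!I", 1000))           # claims 10 bytes, has 6
ZERO_LENGTH_SACK = build_tcp_header(b"\x05\x00")                                     # SACK with length byte 0


if __name__ == "__main__":
    for label, seg in (("good", GOOD_SACK), ("truncated", TRUNCATED_SACK), ("zero-length", ZERO_LENGTH_SACK)):
        result = parse_tcp_options(seg)
        print(label, [name for name, _ in result["options"]], result["problems"])
```

Feeding a captured segment's bytes (from the IP payload onward) to `parse_tcp_options` tells you whether the option list is self-consistent; a non-empty `problems` list is a plausible reason for a decoder to reject the packet before any rule is evaluated, which is worth knowing before tuning rules against traffic that may never reach them.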