Honeypots mailing list archives

Re: snort inline doesn't seem to drop malicious traffic


From: "Alexander Meyer (spot-media AG)" <meyer () spot-media de>
Date: Tue, 29 Jul 2003 13:48:14 +0200

On Tue, 29 Jul 2003 09:29:07 +0200, Stephan Scholz wrote:

> Are you sure you are using the right ruleset? The rules need to
> be converted from target "alert" to "drop".

I'm pretty sure about that because I took the drop ruleset that was
published on the Honeynet website. The rule in question is this one:

drop tcp $HONEYNET any -> $EXTERNAL_NET 139 (msg:"NETBIOS SMB trans2open
buffer overflow attempt"; flow:to_server,established; content:"|00|";
offset:0; depth:1; content:"|ff 53 4d 42 32|"; offset:4; depth:5;
content:"|00 14|"; offset:60; depth:2;
byte_test:2,>,1024,0,relative,little; reference:cve,CAN-2003-0201;
reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt;
classtype:attempted-admin; sid:2103; rev:2;)

I also did some testing with the test rules that come with the current
snort inline toolkit and they worked fine (except for the one replace rule
that should change "com" to "org" in DNS traffic, but I didn't expect the
replace rules to be perfect anyway).

The strange thing about the NetBIOS rule is that it seems to apply
correctly (the alert shows up in the logs), only the packets aren't
dropped. I'm really getting kind of confused about this.

Alexander.

-- 
spot-media AG
Alexander Meyer
System Administrator
Lange Reihe 2
20099 Hamburg
Phone: 040-248 28 711
Fax:  040-248 28 880
www.spot-media.de
mailto:meyer () spot-media de

Key ID: FA4FC80C

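To make the match conditions of the trans2open rule quoted above concrete, here is an added illustration (not code from the thread or from Snort) that evaluates the rule's three content checks and the relative little-endian byte_test against constructed byte strings. The payloads are not real SMB captures; only the bytes the rule inspects are populated (NetBIOS session type at offset 0, the 0xFF "SMB" magic and command byte at offsets 4 to 8, the two-byte field at offset 60 and the 16-bit value the byte_test reads right after it), and the match model covers only the detection stage, not the inline drop verdict the poster is missing.

```python
import struct


def build_payload(trans2_field: int, command: int = 0x32) -> bytes:
    """Constructed sample payload: padding everywhere except the bytes the rule reads."""
    buf = bytearray(64)
    buf[0] = 0x00                                  # NetBIOS session message type
    buf[4:8] = b"\xffSMB"                          # SMB magic
    buf[8] = command                               # 0x32 = SMB_COM_TRANSACTION2
    buf[60:62] = b"\x00\x14"                       # field the third content check expects
    buf[62:64] = struct.pack("<H", trans2_field)   # 16-bit little-endian value for byte_test
    return bytes(buf)


def content_at(payload: bytes, pattern: bytes, offset: int, depth: int):
    """Snort 'content' with offset/depth: the pattern must lie entirely inside
    payload[offset:offset+depth]. Returns the index just past the match, which
    is the reference point for a following 'relative' modifier, or None."""
    window = payload[offset:offset + depth]
    idx = window.find(pattern)
    if idx < 0:
        return None
    return offset + idx + len(pattern)


def trans2open_rule_matches(payload: bytes) -> bool:
    """Evaluate sid:2103's payload conditions in rule order."""
    if content_at(payload, b"\x00", 0, 1) is None:
        return False
    if content_at(payload, b"\xff\x53\x4d\x42\x32", 4, 5) is None:
        return False
    end = content_at(payload, b"\x00\x14", 60, 2)
    if end is None:
        return False
    # byte_test:2,>,1024,0,relative,little -> read 2 bytes at (end + 0), little-endian
    if len(payload) < end + 2:
        return False
    value = struct.unpack_from("<H", payload, end)[0]
    return value > 1024


if __name__ == "__main__":
    print(trans2open_rule_matches(build_payload(2048)))        # True
    print(trans2open_rule_matches(build_payload(512)))         # False: byte_test fails
    print(trans2open_rule_matches(build_payload(2048, 0x25)))  # False: not TRANSACTION2
```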
