Honeypots mailing list archives

Re: snort inline doesn't seem to drop malicious traffic


From: Stephan Scholz <sscholz () astaro com>
Date: Tue, 29 Jul 2003 14:33:43 +0200

Mmh...maybe the rule itself is not "water-proof" enough?
Maybe the first malicious packet gets dropped indeed, but the attack
makes it through in a later packet (different TCP offset, etc.).
Can you check with tcpdump whether the packet actually makes
it through?

Stephan

> I'm pretty sure about that because I took the drop-ruleset that was
> published on the honeynet website. The rule in question is this one:
>
> drop tcp $HONEYNET any -> $EXTERNAL_NET 139 (msg:"NETBIOS SMB trans2open
> buffer overflow attempt"; flow:to_server,established; content:"|00|";
> offset:0; depth:1; content:"|ff 53 4d 42 32|"; offset:4; depth:5;
> content:"|00 14|"; offset:60; depth:2;
> byte_test:2,>,1024,0,relative,little; reference:cve,CAN-2003-0201;
> reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt;
> classtype:attempted-admin; sid:2103; rev:2;)
>
> I also did some testing with the test rules that come with the current
> snort inline toolkit and they worked fine (except that one replace rule
> that should change "com" to "org" in DNS traffic, but I didn't expect the
> replace rules to be perfect anyway).
>
> The strange thing about the netbios rule is that it seems to apply
> correctly (the alert shows up in the logs), only the packets aren't
> dropped. I'm really getting kind of confused about this.


--
Stephan Scholz <sscholz () astaro com> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55

Visit Astaro at:
- LinuxWorld Expo, booth 1091, San Francisco, Aug. 5-7, 2003
- CeBIT asia, German Pavilion, Pudong, Shanghai, Sep. 18-23, 2003
- Infosecurity Scandinavia, booth C02:38, Stockholm, Sep. 23-25, 2003
- GITEX, German Pavilion, Dubai, Oct. 19-23, 2003
- Systems 2003, hall B2, booth 326, Munich, Oct. 20-24, 2003
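Editor's added example (not part of the thread, and not Snort's code): the payload-matching logic of the sid:2103 rule quoted above, reimplemented in Python so the two symptoms discussed here can be seen side by side. The `content` / `offset` / `depth` / `byte_test ... relative,little` semantics follow the Snort rule language; the sample buffers are constructed to hit the rule's byte positions and are not real SMB requests. Stephan's hypothesis is that the request is spread over several TCP segments: the last function shows that a per-packet check sees no match on either segment while the reassembled stream does, and a match found only on a reassembled stream cannot be enforced by dropping segments that have already been forwarded, which is one mechanism (an assumption, not something the thread establishes) that produces an alert without a drop.

```python
import struct
from typing import List, Optional, Tuple

# Constructed sample, not a real SMB request: only the byte positions the
# rule inspects are populated, everything else is zero filler.
def build_trans2_payload(param_count: int, total_len: int = 80) -> bytes:
    buf = bytearray(total_len)
    buf[0] = 0x00                                   # NetBIOS session message type
    buf[1:4] = (total_len - 4).to_bytes(3, "big")   # NetBIOS length field
    buf[4:9] = b"\xffSMB\x32"                       # SMB magic + command 0x32 (TRANSACTION2)
    buf[60:62] = b"\x00\x14"                        # the two bytes the rule anchors on at offset 60
    buf[62:64] = struct.pack("<H", param_count)     # value byte_test reads, little-endian
    return bytes(buf)

MALICIOUS_PAYLOAD = build_trans2_payload(2000)  # 2000 > 1024 -> rule should fire
BENIGN_PAYLOAD = build_trans2_payload(100)      # 100 <= 1024 -> rule stays quiet


def content_match(payload: bytes, pattern: bytes, offset: int, depth: int) -> Optional[int]:
    """Snort 'content' with absolute offset/depth: look for pattern inside
    payload[offset:offset+depth]. Returns the index just past the match
    (the cursor a following 'relative' modifier uses), or None."""
    window = payload[offset:offset + depth]
    idx = window.find(pattern)
    if idx < 0:
        return None
    return offset + idx + len(pattern)


def byte_test_gt_le16(payload: bytes, cursor: int, threshold: int) -> bool:
    """Snort 'byte_test:2,>,<threshold>,0,relative,little': read two bytes at
    the cursor left by the previous content match, little-endian, and compare.
    Reading past the end of the payload is treated as no match."""
    if cursor + 2 > len(payload):
        return False
    value = struct.unpack_from("<H", payload, cursor)[0]
    return value > threshold


def sid2103_matches(payload: bytes) -> bool:
    """Payload-side logic of sid:2103. 'flow:to_server,established' is the
    stream tracker's job and is assumed satisfied here."""
    if content_match(payload, b"\x00", offset=0, depth=1) is None:
        return False
    if content_match(payload, b"\xffSMB\x32", offset=4, depth=5) is None:
        return False
    cursor = content_match(payload, b"\x00\x14", offset=60, depth=2)
    if cursor is None:
        return False
    return byte_test_gt_le16(payload, cursor, 1024)


def split_payload(payload: bytes, at: int) -> List[bytes]:
    """Model the same request carried in two TCP segments."""
    return [payload[:at], payload[at:]]


def evaluate_segments(segments: List[bytes]) -> Tuple[List[bool], bool]:
    """Per-segment verdicts (what a packet-by-packet drop sees) next to the
    verdict on the reassembled stream."""
    per_segment = [sid2103_matches(seg) for seg in segments]
    reassembled = sid2103_matches(b"".join(segments))
    return per_segment, reassembled


if __name__ == "__main__":
    print("whole request, malicious:", sid2103_matches(MALICIOUS_PAYLOAD))
    print("whole request, benign:   ", sid2103_matches(BENIGN_PAYLOAD))
    per_seg, whole = evaluate_segments(split_payload(MALICIOUS_PAYLOAD, 40))
    print("split at byte 40, per segment:", per_seg, "reassembled:", whole)
```

Run it and compare with a tcpdump capture of the session in question: if the request that triggers the alert spans more than one segment, the verdict the sensor enforces on each wire packet is the per-segment one, and only the logged alert reflects the reassembled view.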
