Honeypots mailing list archives
Re: snort inline doesn't seem to drop malicious traffic
From: Stephan Scholz <sscholz () astaro com>
Date: Tue, 29 Jul 2003 14:33:43 +0200
Mmh... maybe the rule itself is not "water-proof" enough? Maybe the first malicious packet gets dropped indeed, but the attack makes it through in a later packet (different TCP offset, etc.). Can you check with tcpdump whether the packet actually makes it through?

Stephan
> I'm pretty sure about that because I took the drop-ruleset that was published on the honeynet website. The rule in question is this one:
>
> drop tcp $HONEYNET any -> $EXTERNAL_NET 139 (msg:"NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|ff 53 4d 42 32|"; offset:4; depth:5; content:"|00 14|"; offset:60; depth:2; byte_test:2,>,1024,0,relative,little; reference:cve,CAN-2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2103; rev:2;)
>
> I also did some testing with the test rules that come with the current snort inline toolkit and they worked fine (except that one replace rule that should change "com" to "org" in dns traffic, but I didn't expect the replace rules to be perfect anyway). The strange thing about the netbios rule is that it seems to apply correctly (the alert shows up in the logs), only the packets aren't dropped. I'm really getting kind of confused about this.
--
Stephan Scholz <sscholz () astaro com> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55

Visit Astaro at:
- LinuxWorld Expo, booth 1091, San Francisco, Aug. 5-7, 2003
- CeBIT asia, German Pavilion, Pudong, Shanghai, Sep. 18-23, 2003
- Infosecurity Scandinavia, booth C02:38, Stockholm, Sep. 23-25, 2003
- GITEX, German Pavilion, Dubai, Oct. 19-23, 2003
- Systems 2003, hall B2, booth 326, Munich, Oct. 20-24, 2003
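The following is an added example, not part of the list thread and not Snort's own engine: a small Python re-implementation of the matching logic of the quoted sid:2103 rule (three absolute content/offset/depth matches followed by a relative little-endian byte_test), applied to a constructed SMB Trans2 request. It illustrates Stephan's point about packet boundaries: a payload whose fields straddle two TCP segments does not match either segment on its own, only the reassembled stream, which is why "alert fires but traffic gets through" is worth checking on the wire with tcpdump. The payload layout, the split point and the field value are assumptions made for the example; the flow: option and Snort's stream reassembly are not modelled.

```python
import struct

# Content options of sid:2103 as quoted in the thread, in rule order:
# (pattern, offset, depth). Offsets are absolute because no distance/within follows.
RULE_CONTENTS = [
    (b"\x00", 0, 1),                    # content:"|00|"; offset:0; depth:1
    (b"\xff\x53\x4d\x42\x32", 4, 5),    # content:"|ff 53 4d 42 32|"; offset:4; depth:5
    (b"\x00\x14", 60, 2),               # content:"|00 14|"; offset:60; depth:2
]
# byte_test:2,>,1024,0,relative,little -> 2 bytes, little-endian, right after the last match
BYTE_TEST_SIZE, BYTE_TEST_VALUE = 2, 1024


def content_match(payload: bytes, pattern: bytes, offset: int, depth: int):
    """Search for `pattern` within the absolute window [offset, offset+depth).
    Returns the detect-offset-end pointer (one past the match) or None."""
    window = payload[offset:offset + depth]
    idx = window.find(pattern)
    if idx < 0:
        return None
    return offset + idx + len(pattern)


def rule_matches(payload: bytes) -> bool:
    """Evaluate the rule's payload options against one buffer (one segment or
    a reassembled stream). Header/flow options are out of scope here."""
    doe = 0
    for pattern, offset, depth in RULE_CONTENTS:
        doe = content_match(payload, pattern, offset, depth)
        if doe is None:
            return False
    # byte_test is relative to the end of the last content match
    if len(payload) < doe + BYTE_TEST_SIZE:
        return False
    value = struct.unpack_from("<H", payload, doe)[0]
    return value > BYTE_TEST_VALUE


def build_trans2_request(length_field: int) -> bytes:
    """Constructed sample payload (assumption): a NetBIOS session message carrying an
    SMB Trans2 request, with the 16-bit field the rule inspects at offset 62."""
    buf = bytearray(64)
    buf[0] = 0x00                                 # NetBIOS session message
    buf[4:9] = b"\xff\x53\x4d\x42\x32"            # SMB magic + command 0x32 (Trans2)
    buf[60:62] = b"\x00\x14"                      # bytes the rule anchors on
    struct.pack_into("<H", buf, 62, length_field)  # value checked by byte_test
    return bytes(buf)


def per_segment_results(payload: bytes, split_at: int):
    """Show how segmentation changes the outcome: (first segment, second segment,
    reassembled stream). Only the reassembled view sees the whole pattern."""
    first, second = payload[:split_at], payload[split_at:]
    return rule_matches(first), rule_matches(second), rule_matches(first + second)


if __name__ == "__main__":
    benign = build_trans2_request(512)
    oversized = build_trans2_request(4096)
    print("benign request matches:   ", rule_matches(benign))
    print("oversized request matches:", rule_matches(oversized))
    print("split at byte 61 (seg1, seg2, reassembled):", per_segment_results(oversized, 61))
```

Running it prints False for the benign request, True for the oversized one, and (False, False, True) for the split case: each segment alone passes a per-packet check, so an inline sensor that alerts on reassembled data but drops only individual packets can log the attack while still forwarding it.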
Current thread:
- snort inline doesn't seem to drop malicious traffic Alexander Meyer (spot-media AG) (Jul 28)
- Re: snort inline doesn't seem to drop malicious traffic Stephan Scholz (Jul 29)
- Re: snort inline doesn't seem to drop malicious traffic Alexander Meyer (spot-media AG) (Jul 29)
- Re: snort inline doesn't seem to drop malicious traffic Stephan Scholz (Jul 29)
- Re: snort inline doesn't seem to drop malicious traffic Alexander Meyer (spot-media AG) (Jul 29)
- Re: snort inline doesn't seem to drop malicious traffic Stephan Scholz (Jul 29)