Snort mailing list archives
RE: flexresp question/help
From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Tue, 18 Dec 2001 20:59:08 -0600
Hi Phil,

Just would like to know if snort responded based on the data that I've posted. FYI, I'm running snort on a stealth interface and somebody told me that flexresp will still work even on a stealth interface.

Again, I edited two rules in web-iis.rules, the cmd.exe and root.exe:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2 root.exe access"; flags: A+; resp: rst_all; uricontent:"scripts/root.exe?"; nocase; classtype:web-application-attack; sid: 1256; rev:2;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; resp: rst_all; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2;)

--------------------------------------------------------

Ok. Here is how I executed tcpdump:

tcpdump -e -X -vv -i tl0 src net 12.248.0.0/16

--------------------------------------------------------

....and here is the dump when I tried exploiting a Unicode bug in IIS.

20:38:42.292963 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 62: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: S [tcp sum ok] 1749229470:1749229470(0) win 5840 <mss 1460,nop,nop,sackOK> (ttl 115, id 26048)
0000: 4500 0030 65c0 0000 7306 1eda 0cf8 ff2f E..0eÀ..s..Ú.øÿ/
0010: 41c0 7546 b0f9 0050 6843 1f9e 0000 0000 AÀuF°ù.PhC......
0020: 7002 16d0 6ff6 0000 0204 05b4 0101 0402 p..Ðoö.....´....

20:38:42.310660 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: . [tcp sum ok] ack 1923749 win 5840 (ttl 115, id 26049)
0000: 4500 0028 65c1 0000 7306 1ee1 0cf8 ff2f E..(eÁ..s..á.øÿ/
0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5aa5 AÀuF°ù.PhC....Z¥
0020: 5010 16d0 41e8 0000 4a64 1f9f 2043 P..ÐAè..Jd.. C

20:38:42.315122 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 126: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: P 0:72(72) ack 1 win 5840 (ttl 115, id 26050)
0000: 4500 0070 65c2 0000 7306 1e98 0cf8 ff2f E..peÂ..s....øÿ/
0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5aa5 AÀuF°ù.PhC....Z¥
0020: 5018 16d0 1fb4 0000 4745 5420 2f73 6372 P..Ð.´..GET /scr
0030: 6970 7473 2f2e 2e25 3235 3563 2e2e 2532 ipts/..%255c..%2
0040: 3535 6377 696e 6e74 2f73 7973 7465 6d33 55cwinnt/system3
0050: 322f 2/

20:38:42.337657 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: . [tcp sum ok] ack 227 win 5615 (ttl 115, id 26051)
0000: 4500 0028 65c3 0000 7306 1edf 0cf8 ff2f E..(eÃ..s..ß.øÿ/
0010: 41c0 7546 b0f9 0050 6843 1fe7 001d 5b87 AÀuF°ù.PhC.ç..[.
0020: 5010 15ef 419f 0000 43e2 1fe7 579e P..ïA...Câ.çW.

20:38:42.342767 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: F [tcp sum ok] 72:72(0) ack 227 win 5615 (ttl 115, id 26052)
0000: 4500 0028 65c4 0000 7306 1ede 0cf8 ff2f E..(eÄ..s..Þ.øÿ/
0010: 41c0 7546 b0f9 0050 6843 1fe7 001d 5b87 AÀuF°ù.PhC.ç..[.
0020: 5011 15ef 419e 0000 d4fd 1fe7 124f P..ïA...Ôý.ç.O

20:38:42.552086 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: R [tcp sum ok] 0:0(0) ack 69 win 0 (ttl 254, id 22081)
0000: 4500 0028 5641 0000 fe06 a360 0cf8 ff2f E..(VA..þ.£`.øÿ/
0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5ae9 AÀuF°ù.PhC....Zé
0020: 5014 0000 5870 0000 0000 0000 0000 P...Xp........

20:38:42.552268 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: R [tcp sum ok] 0:0(0) ack 69 win 0 (ttl 254, id 22081)
0000: 4500 0028 5641 0000 fe06 a360 0cf8 ff2f E..(VA..þ.£`.øÿ/
0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5ae9 AÀuF°ù.PhC....Zé
0020: 5014 0000 5870 0000 0000 0000 0000 P...Xp........

You told me to look for RST and I couldn't see one from the above data. Is there anything that I am missing?

Here is how I run my snort:

snort -o -q -D -i tl0 -c /etc/snort/snort.conf

Thanks.

Neil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
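An added example, not from the original post or from Snort: a small Python decoder for tcpdump -X hex lines that reports each packet's TCP flags, so RST segments can be checked from the raw bytes instead of by eye. Its sample input is two packets copied from the dump in the post (the initial SYN and the first of the two trailing "R" packets); decoding the second gives flags RST|ACK with window 0, ttl 254 and IP id 22081.

```python
import re

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# Two packets copied from the tcpdump -X output in the post: the initial SYN
# and the first of the two trailing "R" packets (ttl 254, id 22081).
SAMPLE_DUMP = """\
0000: 4500 0030 65c0 0000 7306 1eda 0cf8 ff2f E..0eÀ..s..Ú.øÿ/
0010: 41c0 7546 b0f9 0050 6843 1f9e 0000 0000 AÀuF°ù.PhC......
0020: 7002 16d0 6ff6 0000 0204 05b4 0101 0402 p..Ðoö.....´....
0000: 4500 0028 5641 0000 fe06 a360 0cf8 ff2f E..(VA..þ.£`.øÿ/
0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5ae9 AÀuF°ù.PhC....Zé
0020: 5014 0000 5870 0000 0000 0000 0000 P...Xp........
"""

def parse_hexdump(text):
    """Group 'NNNN: xxxx xxxx ... ASCII' lines into packets; offset 0000 starts a new one."""
    packets, cur = [], bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*(?:0x)?([0-9a-fA-F]{4}):\s*(.*)$", line)
        if not m:                       # skips the "20:38:42.292963 ..." summary lines
            continue
        if m.group(1) == "0000" and cur:
            packets.append(bytes(cur))
            cur = bytearray()
        # at most 8 groups (16 bytes) per line; the ASCII column is dropped at the first non-hex token
        for tok in m.group(2).split()[:8]:
            if not re.fullmatch(r"[0-9a-fA-F]{2}|[0-9a-fA-F]{4}", tok):
                break
            cur += bytes.fromhex(tok)
    if cur:
        packets.append(bytes(cur))
    return packets

def decode_tcp(pkt):
    """Decode the IPv4/TCP headers of one packet (-X output omits the link-layer header)."""
    # slice from the end of the IP header to the IP total length, ignoring Ethernet padding
    tcp = pkt[(pkt[0] & 0x0F) * 4:int.from_bytes(pkt[2:4], "big")]
    return {
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "ip_id": int.from_bytes(pkt[4:6], "big"), "ttl": pkt[8],
        "sport": int.from_bytes(tcp[0:2], "big"), "dport": int.from_bytes(tcp[2:4], "big"),
        "win": int.from_bytes(tcp[14:16], "big"),
        "flags": [name for bit, name in TCP_FLAGS if tcp[13] & bit],
    }

def find_resets(text):
    """Return the decoded packets of a tcpdump -X dump that carry the RST flag."""
    return [p for p in map(decode_tcp, parse_hexdump(text)) if "RST" in p["flags"]]
```

Feeding the whole dump from the post to find_resets() lists every segment whose TCP flags byte has bit 0x04 set, which is the check the thread is asking about.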
Current thread:
- flexresp question/help Ronneil Camara (Dec 18)
- Re: flexresp question/help Phil Wood (Dec 18)
- <Possible follow-ups>
- RE: flexresp question/help Ronneil Camara (Dec 18)
- Re: flexresp question/help Phil Wood (Dec 18)
- RE: flexresp question/help Ronneil Camara (Dec 18)
- RE: flexresp question/help Ronneil Camara (Dec 19)
- RE: flexresp question/help Jyri Hovila (Dec 19)
- RE: flexresp question/help Ronneil Camara (Dec 19)