Snort mailing list archives

RE: flexresp question/help


From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Tue, 18 Dec 2001 20:59:08 -0600

Hi Phil,

Just would like to know if snort responded based on the data that I've
posted. FYI, I'm running snort on a stealth interface and somebody told
me that flexresp will still work even on a stealth interface.

Again, I edited two rules in web-iis.rules, the cmd.exe and root.exe:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2 root.exe access"; flags: A+; resp: rst_all; uricontent:"scripts/root.exe?"; nocase; classtype:web-application-attack; sid: 1256; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; resp: rst_all; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2;)
--------------------------------------------------------
Ok. Here is how I executed tcpdump:
tcpdump -e -X -vv -i tl0 src net 12.248.0.0/16
--------------------------------------------------------
....and here is the dump when I tried exploiting a Unicode bug in IIS.

20:38:42.292963 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 62:
12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: S [tcp
sum ok] 1749229470:1749229470(0) win 5840 <mss 1460,nop,nop,sackOK> (ttl
115, id 26048)
  0000: 4500 0030 65c0 0000 7306 1eda 0cf8 ff2f  E..0eÀ..s..Ú.øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1f9e 0000 0000  AÀuF°ù.PhC......
  0020: 7002 16d0 6ff6 0000 0204 05b4 0101 0402  p..Ðoö.....´....

20:38:42.310660 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60:
12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: . [tcp
sum ok] ack 1923749 win 5840 (ttl 115, id 26049)
  0000: 4500 0028 65c1 0000 7306 1ee1 0cf8 ff2f  E..(eÁ..s..á.øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5aa5  AÀuF°ù.PhC....Z¥
  0020: 5010 16d0 41e8 0000 4a64 1f9f 2043       P..ÐAè..Jd.. C

20:38:42.315122 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 126:
12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: P
0:72(72) ack 1 win 5840 (ttl 115, id 26050)
  0000: 4500 0070 65c2 0000 7306 1e98 0cf8 ff2f  E..peÂ..s....øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5aa5  AÀuF°ù.PhC....Z¥
  0020: 5018 16d0 1fb4 0000 4745 5420 2f73 6372  P..Ð.´..GET /scr
  0030: 6970 7473 2f2e 2e25 3235 3563 2e2e 2532  ipts/..%255c..%2
  0040: 3535 6377 696e 6e74 2f73 7973 7465 6d33  55cwinnt/system3
  0050: 322f                                     2/

20:38:42.337657 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60:
12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: . [tcp
sum ok] ack 227 win 5615 (ttl 115, id 26051)
  0000: 4500 0028 65c3 0000 7306 1edf 0cf8 ff2f  E..(eÃ..s..ß.øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1fe7 001d 5b87  AÀuF°ù.PhC.ç..[.
  0020: 5010 15ef 419f 0000 43e2 1fe7 579e       P..ïA...Câ.çW.

20:38:42.342767 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60:
12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: F [tcp
sum ok] 72:72(0) ack 227 win 5615 (ttl 115, id 26052)
  0000: 4500 0028 65c4 0000 7306 1ede 0cf8 ff2f  E..(eÄ..s..Þ.øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1fe7 001d 5b87  AÀuF°ù.PhC.ç..[.
  0020: 5011 15ef 419e 0000 d4fd 1fe7 124f       P..ïA...Ôý.ç.O

20:38:42.552086 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60:
12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: R [tcp
sum ok] 0:0(0) ack 69 win 0 (ttl 254, id 22081)
  0000: 4500 0028 5641 0000 fe06 a360 0cf8 ff2f  E..(VA..þ.£`.øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5ae9  AÀuF°ù.PhC....Zé
  0020: 5014 0000 5870 0000 0000 0000 0000       P...Xp........

20:38:42.552268 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60:
12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: R [tcp
sum ok] 0:0(0) ack 69 win 0 (ttl 254, id 22081)
  0000: 4500 0028 5641 0000 fe06 a360 0cf8 ff2f  E..(VA..þ.£`.øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5ae9  AÀuF°ù.PhC....Zé
  0020: 5014 0000 5870 0000 0000 0000 0000       P...Xp........

You told me to look for RST and I couldn't see one from the above data.
Is there anything that I am missing?
Here is how I run my snort: snort -o -q -D -i tl0 -c /etc/snort/snort.conf

Thanks.

Neil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
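As an added example, not part of the post or of Snort itself: a small Python check that re-joins tcpdump's wrapped summary lines, lists every RST segment in the capture, and notes where a reset's TTL or IP id differs from the same sender's other packets, which is how a reset injected by a sensor stands out from the client's own traffic. The sample is constructed from the summary lines of the dump above, with the hex lines left out.

```python
import re

# Constructed sample in the tcpdump "-e -vv" summary format used in the post
# (hex dump lines left out; the parser skips them anyway).
SAMPLE = """\
20:38:42.292963 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 62:
12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: S [tcp
sum ok] 1749229470:1749229470(0) win 5840 <mss 1460,nop,nop,sackOK> (ttl
115, id 26048)

20:38:42.552086 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60:
12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: R [tcp
sum ok] 0:0(0) ack 69 win 0 (ttl 254, id 22081)

20:38:42.552268 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60:
12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: R [tcp
sum ok] 0:0(0) ack 69 win 0 (ttl 254, id 22081)
"""

TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")          # start of a new packet record
REC = re.compile(r"^(?P<ts>\S+) .*? ip \d+: (?P<src>\S+) > (?P<dst>\S+): "
                 r"(?P<flags>[SFRP.]+) .*\(ttl (?P<ttl>\d+), id (?P<id>\d+)\)")

def parse_tcpdump(text: str) -> list[dict]:
    """Re-join wrapped summary lines and pull out src, dst, flags, ttl and id."""
    records, cur = [], ""
    for line in text.splitlines() + [""]:
        if TS.match(line) or not line.strip():      # new record or blank: flush
            m = REC.match(cur) if cur else None
            if m:
                d = m.groupdict()
                d["ttl"], d["id"] = int(d["ttl"]), int(d["id"])
                records.append(d)
            cur = line.strip()
        elif not line.startswith("  "):             # indented lines are hex dump
            cur += " " + line.strip()
    return records

def find_resets(records: list[dict]) -> list[dict]:
    """List RST segments, noting TTL or IP id that differ from the sender's own."""
    base_ttl, seen_ids, out = {}, set(), []
    for r in records:
        if "R" not in r["flags"]:                   # learn the sender's normal TTL
            base_ttl.setdefault(r["src"], r["ttl"])
            continue
        notes = []
        if r["src"] in base_ttl and base_ttl[r["src"]] != r["ttl"]:
            notes.append(f"ttl {r['ttl']} differs from sender's {base_ttl[r['src']]}")
        if (r["src"], r["id"]) in seen_ids:
            notes.append(f"ip id {r['id']} repeated")
        seen_ids.add((r["src"], r["id"]))
        out.append({"ts": r["ts"], "src": r["src"], "notes": notes})
    return out
```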
