Snort mailing list archives

Re: flexresp question/help


From: Phil Wood <cpw () lanl gov>
Date: Tue, 18 Dec 2001 21:47:48 -0700

On Tue, Dec 18, 2001 at 08:59:08PM -0600, Ronneil Camara wrote:
Hi Phil,

Just would like to know if snort responded based on the data that I've
posted. FYI, I'm running snort on a stealth interface and somebody told me
that flexresp will still work even on a stealth interface.
"It" will work only if your sensor has a real live IP route to the hosts
in question.  If I remember it right, you picked the option to send a RST
in both directions, one to the cracker and one to the server.  So, you
might want to do a traceroute first to your test cracker and your test
server from your sensor and see if the routing from your sensor works.
Then, you should be able to say "it" should work.  I don't believe your
packets would be able to route out your "stealth" port.  But, you should
be able to see the ones directed to the external net.  Again, this all
depends on where the sensor is in the scheme of things.

Please take the time to draw a picture of the available routes, including
any acls that might limit your success.  For example, do you have two
or more interfaces on your sensor which would affect how your response
will travel to its destination.

Another point is to remember that many of these probes may well result in
a FIN condition, so that the RST is superfluous.

I have not gone to the trouble to use this feature at this time.  One
of the difficulties I would have to overcome is that currently, my sensor
has two interfaces, one to a protected net which does not allow spoofing,
the other one that does not allow transmit.  So, you see trying to send
a RST to either one of the members of this scenario would fail.

Sorry to bring up more questions and not be able to definitely answer
your question.


Again, I edited two rules in web-iis.rules, the cmd.exe and root.exe:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2 root.exe access"; flags: A+; resp: rst_all; uricontent:"scripts/root.exe?"; nocase; classtype:web-application-attack; sid: 1256; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; resp: rst_all; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2;)
--------------------------------------------------------
Ok. Here is how I executed tcpdump:
tcpdump -e -X -vv -i tl0 src net 12.248.0.0/16

Try net 12.248.255 and net 65.192.117 so you can see what happens both
ways.  In fact limit it to a specific client host if you can.   Like:

  host 12.248.255.47 and net 65.192.117

--------------------------------------------------------
...and here is the dump when I tried exploiting a Unicode bug in IIS.

20:38:42.292963 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 62:
12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: S [tcp
sum ok] 1749229470:1749229470(0) win 5840 <mss 1460,nop,nop,sackOK> (ttl
115, id 26048)
  0000: 4500 0030 65c0 0000 7306 1eda 0cf8 ff2f  E..0eÀ..s..Ú.øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1f9e 0000 0000  AÀuF°ù.PhC......
  0020: 7002 16d0 6ff6 0000 0204 05b4 0101 0402  p..Ðoö.....´....

20:38:42.310660 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60:
12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: . [tcp
sum ok] ack 1923749 win 5840 (ttl 115, id 26049)
  0000: 4500 0028 65c1 0000 7306 1ee1 0cf8 ff2f  E..(eÁ..s..á.øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5aa5  AÀuF°ù.PhC....Z¥
  0020: 5010 16d0 41e8 0000 4a64 1f9f 2043       P..ÐAè..Jd.. C

20:38:42.315122 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 126:
12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: P
0:72(72) ack 1 win 5840 (ttl 115, id 26050)
  0000: 4500 0070 65c2 0000 7306 1e98 0cf8 ff2f  E..peÂ..s....øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5aa5  AÀuF°ù.PhC....Z¥
  0020: 5018 16d0 1fb4 0000 4745 5420 2f73 6372  P..Ð.´..GET /scr
  0030: 6970 7473 2f2e 2e25 3235 3563 2e2e 2532  ipts/..%255c..%2
  0040: 3535 6377 696e 6e74 2f73 7973 7465 6d33  55cwinnt/system3
  0050: 322f                                     2/

20:38:42.337657 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60:
12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: . [tcp
sum ok] ack 227 win 5615 (ttl 115, id 26051)
  0000: 4500 0028 65c3 0000 7306 1edf 0cf8 ff2f  E..(eÃ..s..ß.øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1fe7 001d 5b87  AÀuF°ù.PhC.ç..[.
  0020: 5010 15ef 419f 0000 43e2 1fe7 579e       P..ïA...Câ.çW.

20:38:42.342767 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60:
12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: F [tcp
sum ok] 72:72(0) ack 227 win 5615 (ttl 115, id 26052)
  0000: 4500 0028 65c4 0000 7306 1ede 0cf8 ff2f  E..(eÄ..s..Þ.øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1fe7 001d 5b87  AÀuF°ù.PhC.ç..[.
  0020: 5011 15ef 419e 0000 d4fd 1fe7 124f       P..ïA...Ôý.ç.O


The next two are RSTs.

20:38:42.552086 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60:
12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: R [tcp
sum ok] 0:0(0) ack 69 win 0 (ttl 254, id 22081)
  0000: 4500 0028 5641 0000 fe06 a360 0cf8 ff2f  E..(VA..þ.£`.øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5ae9  AÀuF°ù.PhC....Zé
  0020: 5014 0000 5870 0000 0000 0000 0000       P...Xp........

20:38:42.552268 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60:
12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: R [tcp
sum ok] 0:0(0) ack 69 win 0 (ttl 254, id 22081)
  0000: 4500 0028 5641 0000 fe06 a360 0cf8 ff2f  E..(VA..þ.£`.øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5ae9  AÀuF°ù.PhC....Zé
  0020: 5014 0000 5870 0000 0000 0000 0000       P...Xp........

You told me to look for RST and I couldn't see one from the above data.
Is there anything that I am missing?
Here is how I run my snort: snort -o -q -D -i tl0 -c /etc/snort/snort.conf

Thanks.

Neil


-- 
Phil Wood, cpw () lanl gov
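
As an added example (not part of the original thread, and not Snort code), here is a small Python script that decodes the client-side packets from the tcpdump -X hex dump quoted above and checks the two RSTs the way a defender verifying an active-response setup would. It reports that their TTL (254) and repeated IP id do not match the real client traffic (TTL 115, ascending ids), and that their sequence number is the very first byte of the client's data stream, far below what the server had already consumed once the 72-byte GET and the FIN had gone out; an RFC 793 receiver accepts a RST only if its sequence number is inside the receive window, so these resets arrive too late to do anything, which is the "FIN condition" point made above. Assumptions that are mine and not the page's: every captured client packet was delivered (so the receiver's RCV.NXT can be inferred from one direction alone), the capture only holds the client-to-server direction because of the "src net" filter, and the field names rcv_nxt / seq_stale / ttl_matches_flow are my own.

```python
import re
import struct
from collections import defaultdict

# Hex dump copied from the tcpdump -X output quoted above. The capture filter was
# "src net 12.248.0.0/16", so only client -> server packets are present; the
# tcpdump summary lines are left out (the parser skips non-hex lines anyway).
CAPTURE = """
  0000: 4500 0030 65c0 0000 7306 1eda 0cf8 ff2f  E..0eÀ..s..Ú.øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1f9e 0000 0000  AÀuF°ù.PhC......
  0020: 7002 16d0 6ff6 0000 0204 05b4 0101 0402  p..Ðoö.....´....
  0000: 4500 0028 65c1 0000 7306 1ee1 0cf8 ff2f  E..(eÁ..s..á.øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5aa5  AÀuF°ù.PhC....Z¥
  0020: 5010 16d0 41e8 0000 4a64 1f9f 2043       P..ÐAè..Jd.. C
  0000: 4500 0070 65c2 0000 7306 1e98 0cf8 ff2f  E..peÂ..s....øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5aa5  AÀuF°ù.PhC....Z¥
  0020: 5018 16d0 1fb4 0000 4745 5420 2f73 6372  P..Ð.´..GET /scr
  0030: 6970 7473 2f2e 2e25 3235 3563 2e2e 2532  ipts/..%255c..%2
  0040: 3535 6377 696e 6e74 2f73 7973 7465 6d33  55cwinnt/system3
  0050: 322f                                     2/
  0000: 4500 0028 65c3 0000 7306 1edf 0cf8 ff2f  E..(eÃ..s..ß.øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1fe7 001d 5b87  AÀuF°ù.PhC.ç..[.
  0020: 5010 15ef 419f 0000 43e2 1fe7 579e       P..ïA...Câ.çW.
  0000: 4500 0028 65c4 0000 7306 1ede 0cf8 ff2f  E..(eÄ..s..Þ.øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1fe7 001d 5b87  AÀuF°ù.PhC.ç..[.
  0020: 5011 15ef 419e 0000 d4fd 1fe7 124f       P..ïA...Ôý.ç.O
  0000: 4500 0028 5641 0000 fe06 a360 0cf8 ff2f  E..(VA..þ.£`.øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5ae9  AÀuF°ù.PhC....Zé
  0020: 5014 0000 5870 0000 0000 0000 0000       P...Xp........
  0000: 4500 0028 5641 0000 fe06 a360 0cf8 ff2f  E..(VA..þ.£`.øÿ/
  0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5ae9  AÀuF°ù.PhC....Zé
  0020: 5014 0000 5870 0000 0000 0000 0000       P...Xp........
"""

def parse_hexdump(text):
    """One bytes object per packet. A packet starts at offset 0000; at most eight
    4-digit groups are read per line, so the ASCII column is never taken as data."""
    packets = []
    for line in text.splitlines():
        m = re.match(r"\s*([0-9a-f]{4}):\s+(.*)", line)
        if not m:
            continue                      # summary lines, blanks
        if m.group(1) == "0000":
            packets.append(bytearray())
        groups = []
        for tok in m.group(2).split():
            if len(groups) == 8 or not re.fullmatch(r"[0-9a-f]{4}", tok):
                break
            groups.append(tok)
        packets[-1].extend(bytes.fromhex("".join(groups)))
    return [bytes(p) for p in packets]

TCP_FLAGS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "A"), (0x20, "U"))

def decode(pkt):
    """IPv4 + TCP header fields. Lengths come from the IP header, not from the
    captured bytes, so Ethernet padding (the 60-byte frames) and snaplen
    truncation (the 126-byte GET frame) are both handled."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", pkt[2:6])
    if pkt[9] != 6:
        raise ValueError("not TCP")
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "sport": sport, "dport": dport, "ip_id": ip_id, "ttl": pkt[8],
            "seq": seq, "ack": ack, "win": win,
            "flags": "".join(n for bit, n in TCP_FLAGS if off_flags & bit),
            "payload_len": total_len - ihl - (off_flags >> 12) * 4}

def analyse_resets(packets):
    """For each RST in a one-direction capture: does its TTL match the rest of the
    flow, is its IP id a repeat, and is its sequence number already below what the
    receiver has consumed (an RFC 793 receiver ignores such a RST)."""
    flows = defaultdict(list)
    for p in map(decode, packets):
        flows[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)
    report = []
    for fl in flows.values():
        normal = [p for p in fl if "R" not in p["flags"]]
        syn = next((p for p in normal if "S" in p["flags"]), None)
        # Highest sequence number this side sent (SYN and FIN count one each); if
        # nothing was lost that is the receiver's RCV.NXT (assumption; 32-bit wrap ignored).
        rcv_nxt = max((p["seq"] + p["payload_len"] + ("S" in p["flags"]) + ("F" in p["flags"])
                       for p in normal), default=0)
        seen = set()
        for p in (q for q in fl if "R" in q["flags"]):
            report.append({"ip_id": p["ip_id"], "ttl": p["ttl"],
                           "ttl_matches_flow": p["ttl"] in {q["ttl"] for q in normal},
                           "duplicate_ip_id": p["ip_id"] in seen,
                           "rel_seq": p["seq"] - (syn["seq"] + 1) if syn else None,
                           "seq_stale": p["seq"] < rcv_nxt})
            seen.add(p["ip_id"])
    return report

if __name__ == "__main__":
    for p in map(decode, parse_hexdump(CAPTURE)):
        print(f'{p["src"]}:{p["sport"]} > {p["dst"]}:{p["dport"]} {p["flags"]:3} ttl={p["ttl"]} id={p["ip_id"]}')
    for r in analyse_resets(parse_hexdump(CAPTURE)):
        print("RST", r)
```

Run as-is it lists the seven client packets and then the two resets, both with rel_seq 0, seq_stale True and ttl_matches_flow False, the second also flagged as a duplicate IP id. The same checks are what you would want in a detection rule for resets injected by a middlebox or another sensor: a TTL or IP id pattern that does not belong to the flow, and a sequence number the endpoint would never accept.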


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
