Snort mailing list archives
Re: flexresp question/help
From: Phil Wood <cpw () lanl gov>
Date: Tue, 18 Dec 2001 21:47:48 -0700
On Tue, Dec 18, 2001 at 08:59:08PM -0600, Ronneil Camara wrote:
Hi Phil, Just would like to know if snort responded based from the data that I've posted. FYI, I'm running snort on a stealth interface and somebody told me that flexresp will still work even on a stealth interface.
"It" will work only if your sensor has a real live IP route to the hosts in question. If I remember it right, you picked the option to send a RST in both directions, one to the cracker and one to the server. So, you might want to do a traceroute first to your test cracker and your test server from your sensor and see if the routing from your sensor works. Then, you should be able to say "it" should work. I don't believe your packets would be able to route out your "stealth" port. But, you should be able to see the ones directed to the external net. Again, this all depends on where the sensor is in the scheme of things. Please take the time to draw a picture of the available routes, including any ACLs that might limit your success. For example, do you have two or more interfaces on your sensor which would affect how your response will travel to its destination? Another point is to remember that many of these probes may well result in a FIN condition, so that the RST is superfluous. I have not gone to the trouble to use this feature at this time. One of the difficulties I would have to overcome is that currently, my sensor has two interfaces, one to a protected net which does not allow spoofing, the other one that does not allow transmit. So, you see, trying to send a RST to either one of the members of this scenario would fail. Sorry to bring up more questions and not be able to definitely answer your question.
Again, I edited two rules in web-iis.rules, the cmd.exe and root.exe:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2 root.exe access"; flags: A+; resp: rst_all; uricontent:"scripts/root.exe?"; nocase; classtype:web-application-attack; sid: 1256; rev:2;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; resp: rst_all; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2;)

--------------------------------------------------------

Ok. Here is how I executed tcpdump:

tcpdump -e -X -vv -i tl0 src net 12.248.0.0/16
Try net 12.248.255 and net 65.192.117 so you can see what happens both ways. In fact limit it to a specific client host if you can. Like: host 12.248.255.47 and net 65.192.117
--------------------------------------------------------

....and here is the dump when I tried exploiting a Unicode bug in IIS.

20:38:42.292963 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 62: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: S [tcp sum ok] 1749229470:1749229470(0) win 5840 <mss 1460,nop,nop,sackOK> (ttl 115, id 26048)
0000: 4500 0030 65c0 0000 7306 1eda 0cf8 ff2f E..0eÀ..s..Ú.øÿ/
0010: 41c0 7546 b0f9 0050 6843 1f9e 0000 0000 AÀuF°ù.PhC......
0020: 7002 16d0 6ff6 0000 0204 05b4 0101 0402 p..Ðoö.....´....

20:38:42.310660 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: . [tcp sum ok] ack 1923749 win 5840 (ttl 115, id 26049)
0000: 4500 0028 65c1 0000 7306 1ee1 0cf8 ff2f E..(eÁ..s..á.øÿ/
0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5aa5 AÀuF°ù.PhC....Z¥
0020: 5010 16d0 41e8 0000 4a64 1f9f 2043 P..ÐAè..Jd.. C

20:38:42.315122 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 126: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: P 0:72(72) ack 1 win 5840 (ttl 115, id 26050)
0000: 4500 0070 65c2 0000 7306 1e98 0cf8 ff2f E..peÂ..s....øÿ/
0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5aa5 AÀuF°ù.PhC....Z¥
0020: 5018 16d0 1fb4 0000 4745 5420 2f73 6372 P..Ð.´..GET /scr
0030: 6970 7473 2f2e 2e25 3235 3563 2e2e 2532 ipts/..%255c..%2
0040: 3535 6377 696e 6e74 2f73 7973 7465 6d33 55cwinnt/system3
0050: 322f 2/

20:38:42.337657 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: . [tcp sum ok] ack 227 win 5615 (ttl 115, id 26051)
0000: 4500 0028 65c3 0000 7306 1edf 0cf8 ff2f E..(eÃ..s..ß.øÿ/
0010: 41c0 7546 b0f9 0050 6843 1fe7 001d 5b87 AÀuF°ù.PhC.ç..[.
0020: 5010 15ef 419f 0000 43e2 1fe7 579e P..ïA...Câ.çW.

20:38:42.342767 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: F [tcp sum ok] 72:72(0) ack 227 win 5615 (ttl 115, id 26052)
0000: 4500 0028 65c4 0000 7306 1ede 0cf8 ff2f E..(eÄ..s..Þ.øÿ/
0010: 41c0 7546 b0f9 0050 6843 1fe7 001d 5b87 AÀuF°ù.PhC.ç..[.
0020: 5011 15ef 419e 0000 d4fd 1fe7 124f P..ïA...Ôý.ç.O

The next two are RSTs.

20:38:42.552086 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: R [tcp sum ok] 0:0(0) ack 69 win 0 (ttl 254, id 22081)
0000: 4500 0028 5641 0000 fe06 a360 0cf8 ff2f E..(VA..þ.£`.øÿ/
0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5ae9 AÀuF°ù.PhC....Zé
0020: 5014 0000 5870 0000 0000 0000 0000 P...Xp........

20:38:42.552268 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: R [tcp sum ok] 0:0(0) ack 69 win 0 (ttl 254, id 22081)
0000: 4500 0028 5641 0000 fe06 a360 0cf8 ff2f E..(VA..þ.£`.øÿ/
0010: 41c0 7546 b0f9 0050 6843 1f9f 001d 5ae9 AÀuF°ù.PhC....Zé
0020: 5014 0000 5870 0000 0000 0000 0000 P...Xp........

You told me to look for RST and I couldn't see one from the above data. Is there anything that I am missing?

Here is how I run my snort:

snort -o -q -D -i tl0 -c /etc/snort/snort.conf

Thanks.
Neil
--
Phil Wood, cpw () lanl gov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
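Both questions in this exchange, whether a RST is present in the dump at all and whether it came from the sensor rather than from the host named as its source, can be answered mechanically from the tcpdump header lines quoted above. The script below is an added example for this archive page, not code from Snort or from either poster. It parses the `-e -vv` header lines (hex bodies dropped) and, for every RST, compares its TTL and IP ID against the earlier packets of the same flow and records whether a FIN preceded it. The heuristic it applies (a real host keeps a stable TTL and fresh IP IDs within one flow, so a RST with a different TTL and a reused ID was most likely built by some other machine) is an assumption of the example, not something Snort itself reports.

```python
import re
from collections import defaultdict

# Packet header lines copied from the tcpdump -e -vv capture quoted in this
# thread (hex dump bodies omitted). The two RSTs at the end are the ones asked about.
CAPTURE = """\
20:38:42.292963 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 62: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: S [tcp sum ok] 1749229470:1749229470(0) win 5840 <mss 1460,nop,nop,sackOK> (ttl 115, id 26048)
20:38:42.310660 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: . [tcp sum ok] ack 1923749 win 5840 (ttl 115, id 26049)
20:38:42.315122 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 126: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: P 0:72(72) ack 1 win 5840 (ttl 115, id 26050)
20:38:42.337657 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: . [tcp sum ok] ack 227 win 5615 (ttl 115, id 26051)
20:38:42.342767 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: F [tcp sum ok] 72:72(0) ack 227 win 5615 (ttl 115, id 26052)
20:38:42.552086 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: R [tcp sum ok] 0:0(0) ack 69 win 0 (ttl 254, id 22081)
20:38:42.552268 0:60:8:13:40:39 0:50:8b:72:8e:11 ip 60: 12-248-255-47.client.attbi.com.45305 > www.remingtonltd.com.www: R [tcp sum ok] 0:0(0) ack 69 win 0 (ttl 254, id 22081)
"""

# The tcpdump 3.x "-e -vv" header shape seen above: timestamp, two MAC addresses,
# "ip <len>:", "src > dst:", TCP flag letters, anything, then "(ttl N, id M)".
HEADER_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+ ip \d+: (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+) .*\(ttl (?P<ttl>\d+), id (?P<id>\d+)\)$"
)


def parse_capture(text):
    """Return one dict per header line that matches HEADER_RE; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            packets.append({
                "ts": m["ts"], "src": m["src"], "dst": m["dst"],
                "flags": m["flags"], "ttl": int(m["ttl"]), "id": int(m["id"]),
            })
    return packets


def analyze_rsts(text):
    """Describe each RST in the capture relative to the flow it claims to belong to.

    Assumed heuristic (this example's, not Snort's): a RST whose TTL differs from
    the source host's earlier packets, or whose IP ID repeats one already seen
    from that source, was probably built by a different machine. A FIN seen
    before the RST means the session was closing anyway, so the RST adds nothing.
    """
    flow_ttl = {}                 # (src, dst) -> TTL of the first non-RST packet from src
    fin_seen = set()              # flows in which src has already sent a FIN
    ids_seen = defaultdict(set)   # src -> IP IDs observed from that source
    findings = []
    for p in parse_capture(text):
        flow = (p["src"], p["dst"])
        if "R" in p["flags"]:
            base = flow_ttl.get(flow)
            findings.append({
                "ts": p["ts"],
                "ttl": p["ttl"],
                "flow_ttl": base,
                "ttl_differs": base is not None and base != p["ttl"],
                "fin_before_rst": flow in fin_seen,
                "duplicate_ip_id": p["id"] in ids_seen[p["src"]],
            })
        else:
            flow_ttl.setdefault(flow, p["ttl"])
            if "F" in p["flags"]:
                fin_seen.add(flow)
        ids_seen[p["src"]].add(p["id"])
    return findings


if __name__ == "__main__":
    for f in analyze_rsts(CAPTURE):
        verdict = "TTL differs from flow, likely injected" if f["ttl_differs"] else "TTL consistent with flow"
        print(f"{f['ts']} RST ttl={f['ttl']} (flow ttl {f['flow_ttl']}): {verdict};"
              f" FIN already seen={f['fin_before_rst']}; duplicate IP id={f['duplicate_ip_id']}")
```

Run against the capture above it reports two RSTs, both with TTL 254 where every earlier packet from the client carried TTL 115, both carrying the same IP ID 22081 while the client's own IDs counted up 26048 through 26052, and both arriving after the client's FIN. Those three observations are what distinguish a RST built and sent by another host from one the client itself emitted, and the FIN-before-RST flag is the situation Phil describes where the reset is superfluous. The regex is tied to the tcpdump output format of that era; newer tcpdump prints flags as `Flags [S]` and would need the pattern adjusted.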