Snort mailing list archives
Bug/Feature in Snort?
From: "Paul Farley" <Paul.Farley () EventLevel com>
Date: Sun, 10 Mar 2002 18:27:12 -0500
All,

If you observe the TTL values for all three of the alerts, the 1st and 3rd packets have a TTL of 115, which is reasonable considering this attack originates from Windows hosts, and often the starting TTL value for Windows hosts is 128. The 2nd packet, however, has a TTL of 255, which is inconsistent with the other two packets. In addition, the sequence numbers are not in order as expected (unless packets arrived out of order, and then they would still be close to each other), which further caused me to question the 2nd alert.

"Packet #1" Snort Timestamp - 02/16-03:25:26.647724 , Seq # 0xE74AC174
"Packet #2" Snort Timestamp - 02/16-03:25:26.843748 , Seq # 0x74C14AE7
"Packet #3" Snort Timestamp - 02/16-03:25:27.137076 , Seq # 0xE75FC315

"Packet #2" appears to be an ack from my server back to the attacker, so I'm puzzled about why the alert fired on that packet and reported it attacker -> my.net, and the TTL for that packet is 127, not 255. Could this be a Snort bug or am I missing something obvious?
The Snort Alert:

[**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/16-03:25:26.647724 66.76.77.48:4832 -> MY.NET.9.170:80
TCP TTL:115 TOS:0x0 ID:26092 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xE74AC174  Ack: 0x4A529D53  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/16-03:25:26.843748 66.76.77.48:4832 -> MY.NET.9.170:80
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:112
***AP*** Seq: 0x74C14AE7  Ack: 0x74C14AE7  Win: 0x4428  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/16-03:25:27.137076 66.76.77.48:4889 -> MY.NET.9.170:80
TCP TTL:115 TOS:0x0 ID:26172 IpLen:20 DgmLen:162 DF
***AP*** Seq: 0xE75FC315  Ack: 0x4A558268  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

The snort rule that fired the alert:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:3;)

Summary of traffic between the two hosts on port 4832 and port 80 (the first two alerts):
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-03:25:26.575601 66.76.77.48:4832 -> MY.NET.9.170:80
TCP TTL:115 TOS:0x0 ID:26085 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE74AC173  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-03:25:26.577224 MY.NET.9.170:80 -> 66.76.77.48:4832
TCP TTL:127 TOS:0x0 ID:49656 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x4A529D52  Ack: 0xE74AC174  Win: 0x4470  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-03:25:26.636690 66.76.77.48:4832 -> MY.NET.9.170:80
TCP TTL:115 TOS:0x0 ID:26091 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xE74AC174  Ack: 0x4A529D53  Win: 0x4470  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-03:25:26.647724 66.76.77.48:4832 -> MY.NET.9.170:80
TCP TTL:115 TOS:0x0 ID:26092 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xE74AC174  Ack: 0x4A529D53  Win: 0x4470  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 72 6F 6F  GET /scripts/roo
74 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54  t.exe?/c+dir HTT
50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77  P/1.0..Host: www
0D 0A 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63  ..Connnection: c
6C 6F 73 65 0D 0A 0D 0A                          lose....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-03:25:26.843748 MY.NET.9.170:80 -> 66.76.77.48:4832
TCP TTL:127 TOS:0x0 ID:49657 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x4A529D53  Ack: 0xE74AC1BC  Win: 0x4428  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-03:25:26.980743 MY.NET.9.170:80 -> 66.76.77.48:4832
TCP TTL:127 TOS:0x0 ID:49658 IpLen:20 DgmLen:228 DF
***AP*** Seq: 0x4A529D53  Ack: 0xE74AC1BC  Win: 0x4428  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 53 65 72 76 65 72 3A 20 4D 69 63 72 6F 73 6F  .Server: Microso
66 74 2D 49 49 53 2F 35 2E 30 0D 0A 44 61 74 65  ft-IIS/5.0..Date
3A 20 53 61 74 2C 20 31 36 20 46 65 62 20 32 30  : Sat, 16 Feb 20
30 32 20 30 38 3A 32 33 3A 32 39 20 47 4D 54 0D  02 08:23:29 GMT.
0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61  .Content-Type: a

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-03:25:26.983042 MY.NET.9.170:80 -> 66.76.77.48:4832
TCP TTL:127 TOS:0x0 ID:49659 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x4A529E0F  Ack: 0xE74AC1BC  Win: 0x4428  TcpLen: 20
20 44 69 72 65 63 74 6F 72 79 20 6F 66 20 63 3A   Directory of c:
5C 69 6E 65 74 70 75 62 5C 73 63 72 69 70 74 73  \inetpub\scripts
0D 0A 0D 0A 30 32 2F 31 30 2F 32 30 30 32 20 20  ....02/10/2002
30 33 3A 30 39 61 20 20 20 20 20 20 3C 44 49 52  03:09a      <DIR
3E 20 20 20 20 20 20 20 20 20 20 2E 0D 0A 30 32  >          ...02
2F 31 30 2F 32 30 30 32 20 20 30 33 3A 30 39 61  /10/2002  03:09a

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-03:25:26.983407 MY.NET.9.170:80 -> 66.76.77.48:4832
TCP TTL:127 TOS:0x0 ID:49660 IpLen:20 DgmLen:420 DF
***AP*** Seq: 0x4A52A3C3  Ack: 0xE74AC1BC  Win: 0x4428  TcpLen: 20
30 39 3A 33 32 70 20 20 20 20 20 20 20 20 20 20  09:32p
20 20 20 20 20 20 20 20 20 30 20 54 46 54 50 31           0 TFTP1
37 39 36 0D 0A 30 39 2F 31 39 2F 32 30 30 31 20  796..09/19/2001
20 30 32 3A 31 36 61 20 20 20 20 20 20 20 20 20   02:16a
20 20 20 20 20 20 20 20 20 20 30 20 54 46 54 50            0 TFTP
31 38 36 38 0D 0A 31 30 2F 32 39 2F 32 30 30 31  1868..10/29/2001

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-03:25:27.059130 66.76.77.48:4832 -> MY.NET.9.170:80
TCP TTL:115 TOS:0x0 ID:26157 IpLen:20 DgmLen:40 DF
*****R** Seq: 0xE74AC1BC  Ack: 0xE759BEB6  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-03:25:27.079110 66.76.77.48:4832 -> MY.NET.9.170:80
TCP TTL:115 TOS:0x0 ID:26162 IpLen:20 DgmLen:40
*****R** Seq: 0xE74AC1BC  Ack: 0xE74AC1BC  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-03:25:27.080710 66.76.77.48:4832 -> MY.NET.9.170:80
TCP TTL:115 TOS:0x0 ID:26163 IpLen:20 DgmLen:40
*****R** Seq: 0xE74AC1BC  Ack: 0xE74AC1BC  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Regards,

Paul Farley
EventLevel, Inc.
Paul.Farley () EventLevel com
http://www.eventlevel.com
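A small triage script, added here and not part of Paul's post or of Snort, that parses the three alert headers above and flags the inconsistencies he points out (a TTL that disagrees with the other alerts from the same source, a sequence number far from its predecessor on the same connection, Seq equal to Ack). It also checks whether an alert's Seq is the byte-swapped copy of the previous one, which is exactly the relation between 0x74C14AE7 and 0xE74AC174. The regex and the single-line alert layout are my assumptions; the alert text is copied from the post.

```python
import re
import struct

# Sample input constructed from the three alerts quoted in the post.
ALERTS = """\
02/16-03:25:26.647724 66.76.77.48:4832 -> MY.NET.9.170:80 TCP TTL:115 TOS:0x0 ID:26092 IpLen:20 DgmLen:112 DF ***AP*** Seq: 0xE74AC174 Ack: 0x4A529D53 Win: 0x4470 TcpLen: 20
02/16-03:25:26.843748 66.76.77.48:4832 -> MY.NET.9.170:80 TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:112 ***AP*** Seq: 0x74C14AE7 Ack: 0x74C14AE7 Win: 0x4428 TcpLen: 20
02/16-03:25:27.137076 66.76.77.48:4889 -> MY.NET.9.170:80 TCP TTL:115 TOS:0x0 ID:26172 IpLen:20 DgmLen:162 DF ***AP*** Seq: 0xE75FC315 Ack: 0x4A558268 Win: 0x4470 TcpLen: 20
"""

# Assumed layout: one Snort alert header per line (timestamp, 4-tuple, IP and TCP fields).
HDR = re.compile(
    r"(?P<ts>\S+) (?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"TCP TTL:(?P<ttl>\d+) TOS:0x(?P<tos>[0-9A-Fa-f]+) ID:(?P<id>\d+) .*?"
    r"Seq: 0x(?P<seq>[0-9A-Fa-f]+) Ack: 0x(?P<ack>[0-9A-Fa-f]+)")

def parse_alerts(text):
    """Turn each alert header line into a dict of the fields we triage on."""
    out = []
    for line in text.splitlines():
        m = HDR.search(line)
        if m:
            d = m.groupdict()
            out.append({"ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
                        "ttl": int(d["ttl"]), "tos": int(d["tos"], 16), "id": int(d["id"]),
                        "seq": int(d["seq"], 16), "ack": int(d["ack"], 16)})
    return out

def bswap32(x):
    """Reverse the byte order of a 32-bit value (0xE74AC174 -> 0x74C14AE7)."""
    return struct.unpack("<I", struct.pack(">I", x))[0]

def triage(alerts):
    """Map alert index -> list of consistency problems worth a second look."""
    issues = {i: [] for i in range(len(alerts))}
    ttls_by_src = {}
    for a in alerts:
        ttls_by_src.setdefault(a["src"], []).append(a["ttl"])
    for i, a in enumerate(alerts):
        ttls = ttls_by_src[a["src"]]
        usual = max(set(ttls), key=ttls.count)   # most common TTL seen from this source
        if a["ttl"] != usual:
            issues[i].append(f"ttl {a['ttl']} differs from usual {usual} for {a['src']}")
        if a["seq"] == a["ack"]:
            issues[i].append("seq == ack")
        if i > 0 and (alerts[i-1]["src"], alerts[i-1]["sport"]) == (a["src"], a["sport"]):
            prev = alerts[i-1]["seq"]   # same connection: seq should be close to the last one
            if a["seq"] == bswap32(prev):
                issues[i].append("seq is byte-swapped copy of previous seq")
            elif (a["seq"] - prev) % 2**32 > 2**16:
                issues[i].append("seq far from previous seq on same connection")
    return issues

if __name__ == "__main__":
    for i, probs in triage(parse_alerts(ALERTS)).items():
        print(f"alert {i+1}: {probs or 'consistent'}")
```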