Snort mailing list archives

Bug/Feature in Snort?

From: "Paul Farley" <Paul.Farley () EventLevel com>
Date: Sun, 10 Mar 2002 18:27:12 -0500
All,  

If you observe the TTL values for all three of the alerts, the 1st and
3rd packets have a TTL of  115, which is reasonable considering this
attack originates from Windows hosts, and often the starting TTL value
for Windows hosts is 128.  The 2nd packet however has a TTL of 255,
which is inconsistent with the other two packets.  In addition the
sequence numbers are not in order as expected (unless packets arrived
out of order and then they would still be close to each other), and
further caused me to question the 2nd alert.

"Packet #1" Snort Timestamp - 02/16-03:25:26.647724 , Seq # 0xE74AC174
"Packet #2" Snort Timestamp - 02/16-03:25:26.843748 , Seq # 0x74C14AE7
"Packet #3" Snort Timestamp - 02/16-03:25:27.137076 , Seq # 0xE75FC315

"Packet #2" appears to be an ack from my server back to the attacker, so
I'm puzzled about why the alert fired on that packet and reported it
attacker -> my.net and the TTL for that packet is 127, not 255.

Could this be a Snort bug or am I missing something obvious?

The Snort Alert:

[**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/16-03:25:26.647724 66.76.77.48:4832 -> MY.NET.9.170:80
TCP TTL:115 TOS:0x0 ID:26092 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xE74AC174  Ack: 0x4A529D53  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/16-03:25:26.843748 66.76.77.48:4832 -> MY.NET.9.170:80
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:112
***AP*** Seq: 0x74C14AE7  Ack: 0x74C14AE7  Win: 0x4428  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/16-03:25:27.137076 66.76.77.48:4889 -> MY.NET.9.170:80
TCP TTL:115 TOS:0x0 ID:26172 IpLen:20 DgmLen:162 DF
***AP*** Seq: 0xE75FC315  Ack: 0x4A558268  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]


The snort rule that fired the alert:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2
root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase;
classtype:web-application-attack;
reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:3;)

Summary of traffic between the two hosts on port 4832 and port 80(the
first two alerts).

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+
02/16-03:25:26.575601 66.76.77.48:4832 -> MY.NET.9.170:80
TCP TTL:115 TOS:0x0 ID:26085 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE74AC173  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+

02/16-03:25:26.577224 MY.NET.9.170:80 -> 66.76.77.48:4832
TCP TTL:127 TOS:0x0 ID:49656 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x4A529D52  Ack: 0xE74AC174  Win: 0x4470  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+

02/16-03:25:26.636690 66.76.77.48:4832 -> MY.NET.9.170:80
TCP TTL:115 TOS:0x0 ID:26091 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xE74AC174  Ack: 0x4A529D53  Win: 0x4470  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+

02/16-03:25:26.647724 66.76.77.48:4832 -> MY.NET.9.170:80
TCP TTL:115 TOS:0x0 ID:26092 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xE74AC174  Ack: 0x4A529D53  Win: 0x4470  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 72 6F 6F  GET /scripts/roo
74 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54  t.exe?/c+dir HTT
50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77  P/1.0..Host: www
0D 0A 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63  ..Connnection: c
6C 6F 73 65 0D 0A 0D 0A                          lose....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+

02/16-03:25:26.843748 MY.NET.9.170:80 -> 66.76.77.48:4832
TCP TTL:127 TOS:0x0 ID:49657 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x4A529D53  Ack: 0xE74AC1BC  Win: 0x4428  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+

02/16-03:25:26.980743 MY.NET.9.170:80 -> 66.76.77.48:4832
TCP TTL:127 TOS:0x0 ID:49658 IpLen:20 DgmLen:228 DF
***AP*** Seq: 0x4A529D53  Ack: 0xE74AC1BC  Win: 0x4428  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 53 65 72 76 65 72 3A 20 4D 69 63 72 6F 73 6F  .Server: Microso
66 74 2D 49 49 53 2F 35 2E 30 0D 0A 44 61 74 65  ft-IIS/5.0..Date
3A 20 53 61 74 2C 20 31 36 20 46 65 62 20 32 30  : Sat, 16 Feb 20
30 32 20 30 38 3A 32 33 3A 32 39 20 47 4D 54 0D  02 08:23:29 GMT.
0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61  .Content-Type: a

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+

02/16-03:25:26.983042 MY.NET.9.170:80 -> 66.76.77.48:4832
TCP TTL:127 TOS:0x0 ID:49659 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x4A529E0F  Ack: 0xE74AC1BC  Win: 0x4428  TcpLen: 20
20 44 69 72 65 63 74 6F 72 79 20 6F 66 20 63 3A   Directory of c:
5C 69 6E 65 74 70 75 62 5C 73 63 72 69 70 74 73  \inetpub\scripts
0D 0A 0D 0A 30 32 2F 31 30 2F 32 30 30 32 20 20  ....02/10/2002
30 33 3A 30 39 61 20 20 20 20 20 20 3C 44 49 52  03:09a      <DIR
3E 20 20 20 20 20 20 20 20 20 20 2E 0D 0A 30 32  >          ...02
2F 31 30 2F 32 30 30 32 20 20 30 33 3A 30 39 61  /10/2002  03:09a

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+

02/16-03:25:26.983407 MY.NET.9.170:80 -> 66.76.77.48:4832
TCP TTL:127 TOS:0x0 ID:49660 IpLen:20 DgmLen:420 DF
***AP*** Seq: 0x4A52A3C3  Ack: 0xE74AC1BC  Win: 0x4428  TcpLen: 20
30 39 3A 33 32 70 20 20 20 20 20 20 20 20 20 20  09:32p
20 20 20 20 20 20 20 20 20 30 20 54 46 54 50 31           0 TFTP1
37 39 36 0D 0A 30 39 2F 31 39 2F 32 30 30 31 20  796..09/19/2001
20 30 32 3A 31 36 61 20 20 20 20 20 20 20 20 20   02:16a
20 20 20 20 20 20 20 20 20 20 30 20 54 46 54 50            0 TFTP
31 38 36 38 0D 0A 31 30 2F 32 39 2F 32 30 30 31  1868..10/29/2001

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+

02/16-03:25:27.059130 66.76.77.48:4832 -> MY.NET.9.170:80
TCP TTL:115 TOS:0x0 ID:26157 IpLen:20 DgmLen:40 DF
*****R** Seq: 0xE74AC1BC  Ack: 0xE759BEB6  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+

02/16-03:25:27.079110 66.76.77.48:4832 -> MY.NET.9.170:80
TCP TTL:115 TOS:0x0 ID:26162 IpLen:20 DgmLen:40
*****R** Seq: 0xE74AC1BC  Ack: 0xE74AC1BC  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+

02/16-03:25:27.080710 66.76.77.48:4832 -> MY.NET.9.170:80
TCP TTL:115 TOS:0x0 ID:26163 IpLen:20 DgmLen:40
*****R** Seq: 0xE74AC1BC  Ack: 0xE74AC1BC  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+


Regards,

Paul Farley
EventLevel, Inc.
Paul.Farley () EventLevel com
http://www.eventlevel.com


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:

Bug/Feature in Snort? Paul Farley (Mar 10)
- Re: Bug/Feature in Snort? Ryan Russell (Mar 10)
  - RE: Bug/Feature in Snort? Paul Farley (Mar 10)
- Re: Bug/Feature in Snort? Martin Roesch (Mar 10)