Snort mailing list archives

snort, nessus and teardrop


From: Svein Erik Søberg <ses () antares no>
Date: Fri, 28 Feb 2003 13:58:36 +0100

Hi!

I have used Nessus to send a Teardrop attack. The resulting packets look like this:

14:43:46.659165 192.168.1.19.ntp > 192.168.1.25.netbios-ns:  [bad udp cksum b549!] [len=28] v0 unspec strat 0 poll 0 
prec 0 dist 0.000000 disp 12544.000000 ref (unspec)@503316480.269531250 [|ntp] (frag 242:36@0+) (ttl 64, len 56)
                         4500 0038 00f2 2000 4011 d646 c0a8 0113
                         c0a8 0119 007b 0089 0008 7b5d 0000 0000
                         0000 0000 3100 0000 0104 0000 1e00 0000
                         4500 0038 00f2 2000


Apart from the frag2 preprocessor, that I have to admit I know little about, there is also a rule in dos.rules:

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; id:242; fragbits:M; 
reference:cve,CAN-1999-0015; reference:url,www.cert.org/advisories/CA-1997-28.html; reference:bugtraq,124; 
classtype:attempted-dos; sid:270; rev:2;)


So just in case, I disabled all preprocessors and ran the tcpdump file again without response.

Now, as far as I can tell, the above is a udp packet with id= 0xf2 = 242 and the more frag bit is set.
In the conf file the Home_Net variable is set to 192.168.1.25/32 and External_Net to !$Home_Net, so the packet should 
match the rule.

Eventually I commented out all rules, except for one that I made to trigger on any ip traffic between the two addresses 
above, and it did.
When I substituted 'ip' with 'udp', Snort didn't log any of the Nessus generated traffic, but lots of other udp traffic.
In addition, using port numbers in the rule failed to catch the teardrop packets both in combination with 'ip' and 
'udp'.

I have no problems with catching the packets with tcpdump and relevant filters though.
Can anyone see any reason why my Snort doesn't even recognize the packets as udp?

Oh, and I've already had a few drinks just in case I'm ignoring something b****y obvious.

Regards,

Svein Erik Søberg

Snort v1.9.0 Build 209 on a RH 8.0
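The first fragment quoted above, decoded field by field. This is an added example, not code from the post or from the Snort project, and the function and class names are my own. It parses the hex dump that tcpdump printed, verifies the IP header checksum, checks the header-level conditions of the quoted dos.rules signature (id:242; fragbits:M), and shows why a rule keyed on the transport layer is unreliable on a fragment: only the offset-0 fragment carries a UDP header at all, and here even that header's length field (8) contradicts the 36 bytes of IP payload the fragment actually carries, which is the kind of inconsistency a decoder has to treat as untrustworthy until reassembly.

```python
import struct
from dataclasses import dataclass

# Constructed from the tcpdump hex dump quoted in the post: the 56-byte first fragment.
FRAG_HEX = """
4500 0038 00f2 2000 4011 d646 c0a8 0113
c0a8 0119 007b 0089 0008 7b5d 0000 0000
0000 0000 3100 0000 0104 0000 1e00 0000
4500 0038 00f2 2000
"""


@dataclass
class IPv4Header:
    version: int
    ihl: int            # header length in bytes
    total_length: int
    ident: int
    reserved: bool
    df: bool
    mf: bool
    frag_offset: int    # in bytes (wire value * 8)
    ttl: int
    proto: int
    checksum: int
    src: str
    dst: str


def parse_hex_dump(text: str) -> bytes:
    """Turn tcpdump's whitespace-separated hex words back into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header bytes.
    Run over a header that still contains its checksum field, the result is 0 iff the checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Decode the fixed 20-byte IPv4 header (options, if any, are skipped via ihl)."""
    vihl, _tos, tlen, ident, flags_off, ttl, proto, csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    return IPv4Header(
        version=vihl >> 4, ihl=(vihl & 0xF) * 4, total_length=tlen, ident=ident,
        reserved=bool(flags_off & 0x8000), df=bool(flags_off & 0x4000),
        mf=bool(flags_off & 0x2000), frag_offset=(flags_off & 0x1FFF) * 8,
        ttl=ttl, proto=proto, checksum=csum,
        src=".".join(map(str, src)), dst=".".join(map(str, dst)))


def transport_header_available(h: IPv4Header) -> bool:
    """Only the offset-0 fragment carries the UDP/TCP header; every later fragment is
    opaque payload until the datagram is reassembled, so port-based rules cannot be
    evaluated against it."""
    return h.frag_offset == 0


def parse_udp(pkt: bytes, h: IPv4Header):
    """(sport, dport, udp_length, checksum) from the first fragment, or None otherwise."""
    if not transport_header_available(h):
        return None
    return struct.unpack("!HHHH", pkt[h.ihl:h.ihl + 8])


def udp_length_mismatch(pkt: bytes, h: IPv4Header) -> int:
    """IP payload bytes in this fragment minus the UDP length field; 0 when consistent."""
    udp = parse_udp(pkt, h)
    ip_payload = h.total_length - h.ihl
    return ip_payload - udp[2]


def teardrop_rule_matches(h: IPv4Header) -> bool:
    """Header-level conditions of the quoted dos.rules signature: id:242 and fragbits:M.
    Written as an exact flag match (MF set, DF and reserved clear), which this packet satisfies."""
    return h.ident == 242 and h.mf and not h.df and not h.reserved


def summarize(text: str = FRAG_HEX) -> dict:
    pkt = parse_hex_dump(text)
    h = parse_ipv4(pkt)
    return {
        "header": h,
        "checksum_ok": ip_checksum(pkt[:h.ihl]) == 0,
        "udp": parse_udp(pkt, h),
        "udp_length_mismatch": udp_length_mismatch(pkt, h),
        "teardrop_rule": teardrop_rule_matches(h),
    }


if __name__ == "__main__":
    for k, v in summarize().items():
        print(f"{k}: {v}")
```

Running it against the quoted dump reports id 242, MF set with offset 0, protocol 17, a valid IP checksum, ports 123 -> 137, and a UDP length field 28 bytes short of the payload the fragment carries; the rule's header conditions are satisfied on the IP layer alone, which is the layer a fragment can be judged on before reassembly.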


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

