Snort mailing list archives

Re: Reset Counters


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 23 Jan 2003 17:27:29 -0500

At 02:56 PM 1/23/2003 -0600, Bob McDowell wrote:

Bring on the penalty drinks, but I need help.

Drink lots of water before bed and you shouldn't have too bad of a hangover :)


True or False: 'USER overflow' rules are triggered by the same IP passing too many 'USER' commands from the same IP within a specified amount of time.


False, snort rules cannot be time based and must be a stateless packet-match type deal. Thus neither these rules, nor any others, are based on any type of "n events within n seconds" type logic. Only preprocessors do that kind of thing (i.e. spp_portscan).



At first I thought this was how this worked. Testing certainly seemed to prove it out to be so. If this is the case, I need to allow more consecutive attempts before I sent a 'resp' packet.

In researching the rule (specifically the FTP USER overflow rule) I can't find anything that relates to my observation. From looking at the rule, it seems to examine the content of each packet - and not have anything to do with the number of tries.

Correct, the FTP USER overflow rule will trigger if more than 100 bytes of data, containing the string "user", are sent before a response from the server is generated. Because of the stream4 preprocessor, this data may occur in multiple TCP data frames (i.e. multiple IP-layer packets), but stream4 should flush whenever the server responds with your typical "password required for user xxxxx" type deal. Someone more familiar with the inner workings of stream4 may be able to confirm/deny this behavior.

Also, if you're running a version of snort prior to the current one (1.9.0), check the release notes to see if any versions fixed bugs in stream4. I know there have been several fixes to that preprocessor over time.

The idea here is to look for a buffer overflow attempt in the user command which happens when someone sends something like:

user xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx<insert lots more x's, followed by stack-smash style shell code>

Several old versions of FTP daemon had such overflows, and no user login name I've ever seen has been over 80 characters :)


Thus, confusion ensues.

Hope that explanation helps

Any help would be greatly appreciated. Also anything written more clearly than the 'How to Write..' that might explain this would be great. Maybe I'm just tired, but it is giving me a headache.


Bob McDowell
IS Specialist
Cox HealthPlans, LLC
417.269.2848
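As an added illustration of the point made in the reply above (this is not code from the thread, from Snort, or from either poster): a small Python model of a stateless content/size rule applied to FTP client data, first per packet and then on a stream4-style reassembled buffer that is flushed whenever the server answers. The rule predicate (more than 100 bytes containing "user" before a server response) is taken from the reply; the exact options of the 2003 rule are not reproduced. The sample exchanges are constructed, and the 60-byte segment size is an arbitrary choice to show why reassembly matters.

```python
"""Model of a stateless Snort-style content/dsize rule on FTP client data.

Constructed illustration only. The rule predicate follows the description in
the reply (more than 100 bytes containing "user" before the server responds);
the real rule's option syntax is assumed, not quoted.
"""
import re

USER_RE = re.compile(rb"user", re.IGNORECASE)
OVERFLOW_DSIZE = 100  # threshold from the reply; assumed to map to dsize:>100


def rule_matches(payload: bytes) -> bool:
    """Stateless match on one payload (a single packet or a reassembled buffer).

    No memory of earlier packets: there is no "N USER commands in T seconds"
    logic here, only size plus content of the data in front of the rule.
    """
    return len(payload) > OVERFLOW_DSIZE and USER_RE.search(payload) is not None


def per_packet_alerts(exchange) -> int:
    """Apply the rule to each client->server segment on its own (no reassembly)."""
    return sum(1 for direction, data in exchange
               if direction == "c2s" and rule_matches(data))


def stream4_like_alerts(exchange) -> int:
    """Apply the rule to client->server data reassembled until the server answers.

    Mirrors the flush behaviour described in the reply: client bytes accumulate,
    and a server response flushes the buffer through the rule.
    """
    alerts = 0
    buf = b""
    for direction, data in exchange:
        if direction == "c2s":
            buf += data
        else:  # any server response flushes the reassembled client buffer
            if rule_matches(buf):
                alerts += 1
            buf = b""
    if rule_matches(buf):  # client data left over with no server response yet
        alerts += 1
    return alerts


def build_exchanges():
    """Constructed sample FTP exchanges (not captured traffic).

    Each exchange is a list of (direction, bytes) tuples, direction being
    "c2s" (client to server) or "s2c" (server to client).
    """
    # Five ordinary login attempts in a row: many USER commands, all short.
    legit = []
    for name in [b"bob", b"alice", b"carol", b"dave", b"erin"]:
        legit.append(("c2s", b"USER " + name + b"\r\n"))
        legit.append(("s2c", b"331 Password required for " + name + b".\r\n"))

    # One oversized USER command; the x's stand in for padding plus shellcode.
    overflow_cmd = b"USER " + b"x" * 300 + b"\r\n"
    one_segment = [("c2s", overflow_cmd), ("s2c", b"530 Login incorrect.\r\n")]

    # The same 307 bytes delivered as 60-byte TCP segments; the server only
    # answers after the whole line has arrived.
    chunks = [overflow_cmd[i:i + 60] for i in range(0, len(overflow_cmd), 60)]
    split = [("c2s", c) for c in chunks] + [("s2c", b"530 Login incorrect.\r\n")]

    return {"legit": legit, "one_segment": one_segment, "split": split}


if __name__ == "__main__":
    for name, exchange in build_exchanges().items():
        print(f"{name:12s} per-packet={per_packet_alerts(exchange)} "
              f"reassembled={stream4_like_alerts(exchange)}")
```

Repeated short logins never fire regardless of how many there are, which is the "no counting" point; a single oversized USER line fires once either way; and the same line split into small segments fires only on the reassembled buffer, since no individual segment is both over 100 bytes and contains "user".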


