Snort mailing list archives

RE: rules with flow:established not working


From: "Ed Callahan" <snort () edcallahan com>
Date: Sat, 25 Oct 2003 13:14:40 -0500

Erek and Paul -

I've monitored traffic to my server with ethereal while accessing the
IIS server on port 80. Here's the traffic summary:

No.  Source        Destination   Protocol Info
 1   64.91.71.16   10.2.2.50     TCP      62608 > http [SYN] Seq=2746578703 Ack=3805839784 Win=25200 Len=0
 2   10.2.2.50     64.91.71.16   TCP      http > 62608 [SYN, ACK] Seq=321111367 Ack=2746578704 Win=17490 Len=0
 3   64.91.71.16   10.2.2.50     TCP      62608 > http [ACK] Seq=2746578704 Ack=321111368 Win=25200 Len=0
 4   64.91.71.16   10.2.2.50     HTTP     GET / HTTP/1.1
 5   10.2.2.50     64.91.71.16   HTTP     HTTP/1.1 200 OK
 6   64.91.71.16   10.2.2.50     TCP      62608 > http [ACK] Seq=2746578992 Ack=321111368 Win=25200 Len=0
 7   64.91.71.16   10.2.2.50     TCP      62608 > http [ACK] Seq=2746578992 Ack=321113085 Win=25200 Len=0
 8   64.91.71.16   10.2.2.50     TCP      62608 > http [RST] Seq=2746578992 Ack=321113085 Win=0 Len=0
 9   64.91.71.16   10.2.2.50     TCP      62609 > http [SYN] Seq=2746688615 Ack=4255134799 Win=25200 Len=0
10   10.2.2.50     64.91.71.16   TCP      http > 62609 [SYN, ACK] Seq=3997423584 Ack=2746688616 Win=17490 Len=0
11   64.91.71.16   10.2.2.50     TCP      62609 > http [ACK] Seq=2746688616 Ack=3997423585 Win=25200 Len=0
12   64.91.71.16   10.2.2.50     HTTP     GET /pagerror.gif HTTP/1.1
13   10.2.2.50     64.91.71.16   HTTP     HTTP/1.1 200 OK
14   64.91.71.16   10.2.2.50     TCP      62609 > http [RST] Seq=2746688954 Ack=3997423585 Win=0 Len=0

Again, this trips the simple rule:

alert tcp any any -> any 80 (msg:"test";)

but not the rule:

alert tcp any any -> any 80 (msg:"test"; flow:established;)

I'm reaching the limit of my comfort-zone here, but packets 1-3 seem
to be the 3-way handshake you and Paul referred to, and I see the ACK
bit set. So it would seem that the problem is not with my NIC/OS or
with Winpcap (if ethereal is using that to read packets?).

I've seen in a Google search other users report just this problem, but
never seen how it was resolved. I know the rules w/ "established"
work for many, probably most, win32 users. But I still wonder if I've
stumbled on a snort bug.

Ed Callahan
snort () edcallahan com


On Fri, 24 Oct 2003, Erek wrote:

On Fri, 24 Oct 2003, Schmehl, Paul L wrote:

How does snort know the flow is established?

Erek can correct me if I'm wrong, but I'm pretty sure it's the three way
handshake, and I'm *not* sure that Nikto does that.  I think it may just
throw exploit strings at the server and look at the responses.  If so,
that would explain why the flow:established rules aren't triggering
alerts.

That's exactly it.  For the most part, many of the 'exploit scanners'
don't really do anything except throw packets with an exploit at a server.
Flow:established actually looks to make sure there was a full three way
handshake completed.

I'm going to side with Paul on this...  I'd really guess that either the
software isn't sending the full packet set, or for some reason you're not
getting all the traffic.

I would think that ethereal would show you what's going on.  Just start
it up and record the session and then browse through the results.

Using ethereal would be perfect.  The follow session option would be just
what you need to see what's really going on.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
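The difference Erek describes between a header-only rule and one carrying flow:established, worked as a small model. This is an added example, not part of the original thread and not Snort's own code: a toy TCP flow tracker that marks a session established only after the SYN, SYN/ACK and ACK have all been seen, and a minimal rule parser that understands the two rules Ed posted. The packet list is constructed to mirror the 14-packet ethereal summary above; the second, handshake-less list is constructed to stand in for the scanner behaviour Paul suspected of Nikto. Sequence-number checks, FIN teardown and session timeouts are left out on purpose.

```python
# Added example (not Snort code): a toy TCP flow tracker plus a rule matcher that
# shows why a header-only rule and a flow:established rule alert on different
# packets. Simplified on purpose: no sequence checks, no FIN teardown, no timeouts.
import re
from collections import namedtuple

# flags is a set drawn from {"SYN", "ACK", "RST"}; payload defaults to empty.
Packet = namedtuple("Packet", "src sport dst dport flags payload", defaults=(b"",))

def _flow_key(p):
    # Same key whichever direction the packet travels.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)

class FlowTracker:
    """A flow is ESTABLISHED only after SYN, SYN/ACK and ACK are seen in order."""

    def __init__(self):
        self.sessions = {}          # flow key -> [state, client (ip, port)]

    def observe(self, p):
        """Update state for p and return it: NONE, SYN_SENT, SYN_RECV, ESTABLISHED or CLOSED."""
        key, f = _flow_key(p), p.flags
        sess = self.sessions.get(key)
        if "RST" in f:                                   # reset tears the session down
            self.sessions.pop(key, None)
            return "CLOSED"
        if "SYN" in f and "ACK" not in f:                # 1: client SYN
            self.sessions[key] = ["SYN_SENT", (p.src, p.sport)]
        elif sess and "SYN" in f and "ACK" in f \
                and sess[0] == "SYN_SENT" and sess[1] == (p.dst, p.dport):
            sess[0] = "SYN_RECV"                         # 2: server SYN/ACK
        elif sess and "ACK" in f and "SYN" not in f \
                and sess[0] == "SYN_RECV" and sess[1] == (p.src, p.sport):
            sess[0] = "ESTABLISHED"                      # 3: client ACK completes it
        return self.sessions[key][0] if key in self.sessions else "NONE"

_RULE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    """Header plus 'name:value;' options: enough for the two rules in the post.
    Header fields accept only 'any' or one literal address/port."""
    m = _RULE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = {}
    for item in body.split(";"):                         # no ';' inside msg here
        if item.strip():
            name, _, value = item.partition(":")
            opts[name.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def rule_fires(rule, p, state):
    header = (("src", p.src), ("sport", p.sport), ("dst", p.dst), ("dport", p.dport))
    if not all(rule[k] in ("any", str(v)) for k, v in header):
        return False
    flow = rule["opts"].get("flow")
    if flow is None:                                     # header-only: every packet
        return True
    wanted = {w.strip() for w in flow.split(",")}
    return "established" not in wanted or state == "ESTABLISHED"

def alerts(rule_text, packets):
    """1-based numbers of the packets on which the rule would alert."""
    rule, tracker = parse_rule(rule_text), FlowTracker()
    return [n for n, p in enumerate(packets, 1) if rule_fires(rule, p, tracker.observe(p))]

CLIENT, SERVER = "64.91.71.16", "10.2.2.50"

def c2s(port, *flags, payload=b""):      # client -> server on port 80
    return Packet(CLIENT, port, SERVER, 80, frozenset(flags), payload)

def s2c(port, *flags, payload=b""):      # server -> client
    return Packet(SERVER, 80, CLIENT, port, frozenset(flags), payload)

# Constructed to follow the 14-packet ethereal summary in the post.
CAPTURE = [
    c2s(62608, "SYN"), s2c(62608, "SYN", "ACK"), c2s(62608, "ACK"),          # 1-3
    c2s(62608, "ACK", payload=b"GET / HTTP/1.1\r\n\r\n"),                      # 4
    s2c(62608, "ACK", payload=b"HTTP/1.1 200 OK\r\n\r\n"),                     # 5
    c2s(62608, "ACK"), c2s(62608, "ACK"), c2s(62608, "RST"),                  # 6-8
    c2s(62609, "SYN"), s2c(62609, "SYN", "ACK"), c2s(62609, "ACK"),          # 9-11
    c2s(62609, "ACK", payload=b"GET /pagerror.gif HTTP/1.1\r\n\r\n"),         # 12
    s2c(62609, "ACK", payload=b"HTTP/1.1 200 OK\r\n\r\n"),                     # 13
    c2s(62609, "RST"),                                                        # 14
]
# Constructed: a scanner that sends requests without ever completing a
# handshake, the behaviour Paul suspected of Nikto.
NO_HANDSHAKE = [c2s(40000, "ACK", payload=b"GET /cgi-bin/ HTTP/1.0\r\n\r\n"),
                c2s(40000, "ACK", payload=b"GET /scripts/ HTTP/1.0\r\n\r\n")]

PLAIN = 'alert tcp any any -> any 80 (msg:"test";)'
ESTABLISHED = 'alert tcp any any -> any 80 (msg:"test"; flow:established;)'

if __name__ == "__main__":
    for rule in (PLAIN, ESTABLISHED):
        print(rule, alerts(rule, CAPTURE), alerts(rule, NO_HANDSHAKE))
```

Run stand-alone, the header-only rule alerts on every client-to-server packet of the capture (1, 3, 4, 6, 7, 8, 9, 11, 12, 14), while the flow:established rule alerts only on packets 3, 4, 6, 7, 11 and 12: nothing before the third handshake packet, nothing after the RST, and nothing at all for the handshake-less scanner. One check worth making when a capture like Ed's shows a complete handshake and flow:established still stays silent: in Snort 2.x the flow keyword relies on the stream4 preprocessor, so a snort.conf with the `preprocessor stream4` line commented out leaves every flow: rule unable to match regardless of what the NIC delivers.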