IDS mailing list archives
Re: sidestep
From: Jill Tovey <jill.tovey () bigbluedoor com>
Date: 29 Apr 2003 13:28:54 +0100
Okay, Thanks for the responses so far. I am tackling how the RPC attack works first. First of all I send the RPC request in normal mode. This gets detected by snort with the following output: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ TCP TTL:128 TOS:0x0 ID:8585 IpLen:20 DgmLen:84 DF ***AP*** Seq: 0xBE7826F7 Ack: 0x34F8656C Win: 0x4470 TcpLen: 20 80 00 00 28 00 00 00 00 00 00 00 00 00 00 00 02 ...(............ 00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 ............ =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ So I then try sidestep in -evade mode. It gets detected by snort anyway, as someone already mentioned, this is probably because sidestep is older than my snort rules. [**] RPC portmap listing [**] 04/29-12:57:58.607580 192.168.0.10:1471 -> 192.168.0.2:111 TCP TTL:128 TOS:0x0 ID:10424 IpLen:20 DgmLen:240 DF ***AP*** Seq: 0x19B53290 Ack: 0xB60B1018 Win: 0x4470 TcpLen: 20 80 00 00 28 00 00 00 00 00 00 00 00 00 00 00 02 ...(............ 00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01 00 00 00 00 01 00 00 00 00 01 02 00 00 00 01 ................ 00 00 00 00 01 01 00 00 00 01 86 00 00 00 01 A0 ................ 00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00 ................ 00 00 01 02 00 00 00 01 00 00 00 00 01 00 00 00 ................ 00 01 00 00 00 00 01 04 00 00 00 01 00 00 00 00 ................ 01 00 00 00 00 01 00 00 00 00 01 00 00 00 00 01 ................ 00 00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 ................ 00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00 ................ 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00 00 ................ 00 01 00 80 00 00 01 00 ........ =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ Anyway, as you can see the packet data is very different, but the first 44 bytes are the same, this is probably why snort is detecting the attack. So would anyone like to attempt an explanation as to how this tries to evade snort? Any comments much appreciated, Cheers ------------------------------------------------------------------------------- Can you respond to attacks based on attack type, severity, source IP, destination IP, number of times attacked, or the time of day an attack occurs? No? No wonder why you're swamped with false positives! Download a free 15-day trial of Border Guard and watch your false positives disappear. http://www.securityfocus.com/StillSecure-focus-ids2 -------------------------------------------------------------------------------
Current thread:
- Re: sidestep Jill Tovey (May 04)
- Re: sidestep Brian (May 06)
- <Possible follow-ups>
- Re: sidestep Randy Taylor (May 04)
- Re: sidestep Jill Tovey (May 04)
- Re: sidestep Randy Taylor (May 06)
- Re: sidestep Jill Tovey (May 04)
- RE: sidestep Golomb, Gary (May 04)
- RE: sidestep Jill Tovey (May 04)
- Re: sidestep Judy Novak (May 06)
- Re: sidestep Jill Tovey (May 06)
- Re: sidestep Martin Roesch (May 06)
- RE: sidestep Jill Tovey (May 04)