Snort mailing list archives
Re: Should snort react this way?
From: Chris Green <cmg () uab edu>
Date: Sat, 05 Jan 2002 00:52:39 -0600
"Ronneil Camara" <ronneilc () remingtonltd com> writes:

> Hi to everyone on the list. I would just like to confirm if snort should really behave this way. I configured snort with flexresp. I added "resp: rst_all" on a rule in web-iis and attack-responses rule that is related to cmd.exe and http dir listing. I attacked my default installation of IIS server (unicode) then I was still able to see the dir listings but snort, fortunately, sent a RST to both parties. The parameter that I used was scripts/..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\+/s
>
> My question is, why is it that I was still able to see a dir listing of about 30%-40% of the complete listing before my internet browser sensed a RST?
Because it is a race condition between the machines talking and snort. Since the directory info can fit in a couple packets, it's a race to send the rst before the OS (that had a head start). On a local net, you're going to have a very high "miss" statistic, and the more lag you have between the two end points, the more time you will have to fire off rsts.

resp is a good try but it's not 100% reliable.

--
Chris Green <cmg () uab edu>
Don't use a big word where a diminutive one will suffice.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
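The race Chris describes can be put into numbers with a small timing model. The following is an added example, not code from the thread or from the Snort project; every delay, segment count and scenario in it is constructed, and the slow-start behaviour is a deliberate simplification of real TCP. It tracks when the sensor's RSTs reach each end against when the server's reply segments reach the client, and counts how many segments the client's TCP accepts before its RST lands. Three constructed scenarios compare a LAN attacker with a remote one, and a sensor placed next to the server with one placed next to the client.

```python
"""Toy timing model of the race between flexresp RSTs and the server's reply.

Added example, not from the thread. All numbers are constructed; the unit is
microseconds. The client sends the matching request at t = 0. A Snort sensor
on the path sees it, takes `detection_delay` to match the rule and emit
resp:rst_all, and the RSTs then travel to both ends. Meanwhile the server
answers in slow-start rounds (one window per round trip, window doubling),
so the client sees whatever data arrives before its own RST does.
"""
from dataclasses import dataclass


@dataclass
class RaceScenario:
    client_server_delay: int   # one-way delay client <-> server
    sensor_client_delay: int   # one-way delay sensor tap <-> client (<= client_server_delay)
    detection_delay: int       # sensor: request seen -> RSTs on the wire
    segment_interval: int      # serialization time per reply segment
    reply_segments: int        # segments the directory listing occupies
    initial_cwnd: int = 2      # segments the server may send before the first ACK


def segments_seen_by_client(sc: RaceScenario) -> int:
    """Reply segments the client's TCP accepts before the sensor's RST lands."""
    d, x = sc.client_server_delay, sc.sensor_client_delay
    assert 0 <= x <= d, "sensor must sit on the client<->server path"
    rtt = 2 * d
    t_rst_at_server = x + sc.detection_delay + (d - x)   # equals d + detection_delay
    t_rst_at_client = x + sc.detection_delay + x

    seen = 0
    remaining = sc.reply_segments
    cwnd = sc.initial_cwnd
    t_send = d          # server receives the request at t = d and starts answering
    round_no = 0
    while remaining > 0:
        round_start = d + round_no * rtt
        # Later rounds need an ACK, which the client only sends if it was still
        # connected when the previous round's data reached it.
        if round_no > 0 and round_start - d >= t_rst_at_client:
            break
        if round_start >= t_rst_at_server:
            break   # server already torn down by the RST
        t_send = max(t_send, round_start)   # segments are serialized one after another
        for _ in range(min(cwnd, remaining)):
            if t_send >= t_rst_at_server:
                return seen   # server got the RST: nothing more leaves it
            if t_send + d < t_rst_at_client:
                seen += 1     # this segment beat the RST to the client
            t_send += sc.segment_interval
            remaining -= 1
        cwnd *= 2
        round_no += 1
    return seen


def fraction_seen(sc: RaceScenario) -> float:
    return segments_seen_by_client(sc) / sc.reply_segments


# Constructed scenarios: 120 us per 1500-byte segment (100 Mbit/s), 2 ms to
# match the rule and emit RSTs, a 30-segment directory listing.
LAN_SENSOR_BY_SERVER = RaceScenario(client_server_delay=200, sensor_client_delay=200,
                                    detection_delay=2000, segment_interval=120,
                                    reply_segments=30)
WAN_SENSOR_BY_SERVER = RaceScenario(client_server_delay=40_000, sensor_client_delay=39_800,
                                    detection_delay=2000, segment_interval=120,
                                    reply_segments=30)
WAN_SENSOR_BY_CLIENT = RaceScenario(client_server_delay=40_000, sensor_client_delay=200,
                                    detection_delay=2000, segment_interval=120,
                                    reply_segments=30)

if __name__ == "__main__":
    for name, sc in [("LAN, sensor beside server", LAN_SENSOR_BY_SERVER),
                     ("WAN, sensor beside server", WAN_SENSOR_BY_SERVER),
                     ("WAN, sensor beside client", WAN_SENSOR_BY_CLIENT)]:
        print(f"{name}: {segments_seen_by_client(sc)}/{sc.reply_segments} "
              f"segments seen ({fraction_seen(sc):.0%})")
```

On the constructed LAN numbers the server is already in its fourth slow-start window when the RST reaches it, so the client has accepted about half the listing; with 40 ms of one-way delay the server only gets its initial window out before the reset, and if the sensor sits next to the client the RST arrives long before any data does. That is the mechanism behind the "high miss statistic on a local net": on a LAN the ACK clock runs faster than the sensor can detect and respond, and nothing in resp changes that, which is why it is a containment aid rather than a block.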
Current thread:
- Should snort react this way? Ronneil Camara (Jan 04)
- Re: Should snort react this way? Chris Green (Jan 04)