Snort mailing list archives

Re: Should snort react this way?


From: Chris Green <cmg () uab edu>
Date: Sat, 05 Jan 2002 00:52:39 -0600

"Ronneil Camara" <ronneilc () remingtonltd com> writes:

Hi to everyone on the list.

I would just like to confirm whether snort should really behave this way. I configured
snort with flexresp. I added "resp: rst_all" to a rule in web-iis and to the attack-responses
rule that is related to cmd.exe and http dir listing.

I attacked my default installation of IIS server (unicode); I was still able to
see the dir listings, but snort fortunately sent a RST to both parties.

The parameter that I used was scripts/..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\+/s

My question is, why is it that I was still able to see a dir listing of about
30%-40% of the complete listing before my internet browser sensed a RST?


Because it is a race condition between the machines talking and snort.
Since the directory info can fit in a couple of packets, it's a race to
send the RST before the OS (which had a head start).

On a local net, you're going to have a very high "miss" statistic, and
the more lag you have between the two end points, the more time you
will have to fire off RSTs.

resp is a good try, but it's not 100% reliable.
-- 
Chris Green <cmg () uab edu>
Don't use a big word where a diminutive one will suffice.
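The race Chris describes can be made concrete with a small timing model. This is an added example, not code from the thread or from Snort: it assumes a sensor tapping the client/server path at some one-way latency from the client, a fixed detection-plus-RST-emission delay, and a server that streams the listing as back-to-back segments. Parameter names and all timing values are constructed for illustration; the model only shows which bytes reach the client before either endpoint is torn down.

```python
"""Toy timing model of the flexresp RST race (added example, not Snort code).

Timeline (t = 0 when the request leaves the client):
  - request reaches the sensor tap at tap_offset_s and the server at one_way_delay_s
  - server emits data segment i at one_way_delay_s + server_think_s + i * segment_gap_s
  - sensor matches the rule after sensor_delay_s and sends an RST to each side
All values are assumptions chosen for illustration, not measurements.
"""
from dataclasses import dataclass
import math


@dataclass
class RaceParams:
    listing_bytes: int             # size of the directory listing the server returns
    mss: int = 1460                # payload bytes per TCP segment
    server_think_s: float = 0.001  # request arrival -> first data segment
    segment_gap_s: float = 0.0002  # spacing between successive data segments
    one_way_delay_s: float = 0.0   # client <-> server one-way latency (0.0 = same LAN)
    tap_offset_s: float = 0.0      # client -> sensor tap one-way latency (<= one_way_delay_s)
    sensor_delay_s: float = 0.0031 # rule match + RST crafting/emission time


def bytes_seen_before_rst(p: RaceParams) -> int:
    """Return how many listing bytes reach the client before a RST closes either side."""
    assert 0.0 <= p.tap_offset_s <= p.one_way_delay_s, "tap must sit between the endpoints"
    d = p.one_way_delay_s
    n_segments = math.ceil(p.listing_bytes / p.mss)

    # RST to the client travels back over the tap -> client leg.
    rst_at_client = p.tap_offset_s + p.sensor_delay_s + p.tap_offset_s
    # RST to the server travels the remaining tap -> server leg.
    rst_at_server = p.tap_offset_s + p.sensor_delay_s + (d - p.tap_offset_s)

    seen = 0
    for i in range(n_segments):
        sent_at = d + p.server_think_s + i * p.segment_gap_s
        arrives_at = sent_at + d
        if sent_at >= rst_at_server:     # server socket already reset: nothing more is sent
            break
        if arrives_at >= rst_at_client:  # client socket already reset: later data is dropped
            break
        seen += min(p.mss, p.listing_bytes - seen)
    return seen


def fraction_seen(p: RaceParams) -> float:
    """Fraction of the listing the browser renders before it notices the RST."""
    return bytes_seen_before_rst(p) / p.listing_bytes


if __name__ == "__main__":
    lan = RaceParams(listing_bytes=100_000)
    wan_sensor_near_client = RaceParams(listing_bytes=100_000, one_way_delay_s=0.040)
    wan_sensor_near_server = RaceParams(listing_bytes=100_000, one_way_delay_s=0.040,
                                        tap_offset_s=0.040)
    for name, params in [("LAN", lan),
                         ("WAN, sensor near client", wan_sensor_near_client),
                         ("WAN, sensor near server", wan_sensor_near_server)]:
        print(f"{name}: {fraction_seen(params):.1%} of the listing delivered before RST")
```

Two things fall out of the model that the reply states in words: on a LAN the data and the RST race over the same short path, so whatever the server can push during the sensor's detection delay gets through; and added end-to-end latency only helps when the sensor sits closer to the client than the server does, because the RST then has a head start on the data. A sensor tapping next to the server gains nothing from the extra lag.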

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users