Snort mailing list archives
Re: Snort+flexresp
From: "Onie Camara" <neil () restricted dyndns org>
Date: Tue, 2 Apr 2002 09:52:16 -0600
I do have to agree that flexresp is not ideal to tear down TCP connections on web traffic, as the HTTP protocol sends 5 packets. But I still don't know: on the FTP protocol, my first FTP as anonymous is torn down, but not the succeeding ones. Might be a bug in the flexresp code. I did a CVS download of Snort 1.9 from SourceForge, and also enabled flexresp, and I am happy with the results. Now, I opened up port 22 for everyone, but I've got a Snort rule that does resp: rst_all on that port. Btw, I also have a pass rule above the rule that I mentioned. One thing, though, that I've noticed:

1. You won't take advantage of Snort's flexresp on a gateway box if you would like to tear down a TCP session of one of your internal hosts/users. What it will see is its own IP address, since it's doing NAT. I tried it on my FreeBSD ipf + Snort; Snort doesn't see my internal IP address. I even ran tcpdump, and it's the FreeBSD gateway's address that is being used.

2. I don't know if this has been fixed: on OpenBSD 3.0 without an IP address, it will not be able to send TCP RESETs.

3. Just a bug that I've found in 1.9. Snort segfaults if the rule is wrong, such as resp: rst_all: (take note of the second colon).

Just my 2 cents.

Neil

----- Original Message -----
From: "Anton A. Chuvakin" <anton () chuvakin org>
To: "Jeff Nathan" <jeff () snort org>
Cc: <snort-users () lists sourceforge net>
Sent: Tuesday, April 02, 2002 8:41 AM
Subject: Re: [Snort-users] Snort+flexresp
Jeff and others,

Thanks for the packet dumps. Could you instead store them in pcap format? I have the exact same problem! Here is the story:

-------------------------
So, for the dump below: "fw" and "anton" are two RedHat i386 7.2 boxes; "fw" runs snort 1.8.4 (build 99, from RPMs, with flexresp). I modified the signature below (for tests) to read (all other configs - default!!):

--------------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; resp: icmp_all,rst_all; nocase; classtype:web-application-attack; sid:1002; rev:2;)
--------------------

and then use Lynx on "anton" to get the cmd.exe file (big zeroed file) from "fw". And it works fine (see the dump below) - snort produces an alert and all the packets are sent.

------------------------------------------------------
17:53:43.309995 anton.56796 > fw.http: S 1893212406:1893212406(0) win 5840
<mss 1460,sackOK,timestamp 35455186 0,nop,wscale 0> (DF) [tos 0x10]
17:53:43.310282 fw.http > anton.56796: S 1900591890:1900591890(0) ack
1893212407 win 5792 <mss 1460,sackOK,timestamp 165254566 35455186,nop,wscale 0> (DF)
17:53:43.310321 anton.56796 > fw.http: . ack 1 win 5840 <nop,nop,timestamp
35455186 165254566> (DF) [tos 0x10]
17:53:46.347937 anton.56796 > fw.http: P 1:15(14) ack 1 win 5840
<nop,nop,timestamp 35455490 165254566> (DF) [tos 0x10]
17:53:46.348203 fw.http > anton.56796: . ack 15 win 5792
<nop,nop,timestamp 165254870 35455490> (DF)
17:53:46.349880 fw.http > anton.56796: . 1:1449(1448) ack 15 win 5792
<nop,nop,timestamp 165254870 35455490> (DF)
17:53:46.349897 anton.56796 > fw.http: . ack 1449 win 8688
<nop,nop,timestamp 35455490 165254870> (DF) [tos 0x10]
17:53:46.351116 fw.http > anton.56796: . 1449:2897(1448) ack 15 win 5792
<nop,nop,timestamp 165254870 35455490> (DF)
17:53:46.351165 anton.56796 > fw.http: . ack 2897 win 11584
<nop,nop,timestamp 35455490 165254870> (DF) [tos 0x10]
17:53:46.351610 fw.http > anton.56796: R 1:1(0) ack 15 win 0
17:53:46.351686 fw > anton: icmp: net fw unreachable
17:53:46.351763 fw > anton: icmp: host fw unreachable
17:53:46.351839 fw > anton: icmp: fw tcp port http unreachable
17:53:46.353082 fw.http > anton.56796: P 2897:4345(1448) ack 15 win 5792
<nop,nop,timestamp 165254870 35455490> (DF)
17:53:46.353098 anton.56796 > fw.http: . ack 4345 win 14480
<nop,nop,timestamp 35455491 165254870> (DF) [tos 0x10]
17:53:46.354314 fw.http > anton.56796: . 4345:5793(1448) ack 15 win 5792
<nop,nop,timestamp 165254870 35455490> (DF)
17:53:46.354332 anton.56796 > fw.http: . ack 5793 win 17376
<nop,nop,timestamp 35455491 165254870> (DF) [tos 0x10]
-------------------------------------------------------

However, it has NO effect on the connection whatsoever. Do you have any insights on that? My guess is that the RST arrives late and doesn't cancel the connection, and the ICMPs have no effect on ongoing connections, but I suspect I am wrong. I can email binary dumps upon request.

Best,
--
Anton A. Chuvakin, Ph.D.
http://www.chuvakin.org
http://www.info-secure.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
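As an added illustration (not part of the thread), the following Python check applies the RFC 793 in-window test to the RST in Anton's dump: a receiver only honours a RST whose sequence number satisfies RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND. The trace is a constructed subset of the tcpdump lines above with the TCP options dropped, using tcpdump's relative sequence numbers.

```python
import re

# Constructed subset of the tcpdump lines quoted in the thread (options stripped).
TRACE = """\
17:53:43.310321 anton.56796 > fw.http: . ack 1 win 5840
17:53:46.347937 anton.56796 > fw.http: P 1:15(14) ack 1 win 5840
17:53:46.349880 fw.http > anton.56796: . 1:1449(1448) ack 15 win 5792
17:53:46.349897 anton.56796 > fw.http: . ack 1449 win 8688
17:53:46.351116 fw.http > anton.56796: . 1449:2897(1448) ack 15 win 5792
17:53:46.351165 anton.56796 > fw.http: . ack 2897 win 11584
17:53:46.351610 fw.http > anton.56796: R 1:1(0) ack 15 win 0
"""

# timestamp src > dst: flags [seq:end(len)] [ack N] win W   (tcpdump 3.x style)
LINE = re.compile(
    r"^\S+ (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[A-Z.]+) "
    r"(?:(?P<seq>\d+):\d+\(\d+\) )?(?:ack (?P<ack>\d+) )?win (?P<win>\d+)"
)


def check_resets(trace):
    """Return (line, seg_seq, rcv_nxt, rcv_wnd, accepted) for every RST seen.

    Each host's RCV.NXT and RCV.WND are taken from the last ack/win it
    advertised; a RST is accepted only if its seq falls inside that window.
    """
    rcv = {}  # host -> (rcv_nxt, rcv_wnd) as last advertised by that host
    results = []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if m["ack"] is not None:
            rcv[m["src"]] = (int(m["ack"]), int(m["win"]))
        if "R" in m["flags"]:
            seq = int(m["seq"])
            nxt, wnd = rcv.get(m["dst"], (0, 0))
            results.append((line, seq, nxt, wnd, nxt <= seq < nxt + wnd))
    return results


if __name__ == "__main__":
    for line, seq, nxt, wnd, ok in check_resets(TRACE):
        verdict = "accepted" if ok else "ignored (out of window)"
        print(f"RST seq={seq}, receiver RCV.NXT={nxt} RCV.WND={wnd}: {verdict}")
```

For this trace the RST carries seq 1 while anton has already acknowledged 2897, so the receiver silently drops it, which is consistent with the "RST arrives late" guess above.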
Current thread:
- Re: Snort+flexresp Jeff Nathan (Apr 02)
- Re: Snort+flexresp Onie Camara (Apr 02)
- Re: Snort+flexresp Jeff Nathan (Apr 02)
- Re: Snort+flexresp Anton A. Chuvakin (Apr 02)
- Re: Snort+flexresp Onie Camara (Apr 02)
- Re: Snort+flexresp Jeff Nathan (Apr 02)
- Re: Snort+flexresp Onie Camara (Apr 02)