Snort mailing list archives

snort sees no fragmented attack


From: Holger.Woehle () arcor net
Date: Fri, 9 Aug 2002 11:28:33 +0100

Hello,
Why doesn't Snort see the following attack:

echo "GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps" | nc

The attacking station has the interface mtu set to 100!

08/08-18:36:30.670126 0.0.0.0:33112 -> 0.0.0.0:80
TCP TTL:63 TOS:0x0 ID:54348 IpLen:20 DgmLen:100 DF
***A**** Seq: 0xD1AFFB8  Ack: 0xFCCF700E  Win: 0x400  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1846269 1840913
47 45 54 20 2F 61 61 61 61 61 61 61 2F 61 61 61  GET /aaaaaaa/aaa
2F 61 61 61 61 61 2F 61 61 61 61 61 61 61 61 2F  /aaaaa/aaaaaaaa/
61 61 61 61 61 61 61 2F 62 63 63 2F 62 69 6E 2F  aaaaaaa/bcc/bin/

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/08-18:36:30.670152 0.0.0.0:33112 -> 0.0.0.0:80
TCP TTL:63 TOS:0x0 ID:54349 IpLen:20 DgmLen:55 DF
***AP*** Seq: 0xD1AFFE8  Ack: 0xFCCF700E  Win: 0x400  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1846269 1840913
70 73 0A                                         ps.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Snort does not reassemble the packets, and so it does not recognize this attack!
Can I adjust the preprocessors or the rule to catch this attack?

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps
command attempt"; flags:A+; uricontent:"/bin/ps"; nocase; sid:1328;
classtype:web-application-attack; rev:4;)


with regards
Holger Wöhle
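The two dumps above are a single HTTP request line split across two TCP segments by the sender's small MTU: the first carries 48 bytes ending in "/bin/", the second carries "ps\n" (and the sequence numbers line up: 0xD1AFFB8 + 48 = 0xD1AFFE8, while DgmLen 100 = 20 IP + 32 TCP + 48 payload and 55 = 20 + 32 + 3). A per-packet content match for "/bin/ps" can never fire because the string is not contained in either segment; only a detector that orders segments by sequence number and inspects the rebuilt stream sees it. The following is an added example, not code from the original post or from Snort, that replays the two segments from the dumps through a minimal per-packet matcher and a minimal stream reassembler. The segment list and the gap case are constructed sample data; `RULE_PATTERN` stands in for the `uricontent:"/bin/ps"; nocase;` of sid:1328.

```python
import re

# Constructed sample input: the two segments from the dumps in the post.
# Payloads are the bytes shown in the hex dumps, seq numbers come from the TCP
# headers. They are deliberately listed in the wrong order to show that the
# reassembler, not arrival order, decides what the detector inspects.
SEGMENTS = [
    {"seq": 0x0D1AFFE8, "flags": "AP", "payload": b"ps\n"},
    {"seq": 0x0D1AFFB8, "flags": "A",
     "payload": b"GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/"},
]

# Stand-in for the rule's uricontent:"/bin/ps"; nocase;
RULE_PATTERN = re.compile(rb"/bin/ps", re.IGNORECASE)


def match_per_packet(segments):
    """Inspect every segment payload on its own, as a detector without
    stream reassembly would. Returns one bool per segment."""
    return [bool(RULE_PATTERN.search(s["payload"])) for s in segments]


def reassemble(segments):
    """Order segments by sequence number and concatenate contiguous payloads.
    Stops at the first hole: a real reassembler would buffer and wait for the
    missing segment rather than hand a partial stream to the detector."""
    ordered = sorted(segments, key=lambda s: s["seq"])
    stream = bytearray()
    expected = ordered[0]["seq"]
    for s in ordered:
        if s["seq"] != expected:
            break  # gap (lost or reordered segment not yet seen)
        stream += s["payload"]
        expected += len(s["payload"])
    return bytes(stream)


def match_reassembled(segments):
    """Run the same content match over the rebuilt stream."""
    return bool(RULE_PATTERN.search(reassemble(segments)))


def request_uri(stream):
    """Extract the URI from the first request line ("METHOD SP URI ...").
    This is the part of the stream a uricontent match is meant to look at."""
    line = stream.split(b"\n", 1)[0]
    parts = line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


if __name__ == "__main__":
    print("per packet:", match_per_packet(SEGMENTS))        # [False, False]
    print("reassembled:", match_reassembled(SEGMENTS))      # True
    print("uri:", request_uri(reassemble(SEGMENTS)))
```

The per-packet matcher returns `[False, False]` for exactly the two segments in the dumps, while the reassembled stream matches and yields the full URI ending in `/bin/ps`. In Snort this is the job of the stream reassembly preprocessor (stream4 in Snort of this vintage), which has to be enabled for the HTTP ports and whose rebuilt pseudo-packets must then pass through the HTTP decoder for `uricontent` to apply; the exact configuration keywords depend on the Snort version, so check the manual for the release in use rather than this example.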




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users