Snort mailing list archives
snort sees no fragmented attack
From: Holger.Woehle () arcor net
Date: Fri, 9 Aug 2002 11:28:33 +0100
Hello, why does snort sees the following attack: echo "GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps" | nc The attacking station has the interface mtu set to 100! 08/08-18:36:30.670126 0.0.0.0:33112 -> 0.0.0.0:80 TCP TTL:63 TOS:0x0 ID:54348 IpLen:20 DgmLen:100 DF ***A**** Seq: 0xD1AFFB8 Ack: 0xFCCF700E Win: 0x400 TcpLen: 32 TCP Options (3) => NOP NOP TS: 1846269 1840913 47 45 54 20 2F 61 61 61 61 61 61 61 2F 61 61 61 GET /aaaaaaa/aaa 2F 61 61 61 61 61 2F 61 61 61 61 61 61 61 61 2F /aaaaa/aaaaaaaa/ 61 61 61 61 61 61 61 2F 62 63 63 2F 62 69 6E 2F aaaaaaa/bcc/bin/ =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/08-18:36:30.670152 0.0.0.0:33112 -> 0.0.0.0:80 TCP TTL:63 TOS:0x0 ID:54349 IpLen:20 DgmLen:55 DF ***AP*** Seq: 0xD1AFFE8 Ack: 0xFCCF700E Win: 0x400 TcpLen: 32 TCP Options (3) => NOP NOP TS: 1846269 1840913 70 73 0A ps. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ Snort does not reassemble the packet, and so he does not recognize this attack! Can i adjust the preprozessors or the rule to catch this attack ? alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flags:A+; uricontent:"/bin/ps"; nocase; sid:1328; classtype:web-application-attack; rev:4;) with regards Holger Wöhle ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- snort sees no fragmented attack Holger . Woehle (Aug 09)
- Re: snort sees no fragmented attack Chris Green (Aug 09)
- Re: snort sees no fragmented attack Andreas Östling (Aug 09)
- Re: snort sees no fragmented attack Matt Kettler (Aug 09)
- Autoblock on Linux Lionel Fairon (Aug 09)
- <Possible follow-ups>
- snort sees no fragmented attack Holger . Woehle (Aug 09)
- Re: snort sees no fragmented attack Holger . Woehle (Aug 12)
- Re: Re: snort sees no fragmented attack Chris Green (Aug 12)
- Re: snort sees no fragmented attack Holger . Woehle (Aug 12)