Snort mailing list archives
Reply: Re: snort sees no fragmented attack
From: Holger.Woehle () arcor net
Date: Mon, 12 Aug 2002 11:06:43 +0100
Hello,

I am using snort 1.8.7, Linux Kernel 2.4.18, Intel Pentium 4 with 256 MByte RAM.
Please see the attached snort dump (snort -b) with the attack dump and the snort.conf.

with regards
Holger

(See attached file: snort.tar.gz)

Chris Green <cmg () sourcefire com> 09.08.2002 13:28
Please reply to snort-users () lists sourceforge net
To: Holger Wöhle/PSD/Eschborn/Arcor@Arcor
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort sees no fragmented attack
Holger.Woehle () arcor net writes:
> Hello, why doesn't snort see the following attack:
>
> echo "GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps" | nc
>
> Snort does not reassemble the packet, and so it does not recognize this attack!
Snort Version? OS? Platform? Have you tried against 1.9beta2?
> Can I adjust the preprocessors or the rule to catch this attack?
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flags:A+; uricontent:"/bin/ps"; nocase; sid:1328; classtype:web-application-attack; rev:4;)
Please send me traffic captures of this attack if you can. I would like to see why it's not working in your environment.

tcpdump -i eth0 -s 1514 host attackerip -w fragmented-ps.cap

-- 
Chris Green <cmg () sourcefire com>
A good pun is its own reword.
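As an added illustration of the reassembly point raised in this thread (not code from the original post, and not Snort's own logic): a toy detector in Python that applies the `uricontent:"/bin/ps"` check first to each TCP segment in isolation and then to the reassembled stream. The request line, the split point and the sequence numbers are constructed; `reassemble()` and `request_uri()` are simplified stand-ins for what a stream preprocessor and an HTTP decoder do, not Snort's algorithms.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Mirrors uricontent:"/bin/ps"; nocase from the rule quoted in the thread.
PATTERN = re.compile(rb"/bin/ps", re.IGNORECASE)


@dataclass(frozen=True)
class Segment:
    """One TCP segment: sequence number of its first payload byte plus the payload."""
    seq: int
    payload: bytes


def request_uri(data: bytes) -> Optional[bytes]:
    """Return the URI from an HTTP request line, or None if no full line is present.

    Accepts a bare LF terminator because `echo ... | nc` sends one (no CRLF,
    no HTTP version), as in the request quoted in the thread.
    """
    line, sep, _ = data.partition(b"\n")
    if not sep:
        return None
    parts = line.rstrip(b"\r").split()
    return parts[1] if len(parts) >= 2 else None


def match_per_segment(segments: List[Segment]) -> bool:
    """Naive detector: inspect each segment's payload on its own."""
    return any(PATTERN.search(seg.payload) for seg in segments)


def reassemble(segments: List[Segment]) -> bytes:
    """Order segments by sequence number and join their payloads into one stream.

    Exact retransmits and overlapping bytes are resolved in favour of the
    data already buffered; a hole raises, since the stream is not yet complete.
    """
    stream = bytearray()
    base = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if base is None:
            base = seg.seq
        offset = seg.seq - base
        if offset > len(stream):
            raise ValueError(f"missing data before seq {seg.seq}")
        # Skip any bytes that overlap what is already buffered.
        stream += seg.payload[len(stream) - offset:]
    return bytes(stream)


def match_reassembled(segments: List[Segment]) -> bool:
    """Stream-aware detector: reassemble first, then apply the URI check."""
    uri = request_uri(reassemble(segments))
    return uri is not None and PATTERN.search(uri) is not None


# Constructed sample: the request from the thread, cut so that "/bin/ps"
# straddles two segments (3 bytes in the first, 4 in the second).
REQUEST = b"GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps\n"


def split_request(request: bytes, cut: int, start_seq: int = 1000) -> List[Segment]:
    """Split one request into two consecutive segments at byte offset `cut`."""
    return [Segment(start_seq, request[:cut]), Segment(start_seq + cut, request[cut:])]


SEGMENTS = split_request(REQUEST, REQUEST.index(b"/bin/ps") + 3)


def main() -> None:
    print("per-segment match :", match_per_segment(SEGMENTS))                  # False
    print("reassembled match :", match_reassembled(SEGMENTS))                  # True
    # Out-of-order delivery is handled by sorting on sequence number.
    print("reversed segments :", match_reassembled(list(reversed(SEGMENTS))))  # True


if __name__ == "__main__":
    main()
```

The per-segment check misses the pattern because no single payload contains all of `/bin/ps`; the same rule fires once the two payloads are joined in sequence order, which is the job of a stream reassembly preprocessor. A capture of the kind Chris asks for (the `tcpdump ... -s 1514` command above) is what lets you confirm which case applies on a real sensor.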
Attachment:
snort.tar.gz