Snort mailing list archives
stream reassemble and dsize
From: Holger.Woehle () arcor net
Date: Tue, 1 Oct 2002 09:38:01 +0100
Hello, I have a question about stream reassembling and dsize: Am I right that dsize only looks in the current packet, not in the whole reassembled stream?

Why I ask: There is an exploit in an older Apache called "Authorization: Basic", but this problem belongs to all attacks dealing with such buffer overflows like "too long URL", "too long POST" and so on.

Sample attack:

    #!/bin/bash
    # bash rather than sh: $'...' quoting and "let" are bash features
    echo -n "GET / HTTP/1.0"
    echo -n $'\n'"Authorization: Basic"
    count=0
    fillin=2048
    # pad the credential with 2048 "X" characters
    while [ "$count" -lt $fillin ]
    do
      echo -n "X"
      let "count+=1"
    done
    # end of headers
    echo -n $'\r'$'\n'$'\r'$'\n'

Piping this to netcat, snort recognises the attack with the standard rule in web-misc.rules. This belongs to snort-1.8 and snort-1.9.

Now the attacker sets his ethernet MTU to 100 (ifconfig eth0 mtu 100) and starts the attack a second time. Now snort, neither 1.8 nor 1.9 (the rules handling differs, see A+ against the flow:established keywords), detects the scan.

snort1.8 rule:

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC long basic authorization string"; flags:A+; content:"Authorization\: Basic "; nocase; dsize:>1000; classtype:attempted-dos; reference:bugtraq,3230; sid:1260; rev:5;)

snort1.9 rule:

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC long basic authorization string"; flow:to_server,established; content:"Authorization\: Basic "; nocase; dsize:>1000; classtype:attempted-dos; reference:bugtraq,3230; sid:1260; rev:5;)

I think this is why: dsize only recognizes packets with dsize under 100 in that case. If I set the MTU to 1000, both snorts detect the scan. I screwed a little with stream4 parameters but nothing helps.

How can I detect such an attack?

With regards
Holger
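As an added illustration (not code from the post or from Snort), here are the rule's two conditions applied per packet, the way a per-packet dsize check behaves, versus applied to the reassembled stream, on a constructed request split at an assumed segment size:

```python
# Added example, not from the original post or the Snort project.
# Models sid:1260's two conditions (content "Authorization: Basic " and
# dsize:>1000) evaluated per segment versus on the reassembled TCP stream.
import re
from typing import List

NEEDLE = b"authorization: basic "   # rule content, compared case-insensitively
MIN_DSIZE = 1000                     # rule dsize:>1000


def segment(payload: bytes, mss: int) -> List[bytes]:
    """Split one request into TCP segments of at most mss bytes (constructed)."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def per_packet_alert(segments: List[bytes]) -> bool:
    """Per-packet check: content and dsize must both hold in a single segment."""
    return any(NEEDLE in s.lower() and len(s) > MIN_DSIZE for s in segments)


def reassembled_alert(segments: List[bytes]) -> bool:
    """Stream-aware check: reassemble first, then measure the header value itself."""
    stream = b"".join(segments)
    m = re.search(rb"authorization:\s*basic\s*([^\r\n]*)", stream, re.IGNORECASE)
    return m is not None and len(m.group(1)) > MIN_DSIZE


def build_request(fill: int) -> bytes:
    """Constructed request shaped like the post's script: a long Basic credential."""
    return b"GET / HTTP/1.0\nAuthorization: Basic " + b"X" * fill + b"\r\n\r\n"


if __name__ == "__main__":
    req = build_request(2048)
    # 1460: a normal Ethernet-sized segment; 100: the small MTU from the post
    for mss in (1460, 100):
        segs = segment(req, mss)
        print(f"mss={mss}: per-packet={per_packet_alert(segs)} "
              f"reassembled={reassembled_alert(segs)}")
```

With 100-byte segments the per-packet check never sees a segment over 1000 bytes, while the reassembled check still measures the full 2048-byte credential.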