Snort mailing list archives

Re: snort, nessus and teardrop


From: Erek Adams <erek () snort org>
Date: Fri, 28 Feb 2003 08:26:00 -0500 (EST)

On Fri, 28 Feb 2003, Svein Erik Søberg wrote:

I have used Nessus to send a Teardrop attack. The resulting packets look
like this:

14:43:46.659165 192.168.1.19.ntp > 192.168.1.25.netbios-ns:  [bad udp
cksum b549!] [len=28] v0 unspec strat 0 poll 0 prec 0 dist 0.000000 disp
12544.000000 ref (unspec)@503316480.269531250 [|ntp] (frag 242:36@0+)
(ttl 64, len 56)
                       4500 0038 00f2 2000 4011 d646 c0a8 0113
                       c0a8 0119 007b 0089 0008 7b5d 0000 0000
                       0000 0000 3100 0000 0104 0000 1e00 0000
                       4500 0038 00f2 2000


Apart from the frag2 preprocessor, that I have to admit I know little
about, there is also a rule in dos.rules:

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack";
id:242; fragbits:M; reference:cve,CAN-1999-0015;
reference:url,www.cert.org/advisories/CA-1997-28.html;
reference:bugtraq,124; classtype:attempted-dos; sid:270; rev:2;)


So just in case, I disabled all preprocessors and ran the tcpdump file
again without response.

Now, as far as I can tell, the above is a udp packet with id= 0xf2 = 242
and the more frag bit is set. In the conf file the Home_Net variable is
set to 192.168.1.25/32 and External_Net to !$Home_Net, so the packet
should match the rule.

Eventually I commented out all rules, except for one that I made to
trigger on any ip traffic between the two addresses above, and it did.
When I substituted 'ip' with 'udp', Snort didn't log any of the Nessus
generated traffic, but lots of other udp traffic. In addition, using
port numbers in the rule failed to catch the teardrop packets both in
combination with 'ip' and 'udp'.

I have no problems with catching the packets with tcpdump and relevant
filters though. Can anyone see any reason why my Snort doesn't even
recognize the packets as udp?

Oh, and I've already had a few drinks just in case I'm ignoring
something b****y obvious.

The way you describe it:  It seems you ran Nessus, executed that attack,
used tcpdump to record it, then replayed it thru Snort.  If so, what
snaplen was used with tcpdump?  It defaults to 68....  Sometimes (most of
the time) that's not enough to capture the data needed to trigger rules.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
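The following is an added example, not part of the thread and not Snort's own code. It decodes the fragment from the tcpdump hex dump quoted above, evaluates the header tests of the dos.rules signature (udp, $EXTERNAL_NET -> $HOME_NET, id:242, fragbits:M) against it with HOME_NET set to 192.168.1.25/32 as in the quoted snort.conf, and works out how many bytes of the IP packet a given snaplen leaves in the capture. The 14-byte Ethernet header used by the snaplen helper is an assumption about the capture's link type; the page does not say which interface was captured.

```python
"""Decode the teardrop fragment quoted in the thread, apply the header
checks of Snort sid:270 to it, and show the effect of a capture snaplen.
Added illustration only; the hex dump is the one tcpdump printed above."""
import ipaddress
import struct

# Hex dump of the first fragment, copied from the tcpdump output in the mail.
FRAGMENT_HEX = (
    "4500 0038 00f2 2000 4011 d646 c0a8 0113"
    "c0a8 0119 007b 0089 0008 7b5d 0000 0000"
    "0000 0000 3100 0000 0104 0000 1e00 0000"
    "4500 0038 00f2 2000"
)

IPPROTO_UDP = 17


def parse_ipv4(raw: bytes) -> dict:
    """Decode an IPv4 header and, when the datagram is UDP and this is the
    first fragment (offset 0) with enough bytes captured, its UDP header."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _cksum) = struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4
    pkt = {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),        # "more fragments" bit
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset is in 8-byte units
        "ttl": ttl,
        "proto": proto,
        "src": ipaddress.ip_address(raw[12:16]),
        "dst": ipaddress.ip_address(raw[16:20]),
        "captured": len(raw),                   # bytes actually available
    }
    # Only the first fragment carries the transport header; later fragments
    # are raw payload and have no ports to match on.
    if proto == IPPROTO_UDP and pkt["frag_offset"] == 0 and len(raw) >= ihl + 8:
        sport, dport, ulen, _ucksum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
        pkt.update({"sport": sport, "dport": dport, "udp_len": ulen})
    return pkt


def decode_fragment() -> dict:
    """Decode the fragment quoted in the thread."""
    return parse_ipv4(bytes.fromhex(FRAGMENT_HEX))


def sid270_header_match(pkt: dict, home_net: str = "192.168.1.25/32") -> bool:
    """Header tests of the dos.rules teardrop signature:
    udp $EXTERNAL_NET any -> $HOME_NET any, id:242, fragbits:M,
    with $EXTERNAL_NET = !$HOME_NET as in the quoted snort.conf."""
    home = ipaddress.ip_network(home_net)
    return (pkt["proto"] == IPPROTO_UDP
            and pkt["src"] not in home
            and pkt["dst"] in home
            and pkt["id"] == 242
            and pkt["mf"])


def ip_bytes_captured(ip_total_len: int, snaplen: int = 68,
                      link_hdr_len: int = 14) -> int:
    """Bytes of the IP packet that survive a capture at the given snaplen.
    The snaplen covers the link-layer header too; 14 bytes is assumed for
    Ethernet, and 68 is the classic tcpdump default mentioned in the reply."""
    return max(0, min(ip_total_len, snaplen - link_hdr_len))


def captured_view(raw: bytes, snaplen: int = 68, link_hdr_len: int = 14) -> dict:
    """Decode the packet as a capture with this snaplen would have stored it."""
    return parse_ipv4(raw[:ip_bytes_captured(len(raw), snaplen, link_hdr_len)])


if __name__ == "__main__":
    frag = decode_fragment()
    for key, value in frag.items():
        print(f"{key:12} {value}")
    print("sid:270 header tests match:", sid270_header_match(frag))
    print("bytes of IP packet kept at snaplen 68 over Ethernet:",
          ip_bytes_captured(frag["total_len"]))
```

Running it decodes id 242 with MF set and offset 0, protocol 17, ports 123 -> 137, and a UDP length field of 8 even though the fragment carries 36 bytes of data, which is the teardrop shape. The header tests of sid:270 all hold for this packet with the quoted HOME_NET, so the decoder separates the "does the rule's header match" question from whatever the capture or the fragment handling did; the snaplen helper gives the number to check against whatever tcpdump was actually run with.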


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

