Snort mailing list archives
Problem with flow:established
From: Michael Schwartzkopff <misch () multinet de>
Date: Sat, 17 May 2003 10:26:59 +0200
Hi,

I tried to solve a hacking challenge and found the following tcp stream (please see attached tcpdump log). I think the hacker exploited a SUN using the dtspcd bug (sid: 1398).

I checked the capture with snort version 2.0.0 (Build 72), but no alert or warning:

/usr/local/bin/snort -r mylog.log -c /etc/snort.conf

If I change the rule for sid 1398 and delete the "established" from the flow statement I get the correct warning.

Can somebody please explain this strange behaviour to me?

Thanks.

Sincerely,
--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+40 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP-ID: 15F925D9CEF94F2C
Fingerprint: AF27 2674 4631 E230 B431 F68D 15F9 25D9 CEF9 4F2C
Attachment:
mylog.log
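One thing worth checking when a flow:established rule stays silent on a replayed capture is whether the capture actually contains the session's three-way handshake, since a stream tracker marks a session established only after seeing it. The script below is an added example, not code from the original thread or from Snort: it parses a raw-IPv4 pcap and reports, per session, how far the handshake got and how many payload packets arrived before the session was established. The addresses, ports and packets are constructed; only the dtspcd port (6112/tcp) is taken from the real service.

```python
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08

def ip_tcp(src, sport, dst, dport, flags, payload=b""):
    # Constructed IPv4/TCP packet (checksums left zero, no link-layer header)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

def pcap_bytes(packets):
    # Classic pcap container, linktype 101 = raw IPv4
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for i, p in enumerate(packets):
        out += struct.pack("<IIII", i, 0, len(p), len(p)) + p
    return out

def tcp_packets(data):
    # Yield (src, sport, dst, dport, flags, payload_len) for every TCP packet in a raw-IPv4 pcap
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<I", data, off + 8)[0]
        pkt, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if pkt[9] != 6:
            continue
        ihl, ip_len = (pkt[0] & 0x0F) * 4, struct.unpack_from("!H", pkt, 2)[0]
        t = pkt[ihl:]
        sport, dport = struct.unpack_from("!HH", t)
        src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
        yield src, sport, dst, dport, t[13], ip_len - ihl - (t[12] >> 4) * 4

def session_states(data):
    # Advance each session through SYN, SYN/ACK, ACK (stage 3 = established); count payload seen earlier
    state = {}
    for src, sport, dst, dport, flags, plen in tcp_packets(data):
        key = tuple(sorted([(src, sport), (dst, dport)]))
        s = state.setdefault(key, {"stage": 0, "data_before_est": 0})
        want = [SYN, SYN | ACK, ACK][s["stage"]] if s["stage"] < 3 else None
        if want is not None and (flags & (SYN | ACK)) == want:
            s["stage"] += 1
        if plen and s["stage"] < 3:
            s["data_before_est"] += 1
    return state

# Constructed samples on dtspcd's port: full handshake then data, and the same data recorded midstream
C, S = ("10.0.0.5", 40000), ("10.0.0.9", 6112)
HANDSHAKE = [ip_tcp(*C, *S, SYN), ip_tcp(*S, *C, SYN | ACK), ip_tcp(*C, *S, ACK)]
DATA = [ip_tcp(*C, *S, ACK | PSH, b"A" * 64)]
FULL_CAPTURE, MIDSTREAM_CAPTURE = pcap_bytes(HANDSHAKE + DATA), pcap_bytes(DATA)
```

On a real file, `session_states(open("mylog.log", "rb").read())` shows whether the suspect session ever reaches stage 3; a session that stays below it with a non-zero `data_before_est` count carried its payload before any handshake was seen, which is the situation a flow:established rule will not match. The parser assumes a raw-IPv4 link type; a capture of Ethernet frames needs the 14-byte frame header skipped first.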