[Snort-devel] snort stateful inspection testing

Andrea Barisani lcars at ...360...
Sat Mar 16 07:25:06 EST 2002


Hi to all!

I'm implementing an IDS testing feature in my 'Firewall Tester' 
tool (http://www.infis.univ.trieste.it/~lcars/ftester) and I'm 
simulating a TCP handshake in order to spoof a real connection to
test snort stateful inspection. (the tool is client-server structured)

This is what the snort host sees:

15:59:30.573688 10.1.7.1.1025 > 192.168.0.1.80: S [tcp sum ok] 11020:11028(8) win 65535 (DF) (ttl 200, id 1, len 48)
15:59:30.585081 192.168.0.1.80 > 10.1.7.1.1025: S [tcp sum ok] 12044:12044(0) ack 11021 win 65535 (DF) [tos 0x10]  (ttl 3, id 1, len 40)
15:59:31.611747 10.1.7.1.1025 > 192.168.0.1.80: . [tcp sum ok] ack 12045 win 65535 (DF) (ttl 200, id 2, len 40)
15:59:31.635338 10.1.7.1.1025 > 192.168.0.1.80: P [tcp sum ok] 11029:11036(7) ack 12045 win 65535 (DF) (ttl 200, id 3, len 47)

the last packet (.635338) contains the 'ftp.exe' payload, so it's 
supposed to trigger the 'WEB-MISC ftp attempt' alert.

Now without the '-z' option the alert is obviously triggered but 
with -z est the alert is triggered only the first time I simulate
the connection! The second time, with different random sequence 
numbers, snort is silent, and so on until I restart the process.

Where is the problem? It seems to me that the seq and ack numbers are right.
Does snort also need the acknowledgement for the last PSH before inspecting the
packet?

Thanks for any help :)

Bye

------------------------------------------------------------
INFIS Network Administrator & Security Officer         .*. 
Department of Physics       - University of Trieste    /V\
lcars at ...360... - PGP Key 0x8E21FE82      (/ \)
----------------------------------------------------  (   )
"How would you know I'm mad?" said Alice.             ^^-^^
"You must be," said the Cat, "or you wouldn't have come here."
------------------------------------------------------------
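To make the question concrete, here is an added example (not from the post, and not Snort's own stream4 code) of a minimal stateful tracker run over the four tcpdump lines quoted above. It parses the lines, walks the three-way handshake, reports a data segment as "inspectable" only once the session is ESTABLISHED and the segment's sequence number is the one expected, and then replays the same exchange with shifted ISNs through the same session table. The `SessionTable`, its `reset_on_new_syn` policy and the `shift()` helper are constructed assumptions for illustration; they model two ways a stateful engine could treat a fresh SYN on an endpoint pair it already knows, not how Snort actually behaves.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the four tcpdump lines quoted in the post above, copied verbatim.
TRACE = """\
15:59:30.573688 10.1.7.1.1025 > 192.168.0.1.80: S [tcp sum ok] 11020:11028(8) win 65535 (DF) (ttl 200, id 1, len 48)
15:59:30.585081 192.168.0.1.80 > 10.1.7.1.1025: S [tcp sum ok] 12044:12044(0) ack 11021 win 65535 (DF) [tos 0x10]  (ttl 3, id 1, len 40)
15:59:31.611747 10.1.7.1.1025 > 192.168.0.1.80: . [tcp sum ok] ack 12045 win 65535 (DF) (ttl 200, id 2, len 40)
15:59:31.635338 10.1.7.1.1025 > 192.168.0.1.80: P [tcp sum ok] 11029:11036(7) ack 12045 win 65535 (DF) (ttl 200, id 3, len 47)
"""

# tcpdump 3.x TCP line: time src > dst: flags [tcp sum ok] [seq:end(len)] [ack N] win ...
LINE_RE = re.compile(
    r'^\S+ (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+) \[tcp sum ok\] '
    r'(?:(?P<seq>\d+):\d+\((?P<len>\d+)\) )?(?:ack (?P<ack>\d+) )?win'
)


@dataclass
class Packet:
    src: str
    dst: str
    flags: str
    seq: Optional[int]   # None for a pure ACK, which tcpdump prints without a seq range
    length: int
    ack: Optional[int]


def parse_trace(text: str):
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsed line: " + line)
        pkts.append(Packet(m['src'], m['dst'], m['flags'],
                           int(m['seq']) if m['seq'] else None,
                           int(m['len']) if m['len'] else 0,
                           int(m['ack']) if m['ack'] else None))
    return pkts


class Session:
    """Minimal per-connection state machine (hypothetical model, not Snort's stream4)."""

    def __init__(self):
        self.state = 'CLOSED'
        self.client = None
        self.nxt = {}          # per sender: next seq expected from it, from bytes seen on the wire
        self.anomalies = []

    def feed(self, p: Packet) -> bool:
        """Return True if p carries data that a stateful rule engine would inspect."""
        bare_syn = 'S' in p.flags and p.ack is None
        if bare_syn:
            if self.state == 'ESTABLISHED':
                self.anomalies.append('SYN on an established session ignored')
                return False
            self.state, self.client = 'SYN_SENT', p.src
            self.nxt = {p.src: p.seq + 1 + p.length}   # the SYN itself consumes one seq number
            return False
        if 'S' in p.flags and self.state == 'SYN_SENT':        # SYN/ACK from the server
            self.nxt[p.src] = p.seq + 1
            if p.ack != self.nxt[p.dst]:
                self.anomalies.append(
                    f'SYN/ACK acks {p.ack} but {p.dst} sent through {self.nxt[p.dst]} '
                    '(data carried in the SYN was not acknowledged)')
            self.state = 'SYN_RECV'
            return False
        if self.state == 'SYN_RECV' and p.src == self.client and p.ack == self.nxt[p.dst]:
            self.state = 'ESTABLISHED'                          # third leg of the handshake
        if self.state != 'ESTABLISHED':
            return False
        in_seq = p.seq is None or p.seq == self.nxt.get(p.src)
        if not in_seq:
            self.anomalies.append(f'seq {p.seq} from {p.src}, expected {self.nxt.get(p.src)}')
            return False
        if p.seq is not None:
            self.nxt[p.src] = p.seq + p.length
        return p.length > 0


class SessionTable:
    # Sessions keyed by endpoint pair; the policy decides what a fresh SYN on a known pair does.
    def __init__(self, reset_on_new_syn: bool):
        self.sessions = {}
        self.reset_on_new_syn = reset_on_new_syn

    def inspect(self, p: Packet) -> bool:
        key = frozenset((p.src, p.dst))
        s = self.sessions.get(key)
        if s is None or (self.reset_on_new_syn and 'S' in p.flags and p.ack is None):
            s = self.sessions[key] = Session()
        return s.feed(p)


def shift(pkts, client, dc, ds):
    """Replay the same exchange with different ISNs (client seqs +dc, server seqs +ds)."""
    out = []
    for p in pkts:
        from_client = p.src == client
        seq = None if p.seq is None else p.seq + (dc if from_client else ds)
        ack = None if p.ack is None else p.ack + (ds if from_client else dc)
        out.append(Packet(p.src, p.dst, p.flags, seq, p.length, ack))
    return out


def run(reset_on_new_syn: bool):
    """Feed the trace twice through one table; return per-packet inspect decisions and the table."""
    pkts = parse_trace(TRACE)
    table = SessionTable(reset_on_new_syn)
    first = [table.inspect(p) for p in pkts]
    second = [table.inspect(p) for p in shift(pkts, pkts[0].src, 5000, 7000)]
    return first, second, table


if __name__ == '__main__':
    for policy in (True, False):
        first, second, table = run(policy)
        print(f'reset_on_new_syn={policy}: first run {first}, replay {second}')
```

On the first pass both policies reach ESTABLISHED and flag only the PSH segment as inspectable, but the tracker also records one anomaly visible in the trace itself: the client's SYN carries 8 bytes, so the client counts its next sequence number as 11029, while the server's SYN/ACK acknowledges only 11021. On the replay, a table that keeps the old session entry for the same endpoint pair sees every new segment as out of sequence and inspects nothing, whereas a table that starts a new session on a bare SYN behaves exactly as on the first pass. Which of the two a given engine implements is something to check against its documentation or source, not something this model decides.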