[Snort-devel] Bug in output, snort-2.0.0rc1

Neil Dickey neil at ...230...
Fri Apr 4 04:29:27 EST 2003


Marty,

Here's the bug:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] [1:884:8] WEB-CGI formmail access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
04/02-17:41:32.370549 0:1:64:73:31:4 -> 8:0:20:72:6C:D8 type:0x800 len:0x10A
209.172.117.221:3863 -> 131.156.8.6:80 TCP TTL:113 TOS:0x0 ID:63036 IpLen:20 DgmLen:252 DF
***AP*** Seq: 0xA8225612  Ack: 0xBC7F5FDC  Win: 0x7FFF  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS226][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0172][Xref => http://www.securityfocus.com/bid/1187][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10076][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10782]

[**] [1:1610:5] WEB-CGI formmail arbitrary command execution attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
04/02-19:40:49.635366 0:1:64:73:31:4 -> 8:0:20:13:12:E2 type:0x800 len:0x2F3
148.244.91.1:3331 -> 131.156.8.4:80 TCP TTL:45 TOS:0x0 ID:55692 IpLen:20 DgmLen:741 DF
***AP*** Seq: 0xE7CBC041  Ack: 0x93042534  Win: 0x1C84  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS226][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0172][Xref => http://www.securityfocus.com/bid/1187][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10076][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10782]

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I'm not sure how the linewrap will work out, but the references are no
longer nicely stacked in the alert output.  This occurs with rules other
than the ones in the example, and makes them difficult to read.

Here are my particulars:

Architecture:  Sun Sparc

OS:            Solaris2.7

Snort Ver:     Snort-2.0.0rc1

PreProcs:      preprocessor frag2
               preprocessor stream4: detect_scans, disable_evasion_alerts
               preprocessor stream4_reassemble: ports default
               preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
               preprocessor rpc_decode: 111 32771
               preprocessor bo
               preprocessor telnet_decode
               preprocessor portscan: $HOME_NET 3 5 /ash/log/snort_portscan.log
               preprocessor portscan-ignorehosts: [131.156.8.0/24,131.156.1.0/24,131.156.145.41,129.79.1.9,131.156.126.2]
               preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
               preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60, log /ash/log/snort_portscan.log
               preprocessor portscan2-ignorehosts: 131.156.8.0/24 131.156.1.0/24 131.156.145.41 129.79.1.9 131.156.126.2

Rules:         Standard ruleset issued with this release of Snort.

Output:        output log_tcpdump: /ash/log/tcpdump.log

Snort Args:    snort -dDe -A full -h AAA.BBB.CCC.0/24 -l $LOGPATH -c $RULESPATH/$RULESNAME -o -k none 
               Invoked from a script:
                 LOGPATH="/ash/log"
                 RULESPATH="/etc"
                 RULESNAME="snort.conf"

Error Msg:     None

Sorry about the linewrapping.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
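As an added example (not code from this report or from Snort itself), the following Python parser reads Snort 2.x "-A full" alert records like the two quoted above and splits the single-line run of [Xref => ...] entries into individual references, so a script can re-emit them one per line the way the report wants. The two sample records are the report's own alerts with the mail-client line wrapping undone; each [Xref => ...] element must be unbroken on its line. The class and function names (FullAlert, parse_full_alerts, format_stacked) are assumptions of this example.

```python
"""Parse Snort 2.x '-A full' alert records into structured objects (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the two alerts from the report, re-joined onto single lines.
SAMPLE_ALERTS = """\
[**] [1:884:8] WEB-CGI formmail access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
04/02-17:41:32.370549 0:1:64:73:31:4 -> 8:0:20:72:6C:D8 type:0x800 len:0x10A
209.172.117.221:3863 -> 131.156.8.6:80 TCP TTL:113 TOS:0x0 ID:63036 IpLen:20 DgmLen:252 DF
***AP*** Seq: 0xA8225612  Ack: 0xBC7F5FDC  Win: 0x7FFF  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS226][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0172][Xref => http://www.securityfocus.com/bid/1187][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10076][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10782]

[**] [1:1610:5] WEB-CGI formmail arbitrary command execution attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/02-19:40:49.635366 0:1:64:73:31:4 -> 8:0:20:13:12:E2 type:0x800 len:0x2F3
148.244.91.1:3331 -> 131.156.8.4:80 TCP TTL:45 TOS:0x0 ID:55692 IpLen:20 DgmLen:741 DF
***AP*** Seq: 0xE7CBC041  Ack: 0x93042534  Win: 0x1C84  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS226][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0172][Xref => http://www.securityfocus.com/bid/1187][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10076][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10782]
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: (.*?)\]")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
TS_RE = re.compile(r"^(\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)")
# IPv4 endpoints; the port part is optional because ICMP alerts carry none.
ENDPOINT_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))? ([A-Z]+) TTL:(\d+)"
)
XREF_RE = re.compile(r"\[Xref => ([^\]]+)\]")


@dataclass
class FullAlert:
    gid: int
    sid: int
    rev: int
    message: str
    classification: Optional[str] = None
    priority: Optional[int] = None
    timestamp: Optional[str] = None
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    xrefs: List[str] = field(default_factory=list)


def parse_full_alerts(text: str) -> List[FullAlert]:
    """Split '-A full' output into one FullAlert per '[**] ... [**]' header."""
    alerts: List[FullAlert] = []
    current: Optional[FullAlert] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = FullAlert(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))
            alerts.append(current)
            continue
        if current is None:
            continue  # anything before the first header (mail banners etc.) is ignored
        cm = CLASS_RE.search(line)
        if cm:
            current.classification = cm.group(1)
        pm = PRIO_RE.search(line)
        if pm:
            current.priority = int(pm.group(1))
        tm = TS_RE.match(line)
        if tm:
            current.timestamp = tm.group(1)
        em = ENDPOINT_RE.match(line)
        if em:
            current.src_ip, current.dst_ip = em.group(1), em.group(3)
            current.src_port = int(em.group(2)) if em.group(2) else None
            current.dst_port = int(em.group(4)) if em.group(4) else None
            current.protocol = em.group(5)
        # Every [Xref => ...] on the line becomes its own entry, however many are run together.
        current.xrefs.extend(XREF_RE.findall(line))
    return alerts


def format_stacked(alert: FullAlert) -> str:
    """Render a record with one reference per line, the layout the report asks for."""
    lines = [f"[**] [{alert.gid}:{alert.sid}:{alert.rev}] {alert.message} [**]"]
    if alert.classification is not None:
        lines.append(f"[Classification: {alert.classification}] [Priority: {alert.priority}]")
    if alert.src_ip:
        lines.append(f"{alert.src_ip}:{alert.src_port} -> {alert.dst_ip}:{alert.dst_port} {alert.protocol}")
    lines.extend(f"[Xref => {x}]" for x in alert.xrefs)
    return "\n".join(lines)


if __name__ == "__main__":
    for a in parse_full_alerts(SAMPLE_ALERTS):
        print(format_stacked(a), end="\n\n")
```

Run against a real alert file in place of SAMPLE_ALERTS; the xref list is the field worth indexing, since the CVE and BID references are what an analyst pivots on when triaging a priority 1 alert.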