[Snort-devel] Snort v2 and flags ECE/CWR ...

rmkml rmkml at ...1042...
Wed Apr 16 12:35:06 EDT 2003


OK, solved.

In my conf, I added detect_scans to your stream4 preprocessor ...

but detect_scans is default config,

and Snort does not detect this packet on the default config ...

Fix this?

Thanks for your help.

Regards.



Chris Green wrote:

> rmkml <rmkml at ...1042...> writes:
>
> > I tested these rules and Snort v2 does not generate an event:
> >
> > alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF1;)
> >
> > alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF2;)
> >
> > alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF,12;)
> >
> > alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF,1;)
> >
> > alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF1,2;)
> >
>
> alert tcp any any -> any any (msg:"Snort 191 bypass ECE 1"; flags:SF1;)
> alert tcp any any -> any any (msg:"Snort 191 bypass ECE 2"; flags:SF2;)
> alert tcp any any -> any any (msg:"Snort 191 bypass ECE 3"; flags:SF,12;)
> alert tcp any any -> any any (msg:"Snort 191 bypass ECE 4"; flags:SF,1;)
> alert tcp any any -> any any (msg:"Snort 191 bypass ECE 5"; flags:SF1,2;)
>
>     TCP: 4          (100.000%)         ALERTS: 2
>     UDP: 0          (0.000%)          LOGGED: 2
>    ICMP: 0          (0.000%)          PASSED: 0
> 04/02-08:32:28.928704  [**] [1:0:0] Snort 191 bypass ECE 2 [**] [Priority: 0] {TCP} 80.15.82.251:18245 -> 195.46.204.150:21536
> 04/02-08:32:39.742288  [**] [1:0:0] Snort 191 bypass ECE 1 [**] [Priority: 0] {TCP} 80.15.82.251:18245 -> 195.46.204.150:21536
>
> > alert any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF,12;)
> > (with this rule, Snort stops and logs this message: bad protocol any,
> > but this rule is the same as on your web page:
> > http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.13
> > error in your doc?)
> >
> > cgreen: There are no packets in your dump that match either of those
> > cgreen: rules specifically.
>
> I did misread that capture. However:
>
> preprocessor stream4
> preprocessor stream4_reassemble
>
> alert tcp any any -> any any (msg:"Snort 191 bypass ECE 1"; flags:SF1;)
> alert tcp any any -> any any (msg:"Snort 191 bypass ECE 2"; flags:SF2;)
>
> Creates:
>
> 04/02-08:32:28.928704  [**] [1:0:0] Snort 191 bypass ECE 2 [**] [Priority: 0] {TCP} 80.15.82.251:18245 -> 195.46.204.150:21536
> 04/02-08:32:39.742288  [**] [1:0:0] Snort 191 bypass ECE 1 [**] [Priority: 0] {TCP} 80.15.82.251:18245 -> 195.46.204.150:21536
>
> --
> Chris Green <cmg at ...402...>
> Fame may be fleeting but obscurity is forever.
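The rules above all hinge on how Snort's flags option treats the two ECN bits, which Snort spells "1" (CWR, reserved bit 1) and "2" (ECE, reserved bit 2). The following is an added example, not code from this thread or from Snort itself: a Python model of the flags matching logic as the rule-writing docs describe it (optional !, * or + modifier, the flag letters, and the optional mask after the comma), run over constructed packets. The rule labels, packet names and flag values are made up for the example. It covers the SF1, SF2, SF,12, SF,1 and SF1,2 forms from the thread and also the +, *, ! and 0 forms from the same doc section, and shows why an exact flags:SF rule is bypassed as soon as CWR or ECE is set, while the masked form flags:SF,12 catches every variant.

```python
"""Model of Snort 2's `flags:` rule option.

Added example, not Snort's code: a Python re-statement of the documented
matching rules, used to show the ECE/CWR bypass of an exact `flags:SF`
rule and how the mask form closes it.
"""

# TCP flag bits as Snort names them. Snort writes CWR as "1" (reserved
# bit 1, the MSB of the flags byte) and ECE as "2" (reserved bit 2).
FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "2": 0x40,  # ECE
    "1": 0x80,  # CWR
}


def parse_flag_set(spec):
    """Turn a flag string such as 'SF1' into a bitmask; '0' means no flags."""
    if spec == "0":
        return 0
    bits = 0
    for ch in spec:
        if ch not in FLAG_BITS:
            raise ValueError("unknown TCP flag %r in %r" % (ch, spec))
        bits |= FLAG_BITS[ch]
    return bits


def parse_flags_option(option):
    """Parse the value of a `flags:` option: [!|*|+]<flags>[,<mask>].

    Returns (mode, wanted_bits, mask_bits).
    """
    option = option.strip().rstrip(";")
    mode = "normal"
    if option and option[0] in "!*+":
        mode = {"!": "not", "*": "any", "+": "all"}[option[0]]
        option = option[1:]
    flag_part, _, mask_part = option.partition(",")
    mask = parse_flag_set(mask_part) if mask_part else 0
    return mode, parse_flag_set(flag_part), mask


def flags_match(option, th_flags):
    """Apply a `flags:` option to a packet's 8-bit TCP flags field.

    Mask bits are cleared from the packet's flags before the comparison,
    so a masked bit may be set or clear without changing the result.
    """
    mode, want, mask = parse_flags_option(option)
    seen = th_flags & ~mask & 0xFF
    if mode == "normal":
        return seen == want                 # exactly these flags
    if mode == "all":
        return (seen & want) == want        # these flags, others allowed
    if mode == "any":
        return (seen & want) != 0           # at least one of these flags
    return (seen & want) == 0               # "not": none of these flags


def evaluate_rules(rules, packets):
    """Return {rule label: [names of packets the rule matches]}."""
    return {
        label: [name for name, th_flags in packets if flags_match(option, th_flags)]
        for label, option in rules
    }


_S, _F, _A, _CWR, _ECE = (FLAG_BITS[k] for k in "SFA12")

# Constructed packets (not from the capture in the thread): a SYN/FIN probe,
# the same probe with CWR and/or ECE added, and a normal SYN/ACK as a control.
PACKETS = [
    ("SF", _S | _F),
    ("SF+CWR", _S | _F | _CWR),
    ("SF+ECE", _S | _F | _ECE),
    ("SF+CWR+ECE", _S | _F | _CWR | _ECE),
    ("SA", _S | _A),
]

# The five flags forms from the thread, plus an unmasked SF rule for comparison.
RULES = [
    ("plain SF", "SF"),
    ("ECE 1 (SF1)", "SF1"),
    ("ECE 2 (SF2)", "SF2"),
    ("ECE 3 (SF,12)", "SF,12"),
    ("ECE 4 (SF,1)", "SF,1"),
    ("ECE 5 (SF1,2)", "SF1,2"),
]

if __name__ == "__main__":
    for label, names in evaluate_rules(RULES, PACKETS).items():
        print("%-16s matches: %s" % (label, ", ".join(names) or "(nothing)"))
```

The point of the table the script prints: "plain SF" matches only the bare SYN/FIN probe, so an attacker who sets CWR or ECE walks past it; "SF1" and "SF2" each catch exactly one of the variants; only "SF,12" catches all four, because the mask tells Snort to ignore both ECN bits before comparing.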