[Snort-users] Stupid rule question

Jim Forster jforster at ...176...
Mon Mar 26 15:46:35 EST 2001


Yep - ports are backwards.  I'll fix it this afternoon if I get a
second.
I've seen a few kiddies scanning for telnet, cmd, ftp, etc. on the NT
servers here, so I just added it to catch them.
(Although the reversed ports seem to have hit the database)  :P


Fyodor wrote:
> 
> On Mon, Mar 26, 2001 at 11:50:24AM -0700, Ryan Russell wrote:
> > So, I'm looking at some of the rules on the snort.org site, and there are
> > several like this under the WEB-MISC category:
> >
> > alert tcp $EXTERNAL_NET 80 -> $HTTP_SERVERS any (msg:"WEB-MISC telnet
> > attempt";flags: A+; content:"telnet.exe"; nocase;)
> >
> > My question has to do with the port numbers.  If I'm reading this right,
> > the rule is looking for packets from outside, from TCP port 80, to your
> > web servers, on any port.  By my thinking, this implies your web servers
> > acting as web clients to outside machines.  And, it's looking for
> > telnet.exe in the content, implying that your web server has downloaded a
> > page with that in it.  I'm not even sure what exploit this would be for...
> > any client-side holes I would expect to use telnet:// instead.
> >
> > If the any and 80 were reversed, it would make sense to me... it would be
> > watching for an attempt to call telnet.exe on your web server.
> >
> > What am I misunderstanding?
> 
> Unless the port number is misplaced (i.e. the right way to have this rule would
> be 'alert tcp $EXTERNAL any -> $HTTP_SERVERS 80 (..)') the purpose of this rule
> is not clear to me either. IMHO there are possibilities that someone from outside
> may want to exec reverse telnet on your webserver and pipe something to it, but...
> 
> Hmm.. a few things which I could think of are:
> 
> * your firewall is misconfigured and allows port 80 connections in both
> directions; you may want to see if anyone from outside will use port 80 as
> source and attempt to connect to your webserver (why only webserver then?:))
> and launch reverse telnet or something.. still kinda dodgy model, cuz you
> probably would want to fix your firewall first in this case. :)
> 
> * someone will use your http server to bounce requests to some other server where
> he would be able to exec telnet.exe (and the binary name will be in HTTP headers),
> and you want to see it as well, but it sounds kinda far-fetched to me, I don't remember
> any real-world vulnerabilities matching this pattern. :)
> 
> if it helps.. :)
> 
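The reversed-port pattern Ryan describes (a fixed port on the external side, `any` on the protected server, direction `->`) can be caught mechanically before a rule reaches the sensor. The Python script below is an added example, not code from the thread or from the Snort project: it parses a one-line Snort rule into header fields and options, flags rules that match that pattern, and emits the port-swapped form Fyodor suggests. The `SERVER_VARS` set, the `audit` helper and the sample rule strings are assumptions for illustration; the sample rules are the one quoted in the thread and its corrected counterpart.

```python
"""Added example (not from the thread or Snort): find rules whose ports look reversed."""
import re

# Snort rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

# Variables that name protected servers in snort.conf (assumed set; extend to taste).
SERVER_VARS = {"$HTTP_SERVERS", "$SMTP_SERVERS", "$DNS_SERVERS", "$SQL_SERVERS"}

# Constructed samples: the rule quoted in the thread and its corrected form.
REVERSED_RULE = (
    'alert tcp $EXTERNAL_NET 80 -> $HTTP_SERVERS any '
    '(msg:"WEB-MISC telnet attempt"; flags: A+; content:"telnet.exe"; nocase;)'
)
CORRECTED_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
    '(msg:"WEB-MISC telnet attempt"; flags: A+; content:"telnet.exe"; nocase;)'
)


def split_options(opts):
    """Split the option body on ';' but not inside double quotes.
    (Backslash escapes inside quoted strings are not handled here.)"""
    out, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            tok = ''.join(buf).strip()
            if tok:
                out.append(tok)
            buf = []
        else:
            buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        out.append(tail)
    return out


def parse_rule(rule):
    """Parse a one-line rule into header fields plus an options dict.
    Flag-only options such as 'nocase' map to True."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a single-line Snort rule: %r" % rule)
    parsed = m.groupdict()
    options = {}
    for tok in split_options(parsed['opts']):
        name, sep, value = tok.partition(':')
        options[name.strip()] = value.strip().strip('"') if sep else True
    parsed['options'] = options
    return parsed


def looks_reversed(parsed):
    """The pattern questioned in the thread: a fixed source port on the external
    side, 'any' destination port on a protected server, direction '->'.
    Client-to-server inspection wants the fixed port on the destination."""
    return (parsed['dir'] == '->'
            and parsed['dst'] in SERVER_VARS
            and parsed['sport'].isdigit()
            and parsed['dport'].lower() == 'any')


def swap_ports(parsed):
    """Rebuild the rule text with source and destination ports exchanged."""
    p = dict(parsed)
    p['sport'], p['dport'] = p['dport'], p['sport']
    return '%(action)s %(proto)s %(src)s %(sport)s %(dir)s %(dst)s %(dport)s (%(opts)s)' % p


def audit(rules):
    """Return (msg, suggested rule) for each rule whose ports look reversed."""
    findings = []
    for rule in rules:
        parsed = parse_rule(rule)
        if looks_reversed(parsed):
            findings.append((parsed['options'].get('msg', '?'), swap_ports(parsed)))
    return findings


if __name__ == '__main__':
    for msg, fix in audit([REVERSED_RULE, CORRECTED_RULE]):
        print('ports look reversed in %r; suggested: %s' % (msg, fix))
```

Running the script prints one finding for the quoted rule and none for the corrected one. The check is deliberately narrow: it only fires when the destination is a named server variable, so legitimate client-side rules (`$EXTERNAL_NET 80 -> $HOME_NET any`) are left alone, which is exactly the distinction Ryan draws between a server being attacked and a server acting as a client.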