[Snort-users] Bug in 1.8.1-RELEASE with flexresp?

Jason Haar Jason.Haar at ...294...
Wed Oct 3 16:17:02 EDT 2001


Snort system: RH 6.2 with snort-1.8.1-RELEASE with libnids-1.16 and
libnet-1.0.2a.

For a while I had the rule:

alert tcp any any -> any 80 (msg:"CodeRed blocker";flags: A+;
uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552;
classtype:attempted-admin; reference:cve,CAN-2000-0071; sid:1243; rev:1;
resp:rst_all;)

Pretty severe, but I was worried about the IIS server there...

Anyway, it couldn't last. There were some internal users uploading binaries
to a Web server covered by the IDS, and their POSTs were failing... So I
look at the logs, and there are NO instances of snort whacking them. I'm
seeing "CodeRed blocker" log entries from true CodeRed scans, but nothing
related to these internal addresses having problems. Anyway, I disabled the
resp: part, and their problem was solved....

Turning it back on again, I got tcpdump running and they did the POST action
again - the last half-dozen packets are RSTs from the Web server in question -
i.e. it *WAS* the flexresp rule triggering in.

Now, I realise that matching on a string like ".ida?" is quite likely to
have false positives, but *why* didn't Snort log it? I log via syslog and to
MySQL and neither of them showed these hits...

Anyone else seeing this problem?

-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
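As an added illustration (not code from this post or from the Snort project), a small Python audit of a rule in the format quoted above: it splits the header and option list, reports duplicated options, and flags active-response keywords such as resp: so that rules which will send resets can be reviewed before deployment. The parser is a simplified, hypothetical one and assumes the rule text is on a single line.

```python
import re

# Constructed sample: the rule from the post, joined onto one line.
CODERED_RULE = (
    'alert tcp any any -> any 80 (msg:"CodeRed blocker";flags: A+; '
    'uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; '
    'classtype:attempted-admin; reference:cve,CAN-2000-0071; sid:1243; rev:1; '
    'resp:rst_all;)'
)

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)
ACTIVE_RESPONSE = {"resp", "react"}   # keywords that make Snort send traffic
REPEATABLE = {"reference", "content", "uricontent"}  # legitimately repeated

def split_options(body):
    """Split the option body on ';' outside double quotes -> [(key, value)]."""
    tokens, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            if ''.join(cur).strip():
                tokens.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if ''.join(cur).strip():
        tokens.append(''.join(cur).strip())
    # 'nocase' has no value; 'dsize:>239' keeps everything after the first ':'
    return [(k.strip(), v.strip()) for k, _, v in (t.partition(':') for t in tokens)]

def parse_rule(rule):
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a recognised snort rule")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport,
            "options": split_options(body)}

def audit_rule(rule):
    """Return human-readable findings a reviewer would want to see."""
    parsed = parse_rule(rule)
    opts = parsed["options"]
    sid = dict(opts).get("sid", "?")
    keys = [k for k, _ in opts]
    findings = [f"sid {sid}: duplicate option '{k}'"
                for k in sorted(set(keys)) if keys.count(k) > 1 and k not in REPEATABLE]
    findings += [f"sid {sid}: active response '{k}:{v}' will send packets"
                 for k, v in opts if k in ACTIVE_RESPONSE]
    return findings

if __name__ == "__main__":
    print("\n".join(audit_rule(CODERED_RULE)))
```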