[Snort-users] snort sees no fragmented attack

Holger.Woehle at ...2701...
Fri Aug 9 02:30:02 EDT 2002


Hello,
why doesn't snort see the following attack:

echo "GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps" | nc

The attacking station has its interface MTU set to 100!

08/08-18:36:30.670126 0.0.0.0:33112 -> 0.0.0.0:80
TCP TTL:63 TOS:0x0 ID:54348 IpLen:20 DgmLen:100 DF
***A**** Seq: 0xD1AFFB8  Ack: 0xFCCF700E  Win: 0x400  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1846269 1840913
47 45 54 20 2F 61 61 61 61 61 61 61 2F 61 61 61  GET /aaaaaaa/aaa
2F 61 61 61 61 61 2F 61 61 61 61 61 61 61 61 2F  /aaaaa/aaaaaaaa/
61 61 61 61 61 61 61 2F 62 63 63 2F 62 69 6E 2F  aaaaaaa/bcc/bin/

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/08-18:36:30.670152 0.0.0.0:33112 -> 0.0.0.0:80
TCP TTL:63 TOS:0x0 ID:54349 IpLen:20 DgmLen:55 DF
***AP*** Seq: 0xD1AFFE8  Ack: 0xFCCF700E  Win: 0x400  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1846269 1840913
70 73 0A                                         ps.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Snort does not reassemble the packets, and so it does not recognize this attack!
Can I adjust the preprocessors or the rule to catch this attack?

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps
command attempt"; flags:A+; uricontent:"/bin/ps"; nocase; sid:1328;
classtype:web-application-attack; rev:4;)


with regards
Holger Wöhle
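The two dumps above show why a packet-at-a-time content match cannot fire: the string "/bin/ps" is split across the two TCP segments ("/bin/" ends the first, "ps\n" is the whole second), so neither payload contains the pattern on its own. Detecting it requires putting the stream back together by sequence number before matching. The script below is an added illustration of that, not code from the post or from Snort: it rebuilds the two segments from the hex dumps (seq 0xD1AFFB8 with 48 bytes of payload, seq 0xD1AFFE8 with 3 bytes, exactly as the DgmLen/TcpLen fields imply), shows that per-packet matching misses the pattern, and shows that a minimal sequence-number reassembly finds it and recovers the full request URI. The Segment class, the reassembly policy (keep first-seen bytes on overlap, refuse gaps) and the helper names are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """One direction of a TCP stream, one segment (assumed structure for this example)."""
    seq: int
    payload: bytes


# Constructed from the two packet dumps in the post:
# seq 0xD1AFFB8 carries 48 bytes (DgmLen 100 - IpLen 20 - TcpLen 32),
# seq 0xD1AFFE8 (= 0xD1AFFB8 + 48) carries the remaining 3 bytes.
SEGMENTS = [
    Segment(0x0D1AFFB8, b"GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/"),
    Segment(0x0D1AFFE8, b"ps\n"),
]

PATTERN = b"/bin/ps"  # the uricontent of sid:1328, matched case-insensitively (nocase)


def match_per_packet(segments, pattern=PATTERN):
    """Packet-at-a-time matching: what a content rule sees without stream reassembly.

    Returns the sequence numbers of the segments whose own payload contains the pattern.
    """
    return [s.seq for s in segments if pattern.lower() in s.payload.lower()]


def reassemble(segments):
    """Rebuild one direction of a TCP stream from its segments by sequence number.

    Segments may arrive out of order or be retransmitted; on overlap the bytes seen
    first are kept (a simplification: real stream reassembly must pick a policy that
    matches the target host, because different stacks favour old or new data).
    A hole in the sequence space is reported rather than silently skipped.
    """
    ordered = sorted(segments, key=lambda s: s.seq)
    base = ordered[0].seq
    buf = bytearray()
    for s in ordered:
        offset = s.seq - base
        if offset > len(buf):
            raise ValueError(f"gap before seq {s.seq:#x}: {offset - len(buf)} bytes missing")
        # Drop the part of this payload that overlaps data already in the buffer.
        buf += s.payload[len(buf) - offset:]
    return bytes(buf)


def match_stream(segments, pattern=PATTERN):
    """The same pattern match, applied to the reassembled stream instead of each packet."""
    return pattern.lower() in reassemble(segments).lower()


def request_uri(stream):
    """Pull the URI out of the first request line of a reassembled HTTP stream.

    The request in the post has no HTTP-version token (it was sent with echo | nc),
    so only the first two whitespace-separated fields are assumed.
    """
    line = stream.split(b"\n", 1)[0]
    parts = line.split()
    return parts[1] if len(parts) >= 2 else b""


if __name__ == "__main__":
    print("per-packet hits:", match_per_packet(SEGMENTS))      # [] -> rule stays silent
    stream = reassemble(SEGMENTS)
    print("reassembled:", stream)
    print("stream hit:", match_stream(SEGMENTS))                # True
    print("uri:", request_uri(stream))
```

Running it prints an empty per-packet hit list and a hit on the reassembled stream, which is exactly the difference between inspecting the segments separately and inspecting the stream the server actually sees. Feeding the segments in reverse order or with a duplicate gives the same reassembled bytes, which is what a reassembly stage has to guarantee before content rules can be trusted on fragmented requests.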
