[Snort-users] snort sees no fragmented attack

Holger.Woehle at ...2701...
Fri Aug 9 03:15:03 EDT 2002


>Hello,
>why does snort see the following attack:
>
>echo "GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/bcc/bin/ps" | nc
>
>The attacking station has the interface MTU set to 100!
>
>08/08-18:36:30.670126 0.0.0.0:33112 -> 0.0.0.0:80
>TCP TTL:63 TOS:0x0 ID:54348 IpLen:20 DgmLen:100 DF
>***A**** Seq: 0xD1AFFB8  Ack: 0xFCCF700E  Win: 0x400  TcpLen: 32
>TCP Options (3) => NOP NOP TS: 1846269 1840913
>47 45 54 20 2F 61 61 61 61 61 61 61 2F 61 61 61  GET /aaaaaaa/aaa
>2F 61 61 61 61 61 2F 61 61 61 61 61 61 61 61 2F  /aaaaa/aaaaaaaa/
>61 61 61 61 61 61 61 2F 62 63 63 2F 62 69 6E 2F  aaaaaaa/bcc/bin/
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>08/08-18:36:30.670152 0.0.0.0:33112 -> 0.0.0.0:80
>TCP TTL:63 TOS:0x0 ID:54349 IpLen:20 DgmLen:55 DF
>***AP*** Seq: 0xD1AFFE8  Ack: 0xFCCF700E  Win: 0x400  TcpLen: 32
>TCP Options (3) => NOP NOP TS: 1846269 1840913
>70 73 0A                                         ps.
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>Snort does not reassemble the packet, and so it does not recognize this attack!
>Can I adjust the preprocessors or the rule to catch this attack?
>
>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps
>command attempt"; flags:A+; uricontent:"/bin/ps"; nocase; sid:1328;
>classtype:web-application-attack; rev:4;)
>
>
>with regards
>Holger Wöhle

...sorry, I forgot to attach the snort.conf


(See attached file: snort.conf)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 18292 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020809/f77be05f/attachment.obj>
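The two packet dumps in the post show the request split across TCP segments (not IP fragments): the first segment carries 48 bytes ending in "/bin/", the second carries "ps\n", and its sequence number 0xD1AFFE8 is exactly 0xD1AFFB8 + 48. A rule that inspects each packet on its own cannot match `/bin/ps` because the string never occurs inside a single payload; only a view of the reassembled stream contains it. The following script is an added illustration of that point, not code from the post or from Snort. It rebuilds the two segments from the hex dumps above (payload sizes check out against DgmLen 100/55 minus IpLen 20 and TcpLen 32), runs the rule's `uricontent:"/bin/ps"; nocase;` check per packet and then over a toy in-order reassembler (assumed here, not Snort's stream preprocessor), including the out-of-order and missing-segment cases a reassembler has to handle.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """One TCP segment: starting sequence number and application payload."""
    seq: int
    payload: bytes


# Constructed from the two packets quoted in the post.
# Seq 0xD1AFFB8, DgmLen 100 - IpLen 20 - TcpLen 32 = 48 payload bytes.
SEG1 = Segment(0x0D1AFFB8, b"GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/")
# Seq 0xD1AFFE8 (= 0xD1AFFB8 + 48), DgmLen 55 -> 3 payload bytes.
SEG2 = Segment(0x0D1AFFE8, b"ps\n")

# The rule's uricontent, matched case-insensitively (nocase).
PATTERN = b"/bin/ps"


def packet_matches(seg: Segment) -> bool:
    """Per-packet inspection: does this single payload contain the pattern?"""
    return PATTERN.lower() in seg.payload.lower()


def reassemble(segments, isn: int) -> bytes:
    """Toy in-order TCP reassembly starting at sequence number `isn`.

    Segments are ordered by sequence number; bytes already delivered are
    dropped (retransmission/overlap), and delivery stops at the first hole,
    because data beyond a missing segment cannot be handed to the detection
    engine yet. 32-bit sequence wrap-around is deliberately not handled here.
    """
    data = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > expected:
            break  # hole in the stream: wait for the missing segment
        offset = expected - seg.seq  # bytes of this segment we already have
        if offset < len(seg.payload):
            data += seg.payload[offset:]
            expected = seg.seq + len(seg.payload)
    return bytes(data)


def stream_matches(segments, isn: int) -> bool:
    """Stream inspection: does the reassembled data contain the pattern?"""
    return PATTERN.lower() in reassemble(segments, isn).lower()


def request_uri(data: bytes) -> bytes:
    """Pull the URI out of a request line such as b'GET /path ...'."""
    request_line = data.split(b"\n", 1)[0]
    parts = request_line.split(b" ")
    return parts[1] if len(parts) > 1 else b""


if __name__ == "__main__":
    for seg in (SEG1, SEG2):
        print(f"packet seq=0x{seg.seq:X} matches: {packet_matches(seg)}")
    print("stream (in order)     matches:", stream_matches([SEG1, SEG2], SEG1.seq))
    print("stream (out of order) matches:", stream_matches([SEG2, SEG1], SEG1.seq))
    print("stream (SEG1 missing) matches:", stream_matches([SEG2], SEG1.seq))
    print("URI:", request_uri(reassemble([SEG1, SEG2], SEG1.seq)))
```

Neither packet matches on its own, while the reassembled stream matches regardless of arrival order, and a stream missing its first segment correctly yields nothing to inspect. This is the gap the question describes: the rule is fine, but it can only fire if a stream reassembly preprocessor (stream4 in Snort of that era) hands the engine the rebuilt stream rather than the individual segments.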

