[Snort-users] snort sees no fragmented attack
cmg at ...1935...
Fri Aug 9 05:35:02 EDT 2002
Holger.Woehle at ...2701... writes:
> why does snort see the following attack:
> echo "GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps" | nc
> Snort does not reassemble the packet, and so it does not recognize
> this attack!
Snort Version? OS? Platform? Have you tried against 1.9beta2?
> Can I adjust the preprocessors or the rule to catch this attack?
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps
> command attempt"; flags:A+; uricontent:"/bin/ps"; nocase; sid:1328;
> classtype:web-application-attack; rev:4;)
Please send me traffic captures of this attack if you can. I would
like to see why it's not working in your environment.
tcpdump -i eth0 -s 1514 host attackerip -w fragmented-ps.cap
Chris Green <cmg at ...1935...>
A good pun is its own reword.
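An added example, not from this thread or from Snort's own code, showing the detection gap the message describes: the quoted sid:1328 rule's uricontent never matches a single segment when the request line is split across two TCP segments, but does match once the stream is reassembled in sequence order. The request bytes, cut point and sequence numbers are constructed for the demonstration.

```python
# Constructed HTTP request (the one piped into nc above) and the content
# string from the quoted rule. "nocase" is honoured by lower-casing.
REQUEST = b"GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps HTTP/1.0\r\n\r\n"
RULE_URICONTENT = b"/bin/ps"


def split_into_segments(data, cut_points, isn=1000):
    """Split data into (seq, payload) TCP segments at the given byte offsets."""
    bounds = [0] + list(cut_points) + [len(data)]
    return [(isn + a, data[a:b]) for a, b in zip(bounds, bounds[1:])]


def per_packet_match(segments, pattern):
    """Inspect every segment on its own, as a sensor without reassembly would."""
    return any(pattern.lower() in payload.lower() for _, payload in segments)


def reassemble(segments):
    """Order segments by sequence number, trim retransmitted overlap, join them."""
    stream = bytearray()
    expected = None
    for seq, payload in sorted(segments):
        if expected is None:
            expected = seq
        if seq < expected:              # overlap / retransmit: keep only new bytes
            payload = payload[expected - seq:]
            seq = expected
        if seq > expected:              # hole in the stream: refuse to guess
            raise ValueError(f"missing bytes before seq {seq}")
        stream += payload
        expected = seq + len(payload)
    return bytes(stream)


def stream_match(segments, pattern):
    """Match the pattern against the reassembled stream instead of each packet."""
    return pattern.lower() in reassemble(segments).lower()


if __name__ == "__main__":
    cut = REQUEST.index(RULE_URICONTENT) + 3          # cut inside "/bin/ps"
    segs = split_into_segments(REQUEST, [cut])
    print("per-packet match :", per_packet_match(segs, RULE_URICONTENT))
    print("reassembled match:", stream_match(segs, RULE_URICONTENT))
```

With the cut inside the content string the first line prints False and the second True, which is the behaviour the thread attributes to a sensor running without stream reassembly.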