Reply: Re: [Snort-users] snort sees no fragmented attack

Holger.Woehle at ...2701... Holger.Woehle at ...2701...
Mon Aug 12 02:09:02 EDT 2002


Hello,
I am using snort 1.8.7 on Linux kernel 2.4.18, Intel Pentium 4 with 256 MByte RAM.
Please see the attached snort dump (snort -b) with the attack dump and the
snort.conf.

with regards
Holger
(See attached file: snort.tar.gz)




Chris Green <cmg at ...1935...>
09.08.2002 13:28

Please reply to snort-users at lists.sourceforge.net

To:     Holger Wöhle/PSD/Eschborn/Arcor at ...6581...
Cc:     snort-users at lists.sourceforge.net
Subject:  Re: [Snort-users] snort sees no fragmented attack



Holger.Woehle at ...2701... writes:

> Hello,
> why does snort not see the following attack:
>
> echo "GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps" | nc
>
> Snort does not reassemble the packet, and so it does not recognize
> this attack!

Snort Version? OS? Platform? Have you tried against 1.9beta2?

> Can I adjust the preprocessors or the rule to catch this attack?
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps
> command attempt"; flags:A+; uricontent:"/bin/ps"; nocase; sid:1328;
> classtype:web-application-attack; rev:4;)
>

Please send me traffic captures of this attack if you can.  I would
like to see why it's not working in your environment.

tcpdump -i eth0 -s 1514 host attackerip -w fragmented-ps.cap
--
Chris Green <cmg at ...1935...>
A good pun is its own reword.
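The failure discussed in this thread, as an added example that is not code from the thread or from Snort: the URI from the quoted request is cut across TCP segments so that "/bin/ps" straddles a boundary, a per-segment match (no stream reassembly) misses it, and matching after ordering the segments by sequence number catches it again, also when they arrive out of order. The HTTP/1.0 trailer, the segment sizes and the overlap policy are assumptions for the demonstration.

```python
# Added example, not code from the thread or from Snort: shows why a per-packet
# uricontent match can miss a URI split across TCP segments, and how ordering the
# segments by sequence number before matching restores detection.
# All segment data below is constructed for the demonstration.
from dataclasses import dataclass

PATTERN = b"/bin/ps"   # uricontent of the quoted sid:1328 rule (matched nocase)
# The request from the thread; an HTTP/1.0 trailer is assumed to complete it.
REQUEST = b"GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps HTTP/1.0\r\n\r\n"

@dataclass
class Segment:
    seq: int      # relative TCP sequence number of the first payload byte
    data: bytes   # payload carried by this segment

def split_request(request, sizes):
    """Cut a request into in-order segments of the given byte sizes (+ remainder)."""
    segs, pos = [], 0
    for n in sizes:
        segs.append(Segment(pos, request[pos:pos + n]))
        pos += n
    segs.append(Segment(pos, request[pos:]))
    return segs

def reassemble(segments):
    """Join segments in sequence order. Returns None on a gap (bytes missing),
    so the caller never inspects a stream with a hole in it. On overlap the
    lower-sequence copy wins (assumed policy; a real IDS must match the host)."""
    buf, have = bytearray(), 0
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.data)
        if seg.seq > have:
            return None
        if end > have:
            buf += seg.data[have - seg.seq:]
            have = end
    return bytes(buf)

def matches_per_packet(segments, pattern=PATTERN):
    """What a match without stream reassembly sees: each segment on its own."""
    return any(pattern in s.data.lower() for s in segments)

def matches_stream(segments, pattern=PATTERN):
    """The same match after reassembly; out-of-order arrival no longer matters."""
    stream = reassemble(segments)
    return stream is not None and pattern in stream.lower()

# Usage: segs = split_request(REQUEST, [20, 26]) puts "/bin/ps" across a cut;
# matches_per_packet(segs) is False, matches_stream(segs[::-1]) is True.
```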




-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.tar.gz
Type: application/octet-stream
Size: 7631 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020812/ef624c43/attachment.obj>

