[Snort-users] Should snort react this way?

Chris Green cmg at ...671...
Fri Jan 4 22:54:02 EST 2002


"Ronneil Camara" <ronneilc at ...4042...> writes:

> Hi to everyone on the list.
>
> I would just like to confirm if snort should really behave this way. I configured
> snort with flexresp. I added "resp: rst_all" on a rule in web-iis and attack-responses
> rule that is related to cmd.exe and http dir listing.
>
> I attacked my default installation of IIS server (unicode) then I was still able to
> see the dir listings but snort, fortunately send a RST to both parties.
>
> The parameter that I used was scripts/..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\+/s
>
> My question is, why is it that I was still able to see a dir listing of about
> 30%-40% of the complete listing before my internet browser sensed a RST?
>

Because it is a race condition between the machines talking and snort.
Since the Directory info can fit in a couple packets, its a race to
send the rst before the OS ( that had a head start ).

On a local net, you're going to have a very high "miss" statistic and
the more lag you have between the two end points, the more time you
will have to fire off rsts.

resp is a good try but its not 100% reliable.
-- 
Chris Green <cmg at ...671...>
Don't use a big word where a diminutive one will suffice.




More information about the Snort-users mailing list