[Snort-users] Bug/Feature in Snort?

Martin Roesch roesch at ...1935...
Sun Mar 10 20:59:12 EST 2002


That doesn't look right.  Can you read your BUGS file and fill in the
information that we need to perform a proper analysis of the problem?

     -Marty

On 3/10/02 6:27 PM, "Paul Farley" <Paul.Farley at ...5111...> wrote:

> All,  
> 
> If you observe the TTL values for all three of the alerts, the 1st and
> 3rd packets have a TTL of 115, which is reasonable considering this
> attack originates from Windows hosts, and often the starting TTL value
> for Windows hosts is 128.  The 2nd packet however has a TTL of 255,
> which is inconsistent with the other two packets.  In addition the
> sequence numbers are not in order as expected (unless packets arrived
> out of order and then they would still be close to each other), and
> further caused me to question the 2nd alert.
> 
> "Packet #1" Snort Timestamp - 02/16-03:25:26.647724 , Seq # 0xE74AC174
> "Packet #2" Snort Timestamp - 02/16-03:25:26.843748 , Seq # 0x74C14AE7
> "Packet #3" Snort Timestamp - 02/16-03:25:27.137076 , Seq # 0xE75FC315
> 
> "Packet #2" appears to be an ack from my server back to the attacker, so
> I'm puzzled about why the alert fired on that packet and reported it
> attacker -> my.net and the TTL for that packet is 127, not 255.
> 
> Could this be a Snort bug or am I missing something obvious?
> 
> The Snort Alert:
> 
> [**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/16-03:25:26.647724 66.76.77.48:4832 -> MY.NET.9.170:80
> TCP TTL:115 TOS:0x0 ID:26092 IpLen:20 DgmLen:112 DF
> ***AP*** Seq: 0xE74AC174  Ack: 0x4A529D53  Win: 0x4470  TcpLen: 20
> [Xref => http://www.cert.org/advisories/CA-2001-19.html]
> 
> [**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/16-03:25:26.843748 66.76.77.48:4832 -> MY.NET.9.170:80
> TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:112
> ***AP*** Seq: 0x74C14AE7  Ack: 0x74C14AE7  Win: 0x4428  TcpLen: 20
> [Xref => http://www.cert.org/advisories/CA-2001-19.html]
> 
> [**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/16-03:25:27.137076 66.76.77.48:4889 -> MY.NET.9.170:80
> TCP TTL:115 TOS:0x0 ID:26172 IpLen:20 DgmLen:162 DF
> ***AP*** Seq: 0xE75FC315  Ack: 0x4A558268  Win: 0x4470  TcpLen: 20
> [Xref => http://www.cert.org/advisories/CA-2001-19.html]
> 
> 
> The snort rule that fired the alert:
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2
> root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase;
> classtype:web-application-attack;
> reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:3;)
> 
> Summary of traffic between the two hosts on port 4832 and port 80 (the
> first two alerts).
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+
> 02/16-03:25:26.575601 66.76.77.48:4832 -> MY.NET.9.170:80
> TCP TTL:115 TOS:0x0 ID:26085 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0xE74AC173  Ack: 0x0  Win: 0x4000  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+
> 
> 02/16-03:25:26.577224 MY.NET.9.170:80 -> 66.76.77.48:4832
> TCP TTL:127 TOS:0x0 ID:49656 IpLen:20 DgmLen:48 DF
> ***A**S* Seq: 0x4A529D52  Ack: 0xE74AC174  Win: 0x4470  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+
> 
> 02/16-03:25:26.636690 66.76.77.48:4832 -> MY.NET.9.170:80
> TCP TTL:115 TOS:0x0 ID:26091 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0xE74AC174  Ack: 0x4A529D53  Win: 0x4470  TcpLen: 20
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+
> 
> 02/16-03:25:26.647724 66.76.77.48:4832 -> MY.NET.9.170:80
> TCP TTL:115 TOS:0x0 ID:26092 IpLen:20 DgmLen:112 DF
> ***AP*** Seq: 0xE74AC174  Ack: 0x4A529D53  Win: 0x4470  TcpLen: 20
> 47 45 54 20 2F 73 63 72 69 70 74 73 2F 72 6F 6F  GET /scripts/roo
> 74 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54  t.exe?/c+dir HTT
> 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77  P/1.0..Host: www
> 0D 0A 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63  ..Connnection: c
> 6C 6F 73 65 0D 0A 0D 0A                          lose....
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+
> 
> 02/16-03:25:26.843748 MY.NET.9.170:80 -> 66.76.77.48:4832
> TCP TTL:127 TOS:0x0 ID:49657 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x4A529D53  Ack: 0xE74AC1BC  Win: 0x4428  TcpLen: 20
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+
> 
> 02/16-03:25:26.980743 MY.NET.9.170:80 -> 66.76.77.48:4832
> TCP TTL:127 TOS:0x0 ID:49658 IpLen:20 DgmLen:228 DF
> ***AP*** Seq: 0x4A529D53  Ack: 0xE74AC1BC  Win: 0x4428  TcpLen: 20
> 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
> 0A 53 65 72 76 65 72 3A 20 4D 69 63 72 6F 73 6F  .Server: Microso
> 66 74 2D 49 49 53 2F 35 2E 30 0D 0A 44 61 74 65  ft-IIS/5.0..Date
> 3A 20 53 61 74 2C 20 31 36 20 46 65 62 20 32 30  : Sat, 16 Feb 20
> 30 32 20 30 38 3A 32 33 3A 32 39 20 47 4D 54 0D  02 08:23:29 GMT.
> 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61  .Content-Type: a
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+
> 
> 02/16-03:25:26.983042 MY.NET.9.170:80 -> 66.76.77.48:4832
> TCP TTL:127 TOS:0x0 ID:49659 IpLen:20 DgmLen:1500 DF
> ***AP*** Seq: 0x4A529E0F  Ack: 0xE74AC1BC  Win: 0x4428  TcpLen: 20
> 20 44 69 72 65 63 74 6F 72 79 20 6F 66 20 63 3A   Directory of c:
> 5C 69 6E 65 74 70 75 62 5C 73 63 72 69 70 74 73  \inetpub\scripts
> 0D 0A 0D 0A 30 32 2F 31 30 2F 32 30 30 32 20 20  ....02/10/2002
> 30 33 3A 30 39 61 20 20 20 20 20 20 3C 44 49 52  03:09a      <DIR
> 3E 20 20 20 20 20 20 20 20 20 20 2E 0D 0A 30 32  >          ...02
> 2F 31 30 2F 32 30 30 32 20 20 30 33 3A 30 39 61  /10/2002  03:09a
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+
> 
> 02/16-03:25:26.983407 MY.NET.9.170:80 -> 66.76.77.48:4832
> TCP TTL:127 TOS:0x0 ID:49660 IpLen:20 DgmLen:420 DF
> ***AP*** Seq: 0x4A52A3C3  Ack: 0xE74AC1BC  Win: 0x4428  TcpLen: 20
> 30 39 3A 33 32 70 20 20 20 20 20 20 20 20 20 20  09:32p
> 20 20 20 20 20 20 20 20 20 30 20 54 46 54 50 31           0 TFTP1
> 37 39 36 0D 0A 30 39 2F 31 39 2F 32 30 30 31 20  796..09/19/2001
> 20 30 32 3A 31 36 61 20 20 20 20 20 20 20 20 20   02:16a
> 20 20 20 20 20 20 20 20 20 20 30 20 54 46 54 50            0 TFTP
> 31 38 36 38 0D 0A 31 30 2F 32 39 2F 32 30 30 31  1868..10/29/2001
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+
> 
> 02/16-03:25:27.059130 66.76.77.48:4832 -> MY.NET.9.170:80
> TCP TTL:115 TOS:0x0 ID:26157 IpLen:20 DgmLen:40 DF
> *****R** Seq: 0xE74AC1BC  Ack: 0xE759BEB6  Win: 0x0  TcpLen: 20
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+
> 
> 02/16-03:25:27.079110 66.76.77.48:4832 -> MY.NET.9.170:80
> TCP TTL:115 TOS:0x0 ID:26162 IpLen:20 DgmLen:40
> *****R** Seq: 0xE74AC1BC  Ack: 0xE74AC1BC  Win: 0x0  TcpLen: 20
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+
> 
> 02/16-03:25:27.080710 66.76.77.48:4832 -> MY.NET.9.170:80
> TCP TTL:115 TOS:0x0 ID:26163 IpLen:20 DgmLen:40
> *****R** Seq: 0xE74AC1BC  Ack: 0xE74AC1BC  Win: 0x0  TcpLen: 20
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+
> 
> 
> Regards,
> 
> Paul Farley
> EventLevel, Inc.
> 678-429-2716
> Paul.Farley at ...5111...
> SMS Message: 6784292716 at ...5208...
> http://www.eventlevel.com
> 
> 
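An added example, not from the thread: a small Python script that parses Snort full-format alerts and applies the consistency checks Paul walks through above (a TTL out of line with the same source's other alerts, Seq equal to Ack, IP ID 0 without DF), plus one further observation from the posted values: the second alert's Seq 0x74C14AE7 is 0xE74AC174 with its four bytes in reverse order. The sample alerts are the three quoted in the post; the TTL spread of 8 is an assumed threshold, and both members of a byte-reversed pair are reported because the script cannot tell which one is mangled.

```python
import re
# Constructed sample: the three alerts quoted in the post, reduced to the
# Snort "full" alert lines this script reads (header, IP and TCP lines).
SAMPLE_ALERTS = """\
02/16-03:25:26.647724 66.76.77.48:4832 -> MY.NET.9.170:80
TCP TTL:115 TOS:0x0 ID:26092 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xE74AC174  Ack: 0x4A529D53  Win: 0x4470  TcpLen: 20

02/16-03:25:26.843748 66.76.77.48:4832 -> MY.NET.9.170:80
TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:112
***AP*** Seq: 0x74C14AE7  Ack: 0x74C14AE7  Win: 0x4428  TcpLen: 20

02/16-03:25:27.137076 66.76.77.48:4889 -> MY.NET.9.170:80
TCP TTL:115 TOS:0x0 ID:26172 IpLen:20 DgmLen:162 DF
***AP*** Seq: 0xE75FC315  Ack: 0x4A558268  Win: 0x4470  TcpLen: 20
"""

HDR = re.compile(r"^(\S+) (\S+):\d+ -> \S+:\d+$")
IPL = re.compile(r"^TCP TTL:(\d+) .*ID:(\d+) .*DgmLen:\d+( DF)?$")
TCPL = re.compile(r"^\S{8} Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)")

def parse_alerts(text):
    """Return one dict per alert: timestamp, source, TTL, IP id, DF flag, seq, ack."""
    alerts = []
    for block in text.strip().split("\n\n"):
        h, ip, tcp = (rx.match(ln) for rx, ln in zip((HDR, IPL, TCPL), block.splitlines()))
        alerts.append({"ts": h.group(1), "src": h.group(2), "ttl": int(ip.group(1)),
                       "id": int(ip.group(2)), "df": ip.group(3) is not None,
                       "seq": int(tcp.group(1), 16), "ack": int(tcp.group(2), 16)})
    return alerts

def byteswap32(v):
    # 0xE74AC174 -> 0x74C14AE7: the same 32-bit value read in the opposite byte order
    return int.from_bytes(v.to_bytes(4, "big")[::-1], "big")

def reasons_for(a, alerts):
    """Why alert `a` does not fit the other alerts from the same source (empty if it does)."""
    others = [o for o in alerts if o is not a and o["src"] == a["src"]]
    reasons = []
    if others and all(abs(a["ttl"] - o["ttl"]) > 8 for o in others):  # 8: assumed spread
        reasons.append("ttl %d differs from the source's other alerts" % a["ttl"])
    if a["seq"] == a["ack"]:
        reasons.append("seq == ack")
    if any(byteswap32(a["seq"]) == o["seq"] for o in others):
        reasons.append("seq is the byte-reversed seq of another alert")
    if a["id"] == 0 and not a["df"]:
        reasons.append("IP id 0 without DF")
    return reasons

def suspicious(alerts):
    return [(i, r) for i, a in enumerate(alerts) if (r := reasons_for(a, alerts))]
```

Running `suspicious(parse_alerts(SAMPLE_ALERTS))` reports the second alert on all four checks and the first only as the other half of the byte-reversed pair; the third alert passes.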