[Snort-users] Snort+flexresp

Onie Camara neil at ...4898...
Thu Mar 28 17:16:51 EST 2002


Hi Bamm,

It worked when I modified resp:rst_all.  I placed a space after resp:

But flex-resp, from my testing, only sometimes kill my tcp session.

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP access from
anonymous"; flags:!R ; resp: rst_all;content:"anonymous";
classtype:not-suspicious; sid:1717; rev:2;)

So when i ftp to somewhere from the commandline, right after pressing Enter
key on the anonymous entry on username,
I get disconnected. I got impressed with that. But I tried it again, it
allowed me to login.

I tried both rst_all and rst_snd, same behavior.

So looks like, flex-resp code is not ready for production.


----- Original Message -----
From: "Bamm Visscher" <bamm at ...539...>
To: "Onie Camara" <neil at ...4898...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, March 28, 2002 6:04 PM
Subject: Re: [Snort-users] Snort+flexresp


> Neil,
>
> Try logging all the packets associated with your session and look to see
> that there are RESETs being sent. It should work.
>
> Bammkkkk
>
> On Thu, 2002-03-28 at 09:50, Onie Camara wrote:
> > Ok. I created a rule.
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP access from
> > anonymous"; flags:!R ; resp:rst_all;content:"anonymous";
> > classtype:not-suspicious; sid:1717; rev:2;)
> >
> > And here is the log:
> >
> > [**] [1:1717:2] FTP access from anonymous [**]
> > [Classification: Not Suspicious Traffic] [Priority: 3]
> > 03/28-09:45:49.271952 192.168.0.112:1062 -> 129.128.5.191:21
> > TCP TTL:64 TOS:0x10 ID:60673 IpLen:20 DgmLen:68 DF
> > ***AP*** Seq: 0xF518481  Ack: 0x678EB95E  Win: 0x8218  TcpLen: 32
> > TCP Options (3) => NOP NOP TS: 11758512 213343883
> >
> > You mentioned that flex-resp is friendly to ssh, ftp, .etc. How come my
> > session
> > wasn't kill by my rule?
> >
> > What's wrong with my rule? I even tried it with flags: A+, still didn't
> > work.
> > But I still admin that I am not good on those flags.
> >
> > Thank you.
> >
> >
> > ----- Original Message -----
> > From: "Bamm Visscher" <bamm at ...539...>
> > To: "Ronneil Camara" <ronneilc at ...4042...>
> > Cc: <snort-users at lists.sourceforge.net>
> > Sent: Wednesday, March 27, 2002 7:06 AM
> > Subject: RE: [Snort-users] Snort+flexresp
> >
> >
> > > Neil,
> > >
> > > There is no way to force flex-resp to be successful against HTTP. Most
> > > of the time, the source of an HTTP connection sends five packets. Two
> > > for establishing the session (syn then ack), and two to tear down the
> > > session (fin/ack and ack). Plus one that contains the GET/POST/etc
> > > request (usually a push/ack). It is impossible for flex-resp to kill
> > > this session before the dest gets the GET/POST/etc, and thus it is
> > > impossible to create a rule to prevent the server from processing the
> > > GET/POST/etc request. If for some reason, the GET/POST/etc contains so
> > > much data that it is spread across multiple packets, then you may have
a
> > > slim chance at killing the session before the dest processes the
request
> > > (may the network lag be with you).
> > >
> > > The dest is going to send as many packets as it takes to return the
info
> > > requested, but killing the connection at that time is almost pointless
> > > since the server has already processed the perps request/command. At
> > > best you might prevent the perp from seeing all the results of a
> > > directory listing.
> > >
> > > BTW, this is not a snort specific problem. It affect every IDS using
> > > tcp-resets to kill connections.
> > >
> > > Bammkkkk
> > >
> > >
> > > On Wed, 2002-03-27 at 00:36, Ronneil Camara wrote:
> > > > Hi Bamm,
> > > >
> > > > I got impressed on how you answered your every post on this thread.
> > > > So now, what can you suggest me so that flex-resp will be successful
on
> > > > killing connections let say for http?
> > > >
> > > > Thank you very much.
> > > >
> > > > Neil
> > > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>





More information about the Snort-users mailing list