[Snort-users] Snort+flexresp

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Thu Mar 28 20:45:03 EST 2002


What I meant is, if you look at your rule below, you are looking for the
content of "anonymous", but you don't have the nocase keyword entered in
your rule. So if your FTP client had "anonymous" appear as "Anonymous" or
"ANONYMOUS", then your rule would fail. In other words, I always try to use
the nocase option, especially when a rule is not working as I expect, but
nocase makes it foolproof and helps me rule out the content as being the
problem....

-----Original Message-----
From: Onie Camara
To: Sheahan, Paul (PCLN-NW); 'Bamm Visscher'
Cc: snort-users at lists.sourceforge.net
Sent: 3/28/02 8:27 PM
Subject: Re: [Snort-users] Snort+flexresp

Hi Paul,

Are you talking about the string "anonymous" and snort's case sensitivity?
If so, I wasn't using the anonymous string in uppercase. I am very sure of
that.

Or I misunderstood your post?

Thanks.

----- Original Message -----
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan at ...2218...>
To: "'Bamm Visscher'" <bamm at ...539...>; "Onie Camara" <neil at ...4898...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, March 28, 2002 7:13 PM
Subject: RE: [Snort-users] Snort+flexresp


> Neil,
>
> I would stick the "nocase" option in your rule in case "anonymous" appears
> in upper or mixed case. That has solved a few similar problems for me....
>
>
>
> Paul Sheahan
> Manager of Information Security
> Priceline.com
> paul.sheahan at ...2218...
>
>
>
> -----Original Message-----
> From: Bamm Visscher [mailto:bamm at ...539...]
> Sent: Thursday, March 28, 2002 7:04 PM
> To: Onie Camara
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort+flexresp
>
>
> Neil,
>
> Try logging all the packets associated with your session and look to see
> that there are RESETs being sent. It should work.
>
> Bammkkkk
>
> On Thu, 2002-03-28 at 09:50, Onie Camara wrote:
> > Ok. I created a rule.
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP access from
> > anonymous"; flags:!R ; resp:rst_all;content:"anonymous";
> > classtype:not-suspicious; sid:1717; rev:2;)
> >
> > And here is the log:
> >
> > [**] [1:1717:2] FTP access from anonymous [**]
> > [Classification: Not Suspicious Traffic] [Priority: 3]
> > 03/28-09:45:49.271952 192.168.0.112:1062 -> 129.128.5.191:21
> > TCP TTL:64 TOS:0x10 ID:60673 IpLen:20 DgmLen:68 DF
> > ***AP*** Seq: 0xF518481  Ack: 0x678EB95E  Win: 0x8218  TcpLen: 32
> > TCP Options (3) => NOP NOP TS: 11758512 213343883
> >
> > You mentioned that flex-resp is friendly to ssh, ftp, etc. How come my
> > session wasn't killed by my rule?
> >
> > What's wrong with my rule? I even tried it with flags: A+, still didn't
> > work. But I still admit that I am not good on those flags.
> >
> > Thank you.
> >
> >
> > ----- Original Message -----
> > From: "Bamm Visscher" <bamm at ...539...>
> > To: "Ronneil Camara" <ronneilc at ...4042...>
> > Cc: <snort-users at lists.sourceforge.net>
> > Sent: Wednesday, March 27, 2002 7:06 AM
> > Subject: RE: [Snort-users] Snort+flexresp
> >
> >
> > > Neil,
> > >
> > > There is no way to force flex-resp to be successful against HTTP. Most
> > > of the time, the source of an HTTP connection sends five packets. Two
> > > for establishing the session (syn then ack), and two to tear down the
> > > session (fin/ack and ack). Plus one that contains the GET/POST/etc
> > > request (usually a push/ack). It is impossible for flex-resp to kill
> > > this session before the dest gets the GET/POST/etc, and thus it is
> > > impossible to create a rule to prevent the server from processing the
> > > GET/POST/etc request. If for some reason, the GET/POST/etc contains so
> > > much data that it is spread across multiple packets, then you may have a
> > > slim chance at killing the session before the dest processes the request
> > > (may the network lag be with you).
> > >
> > > The dest is going to send as many packets as it takes to return the info
> > > requested, but killing the connection at that time is almost pointless
> > > since the server has already processed the perp's request/command. At
> > > best you might prevent the perp from seeing all the results of a
> > > directory listing.
> > >
> > > BTW, this is not a snort specific problem. It affects every IDS using
> > > tcp-resets to kill connections.
> > >
> > > Bammkkkk
> > >
> > >
> > > On Wed, 2002-03-27 at 00:36, Ronneil Camara wrote:
> > > > Hi Bamm,
> > > >
> > > > I was impressed by how you answered every post on this thread.
> > > > So now, what can you suggest so that flex-resp will be successful on
> > > > killing connections, let's say for http?
> > > >
> > > > Thank you very much.
> > > >
> > > > Neil
> > > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users