[Snort-users] Snort+flexresp

Onie Camara neil at ...4898...
Thu Mar 28 20:50:02 EST 2002


Ok. I do understand your point. But again, I am still on the testing stage.
I am the only one that does ftp testing.
And I know if I am using uppercase or lowercase.
In this case, I am 100% sure that I am using a lowercase "anonymous" string.

In the future, I will use nocase. :-)

----- Original Message -----
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan at ...2218...>
To: "'Onie Camara '" <neil at ...4898...>; "Sheahan, Paul (PCLN-NW)"
<Paul.Sheahan at ...2218...>; "''Bamm Visscher' '" <bamm at ...539...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, March 28, 2002 10:44 PM
Subject: RE: [Snort-users] Snort+flexresp


> What I meant is, if you look at your rule below, you are looking for the
> content of "anonymous", but you don't have the nocase keyword entered in
> your rule. So if your FTP client had "anonymous" appear as "Anonymous" or
> "ANONYMOUS", then your rule would fail. In other words, I always try and
use
> the nocase option, especially when a rule is not working as I expect, but
> nocase makes it fool-proof and helps me rule out the content as being the
> problem....
>
> -----Original Message-----
> From: Onie Camara
> To: Sheahan, Paul (PCLN-NW); 'Bamm Visscher'
> Cc: snort-users at lists.sourceforge.net
> Sent: 3/28/02 8:27 PM
> Subject: Re: [Snort-users] Snort+flexresp
>
> Hi Paul,
>
> Are you talking about the string "anonymous" and snort's case
> sensitivity?
> If so, I wasn't using the anonymous string in uppercase. I am very sure
> of
> that.
>
> Or I misunderstood your post?
>
> Thanks.
>
> ----- Original Message -----
> From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan at ...2218...>
> To: "'Bamm Visscher'" <bamm at ...539...>; "Onie Camara"
> <neil at ...4898...>
> Cc: <snort-users at lists.sourceforge.net>
> Sent: Thursday, March 28, 2002 7:13 PM
> Subject: RE: [Snort-users] Snort+flexresp
>
>
> > Neil,
> >
> > I would stick the "nocase" option in your rule in case "anonymous"
> appears
> > in upper or mixed case. That has solved a few similar problems for
> me....
> >
> >
> >
> > Paul Sheahan
> > Manager of Information Security
> > Priceline.com
> > paul.sheahan at ...2218...
> >
> >
> >
> > -----Original Message-----
> > From: Bamm Visscher [mailto:bamm at ...539...]
> > Sent: Thursday, March 28, 2002 7:04 PM
> > To: Onie Camara
> > Cc: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] Snort+flexresp
> >
> >
> > Neil,
> >
> > Try logging all the packets associated with your session and look to
> see
> > that there are RESETs being sent. It should work.
> >
> > Bammkkkk
> >
> > On Thu, 2002-03-28 at 09:50, Onie Camara wrote:
> > > Ok. I created a rule.
> > >
> > > alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP access from
> > > anonymous"; flags:!R ; resp:rst_all;content:"anonymous";
> > > classtype:not-suspicious; sid:1717; rev:2;)
> > >
> > > And here is the log:
> > >
> > > [**] [1:1717:2] FTP access from anonymous [**]
> > > [Classification: Not Suspicious Traffic] [Priority: 3]
> > > 03/28-09:45:49.271952 192.168.0.112:1062 -> 129.128.5.191:21
> > > TCP TTL:64 TOS:0x10 ID:60673 IpLen:20 DgmLen:68 DF
> > > ***AP*** Seq: 0xF518481  Ack: 0x678EB95E  Win: 0x8218  TcpLen: 32
> > > TCP Options (3) => NOP NOP TS: 11758512 213343883
> > >
> > > You mentioned that flex-resp is friendly to ssh, ftp, .etc. How come
> my
> > > session
> > > wasn't kill by my rule?
> > >
> > > What's wrong with my rule? I even tried it with flags: A+, still
> didn't
> > > work.
> > > But I still admin that I am not good on those flags.
> > >
> > > Thank you.
> > >
> > >
> > > ----- Original Message -----
> > > From: "Bamm Visscher" <bamm at ...539...>
> > > To: "Ronneil Camara" <ronneilc at ...4042...>
> > > Cc: <snort-users at lists.sourceforge.net>
> > > Sent: Wednesday, March 27, 2002 7:06 AM
> > > Subject: RE: [Snort-users] Snort+flexresp
> > >
> > >
> > > > Neil,
> > > >
> > > > There is no way to force flex-resp to be successful against HTTP.
> Most
> > > > of the time, the source of an HTTP connection sends five packets.
> Two
> > > > for establishing the session (syn then ack), and two to tear down
> the
> > > > session (fin/ack and ack). Plus one that contains the GET/POST/etc
> > > > request (usually a push/ack). It is impossible for flex-resp to
> kill
> > > > this session before the dest gets the GET/POST/etc, and thus it is
> > > > impossible to create a rule to prevent the server from processing
> the
> > > > GET/POST/etc request. If for some reason, the GET/POST/etc
> contains so
> > > > much data that it is spread across multiple packets, then you may
> have
> a
> > > > slim chance at killing the session before the dest processes the
> request
> > > > (may the network lag be with you).
> > > >
> > > > The dest is going to send as many packets as it takes to return
> the
> info
> > > > requested, but killing the connection at that time is almost
> pointless
> > > > since the server has already processed the perps request/command.
> At
> > > > best you might prevent the perp from seeing all the results of a
> > > > directory listing.
> > > >
> > > > BTW, this is not a snort specific problem. It affect every IDS
> using
> > > > tcp-resets to kill connections.
> > > >
> > > > Bammkkkk
> > > >
> > > >
> > > > On Wed, 2002-03-27 at 00:36, Ronneil Camara wrote:
> > > > > Hi Bamm,
> > > > >
> > > > > I got impressed on how you answered your every post on this
> thread.
> > > > > So now, what can you suggest me so that flex-resp will be
> successful
> > on
> > > > > killing connections let say for http?
> > > > >
> > > > > Thank you very much.
> > > > >
> > > > > Neil
> > > > >
> > > >
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list