[Snort-users] stream reassemble and dsize

Holger.Woehle at ...2701...
Tue Oct 1 00:39:14 EDT 2002


Hello,
I have a question about stream reassembling and dsize:
Am I right that dsize only looks in the current packet, not in the whole
reassembled stream?
Why I ask:
There is an exploit in an older Apache called "Authorization: Basic", but this
problem applies to all attacks dealing
with such buffer overflows like "too long URL", "too long POST" and so on.

Sample attack:

#!/bin/sh
# request line, then the header name; $'...' quoting needs a bash-style shell
echo -n "GET / HTTP/1.0"
echo -n $'\n'"Authorization: Basic"
# pad the header value with 2048 "X" characters
count=0
fillin=2048
while [ "$count" -lt $fillin ]
do
     echo -n "X"
     let "count+=1"
done
# end of headers
echo -n $'\r'$'\n'$'\r'$'\n'

Piping this to netcat, snort recognises the attack with the standard rule in
web-misc.rules. This applies to snort-1.8 and snort-1.9.
Now the attacker sets his ethernet MTU to 100 (ifconfig eth0 mtu 100) and starts
the attack a second time.
Now snort, neither 1.8 nor 1.9 (the rule handling differs, see A+ versus the
flow:established keywords), detects the scan.
snort1.8 rule : alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC long basic authorization string"; flags:A+;
content:"Authorization\: Basic "; nocase; dsize:>1000; classtype:attempted-dos;
reference:bugtraq,3230; sid:1260;  rev:5;)
snort1.9 rule : alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC long basic authorization string"; flow:to_server,established;
content:"Authorization\: Basic "; nocase; dsize:>1000; classtype:attempted-dos;
reference:bugtraq,3230; sid:1260;  rev:5;)
I think this is why dsize only recognizes packets with dsize under 100 in that
case.
If I set the MTU to 1000, both snorts detect the scan.
I screwed around a little with stream4 parameters, but nothing helps.
How can I detect such an attack?

with regards
Holger
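The following is an added illustration (not from the original poster and not Snort code) of the point raised above: a rule that pairs a content match with dsize:>1000 can only fire when both conditions hold in one packet, so the same request split into small segments slips past it, while a check run on the reassembled stream that measures the header value itself still catches it. The request bytes, the segment sizes and the 1000-byte thresholds are constructed to mirror the post.

```python
"""Per-packet dsize versus a stream-level header-length check (added example)."""
import re

# Constructed: the request the post's shell script emits (2048 X's after "Basic").
REQUEST = b"GET / HTTP/1.0\nAuthorization: Basic" + b"X" * 2048 + b"\r\n\r\n"
# Constructed: an ordinary request with a short credential, for comparison.
BENIGN = b"GET / HTTP/1.0\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"


def segment(payload: bytes, mss: int) -> list[bytes]:
    """Cut one TCP payload into segments of at most `mss` bytes.

    A small MTU (mtu 100 in the post) gives a correspondingly small MSS,
    so the 2 KB header arrives spread over many small packets."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def per_packet_rule_hits(segments: list[bytes], min_dsize: int = 1000) -> bool:
    """Model of sid:1260 as written: the content match and dsize:>1000 are
    both evaluated against a single packet's payload, never across packets."""
    needle = re.compile(rb"Authorization: Basic", re.IGNORECASE)
    return any(needle.search(seg) and len(seg) > min_dsize for seg in segments)


def reassembled_header_hits(segments: list[bytes], max_auth_len: int = 1000) -> bool:
    """Stream-level check: rebuild the client's data, isolate the request
    headers and measure the Authorization value itself, independent of how
    the bytes were packetised.  In-order delivery is assumed (no loss or
    reordering is modelled here)."""
    stream = b"".join(segments)
    head, _, _ = stream.partition(b"\r\n\r\n")           # headers end at the blank line
    match = re.search(rb"^Authorization:\s*Basic\s*([^\r\n]*)", head,
                      re.IGNORECASE | re.MULTILINE)
    return match is not None and len(match.group(1)) > max_auth_len


if __name__ == "__main__":
    for mss in (1460, 100):
        segs = segment(REQUEST, mss)
        print(f"mss={mss:5d} segments={len(segs):3d} "
              f"per-packet rule={per_packet_rule_hits(segs)} "
              f"reassembled check={reassembled_header_hits(segs)}")
```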