[Snort-users] Reset Counters
mkettler at ...4108...
Thu Jan 23 14:24:05 EST 2003
At 02:56 PM 1/23/2003 -0600, Bob McDowell wrote:
>Bring on the penalty drinks, but I need help.
Drink lots of water before bed and you shouldn't have too bad of a hangover :)
>True or False: 'USER overflow' rules are triggered by the same IP passing
>too many 'USER' commands from the same IP within a specified amount of time.
False. Snort rules cannot be time-based and must be a stateless
packet-match type deal. Thus neither these rules, nor any others, are based on any
type of "n events within n seconds" logic. Only preprocessors do that
kind of thing (e.g. spp_portscan).
>At first I thought this was how this worked. Testing certainly seemed to
>prove it out to be so. If this is the case, I need to allow more
>consecutive attempts before I send a 'resp' packet.
>In researching the rule (specifically the FTP USER overflow rule) I can't
>find anything that relates to my observation. From looking at the rule,
>it seems to examine the content of each packet - and not have anything to
>do with the number of tries.
Correct. The FTP USER overflow rule will trigger if more than 100 bytes of
data, containing the string "user", are sent before a response from the
server is generated. Because of the stream4 preprocessor, this data may
occur in multiple TCP data frames (i.e. multiple IP-layer packets), but
stream4 should flush whenever the server responds with your typical
"password required for user xxxxx" type deal. Someone more familiar with
the inner workings of stream4 may be able to confirm/deny this behavior.
Also, if you're running Snort prior to the current version (1.9.0), check the
release notes to see if any versions fixed bugs in stream4. I know there
have been several fixes to that preprocessor over time.
The idea here is to look for a buffer overflow attempt in the USER command,
which happens when someone sends something like:
user xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx<insert lots more x's,
followed by stack-smash style shell code>
Several old versions of FTP daemons had such overflows, and no user login
name I've ever seen has been over 80 characters :)
>Thus, confusion ensues.
Hope that explanation helps.
>Any help would be greatly appreciated. Also anything written more clearly
>than the 'How to Write..' that might explain this would be great. Maybe
>I'm just tired, but it is giving me a headache.
>Cox HealthPlans, LLC
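As an added illustration of the point made in the reply above (this is not Snort's code and not from the thread), the following Python emulates a stateless content rule evaluated over client data that a stream4-style reassembler flushes on each server response. It assumes the thresholds described above (more than 100 bytes containing "user") and that any server reply flushes the buffer; both are simplifications of the real preprocessor. It shows that many short, legitimate USER commands never fire the rule, while one oversized USER argument does, even when split across several packets.

```python
"""Emulation of a stateless Snort-style FTP USER overflow check.

Added example, not Snort's code. Assumptions (simplified from the thread):
the rule fires when the client-to-server data buffered since the last server
response is longer than 100 bytes and contains "user"; the emulated stream4
flushes that buffer whenever the server sends anything back.
"""

CLIENT, SERVER = "client", "server"
MAX_USER_BYTES = 100  # threshold described in the thread


def check_user_overflow(buf: bytes) -> bool:
    """Stateless rule check: no timing, no counting, just this buffer."""
    return len(buf) > MAX_USER_BYTES and b"user" in buf.lower()


def run_session(events):
    """Replay (direction, data) events; return the buffers that triggered.

    Client data accumulates until the server responds, mimicking stream4
    flushing on the reply; each flushed buffer is evaluated by the rule.
    """
    alerts, pending = [], b""
    for direction, data in events:
        if direction == CLIENT:
            pending += data
        else:  # a server reply flushes the reassembled client buffer
            if check_user_overflow(pending):
                alerts.append(pending)
            pending = b""
    if check_user_overflow(pending):  # data still pending at session end
        alerts.append(pending)
    return alerts


def many_short_logins(n):
    """Constructed sample: n legitimate USER attempts, each answered."""
    events = []
    for i in range(n):
        events.append((CLIENT, b"USER bob%d\r\n" % i))
        events.append((SERVER, b"331 Password required for bob%d.\r\n" % i))
    return events


def one_long_login():
    """Constructed sample: one oversized USER argument (only x's), split
    across two client packets before the server answers."""
    return [(CLIENT, b"USER " + b"x" * 150),
            (CLIENT, b"x" * 50 + b"\r\n"),
            (SERVER, b"530 Login incorrect.\r\n")]
```

Running `run_session(many_short_logins(50))` yields no alerts, whereas `run_session(one_long_login())` yields exactly one, regardless of how many attempts preceded it.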