[Snort-users] Reset Counters

Matt Kettler mkettler at ...4108...
Thu Jan 23 14:24:05 EST 2003

At 02:56 PM 1/23/2003 -0600, Bob McDowell wrote:

>Bring on the penalty drinks, but I need help.

Drink lots of water before bed and you shouldn't have too bad of a hangover :)

>True or False: 'USER overflow' rules are triggered by the same IP passing 
>too many 'USER' commands from the same IP within a specified amount of time.

False, snort rules cannot be time based and must be a stateless 
packet-match type deal. Thus these rules, nor any other, are based on any 
type of "n events within n seconds" type logic. Only preprocessors do that 
kind of thing (ie: spp_portscan).

>At first I thought this was how this worked.  Testing certainly seemed to 
>prove it out to be so.  If this is the case, I need to allow more 
>consecutive attempts before I sent a 'resp' packet.
>In researching the rule (specifically the FTP USER overflow rule) I can't 
>find anything that relates to my observation.  From looking at the rule, 
>it seems to examine the content of each packet - and not have anything to 
>do with the number of tries.

Correct, the FTP USER overflow rule will trigger if more than 100 bytes of 
data, containing the string "user", are sent before a response from the 
server is generated. Because of the stream4 preprocessor, this data may 
occur in multiple TCP data frames (ie: multiple IP layer packets), but 
stream4 should flush whenever the server responds with your typical 
"password required for user xxxxx" type deal. Someone more familiar with 
the inner workings of stream4 may be able to confirm/deny this behavior.

Also if your running snort prior to the current version (1.9.0), check the 
release notes to see if any versions fixed bugs in stream4. I know there 
have been several fixes to that preprocessor over time.

The idea here is to look for a buffer overflow attempt in the user command 
which happens when someone sends something like:

user xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx<insert lots more x's, 
followed by stack-smash style shell code>

Several old versions of FTP daemon had such overflows, and no user login 
name I've ever seen has been over 80 characters :)

>Thus, confusion ensues.

Hope that explanation helps

>Any help would be greatly appreciated.  Also anything written more clearly 
>than the 'How to Write..' that might explain this would be great.  Maybe 
>I'm just tired, but it is giving me a headache.
>Bob McDowell
>IS Specialist
>Cox HealthPlans, LLC

More information about the Snort-users mailing list