[Snort-users] Problem with flow:established

Michael Schwartzkopff misch at ...3397...
Sat May 17 01:43:27 EDT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I tried to solve a hacking challenge and found the following tcp stream 
(please see attached tcpdump log).

I think the hacker exploited a SUN using the dtspcd bug (sid: 1398). I checked 
the capture with snort version 2.0.0 (Build 72), but got no alert or warning:
/usr/local/bin/snort -r mylog.log -c /etc/snort.conf

If I change the rule for sid 1398 and delete the "established" from the flow 
statement I get the correct warning. Can somebody please explain the 
strange behaviour to me? Thanks.

Sincerely,

- -- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+40 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP-ID: 15F925D9CEF94F2C
Fingerprint: AF27 2674 4631 E230 B431  F68D 15F9 25D9 CEF9 4F2C

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE+xfJWFfkl2c75TywRAp7uAJ9O5LiYgIvNYpfECPR0EFOjFjwOuQCePRlX
64uaBX1rm3Pb8jlTlN3nY10=
=KXDT
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mylog.log
Type: text/x-log
Size: 5288 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030517/ebb098b3/attachment.bin>
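Added example (not part of the message above and not Snort code): the `flow:established` keyword only matches once Snort's stream4 preprocessor has tracked the TCP session through its three-way handshake. A common reason a rule with `established` stays silent on a replayed capture is that the capture starts mid-stream (no SYN / SYN-ACK / ACK on file) or stream4 is not configured, so the payload is seen but the session is never flagged established; dropping `established` lets the content match fire on the payload alone. The script below reproduces that distinction offline: it builds two small libpcap files inline (constructed data, not the attached mylog.log), one with the handshake and one without, and a minimal tracker reports whether the payload to the service port arrived on an established session. The dtspcd port 6112 and all addresses are assumptions used only for the constructed frames.

```python
"""
Minimal pcap reader plus a TCP handshake tracker, mimicking the state a
handshake-tracking preprocessor (Snort's stream4) needs before a rule with
flow:established can match. All frames below are constructed inline.
"""
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08


def build_tcp_packet(src, dst, sport, dport, flags, payload=b""):
    """Return an Ethernet/IPv4/TCP frame with the given TCP flags (constructed test data)."""
    tcp_len = 20 + len(payload)
    ip_total = 20 + tcp_len
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    # sport, dport, seq, ack, data offset (5 words), flags, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a libpcap file (24-byte global header + 16-byte record headers)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield raw frames from libpcap-format bytes (little-endian headers)."""
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl]
        off += incl


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags, payload) or None if not IPv4/TCP."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IP protocol field
        return None
    ip_total = struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:14 + ip_total]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    flags = tcp[13]
    return src, dst, sport, dport, flags, tcp[doff:]


def payload_seen_established(pcap_bytes, dport):
    """
    Replay the capture the way a handshake-tracking preprocessor would.
    Returns (established, payload_packets): established is True only if
    SYN, SYN/ACK and ACK for the session were all observed before the
    first payload packet to dport.
    """
    state = {}  # normalised 4-tuple -> set of handshake stages seen
    payload_packets = 0
    established_at_payload = None
    for frame in iter_pcap(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, dst, sport, dp, flags, payload = pkt
        key = tuple(sorted([(src, sport), (dst, dp)]))  # both directions share one entry
        stages = state.setdefault(key, set())
        if flags & SYN and not flags & ACK:
            stages.add("syn")
        elif flags & SYN and flags & ACK:
            stages.add("synack")
        elif flags & ACK and {"syn", "synack"} <= stages:
            stages.add("ack")
        if payload and dp == dport:
            payload_packets += 1
            if established_at_payload is None:
                established_at_payload = {"syn", "synack", "ack"} <= stages
    return bool(established_at_payload), payload_packets


# Constructed session: assumed addresses, dtspcd's port 6112 assumed as the service port.
CLIENT, SERVER, DTSPCD_PORT = "10.0.0.5", "10.0.0.9", 6112
HANDSHAKE = [
    build_tcp_packet(CLIENT, SERVER, 40000, DTSPCD_PORT, SYN),
    build_tcp_packet(SERVER, CLIENT, DTSPCD_PORT, 40000, SYN | ACK),
    build_tcp_packet(CLIENT, SERVER, 40000, DTSPCD_PORT, ACK),
]
DATA = [build_tcp_packet(CLIENT, SERVER, 40000, DTSPCD_PORT, ACK | PSH, b"constructed payload")]
FULL_CAPTURE = build_pcap(HANDSHAKE + DATA)  # handshake on file: session established
MIDSTREAM_CAPTURE = build_pcap(DATA)         # capture starts after the handshake

if __name__ == "__main__":
    print("full capture:     ", payload_seen_established(FULL_CAPTURE, DTSPCD_PORT))
    print("midstream capture:", payload_seen_established(MIDSTREAM_CAPTURE, DTSPCD_PORT))
```

Both captures carry the same payload packet, so a content-only rule would match either; only the first is flagged established, which is the same distinction `flow:established` draws. Checking a capture for a complete handshake before the suspicious payload is a quick first step when a `flow:established` rule unexpectedly stays quiet on `snort -r`.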
