[Snort-users] Help to run snort on linux machine

sri harsha harsha536 at ...11827...
Wed Apr 7 03:30:48 EDT 2010


Hi Again,

I tried using the default snort configuration file with snort version 2.8.5.1
and sent an attack using the snot tool with just one rule, as below, in my local
rule file:

./snort -r local.rules -d <des ip> -s <src ip>

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC format
string attempt"; flow:to_server,established; content:"SITE"; nocase;
content:"EXEC"; distance:0; nocase;
pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"; metadata:policy balanced-ips
drop, policy connectivity-ips drop, policy security-ips drop, service ftp;
reference:bugtraq,1387; reference:bugtraq,1505; classtype:bad-unknown;
sid:1971; rev:8;)

When just 1 packet was sent using snot, no attack was detected. With 50 and 500,
same result. But when I sent 5000 of the same packets I see the logs below in
the /var/log/snort/alert file.

[**] [1:2417:4] FTP format string attempt [**]
[Classification: A suspicious string was detected] [Priority: 3]
04/07-07:21:05.936540 76.0.0.10:44250 -> 4.4.4.10:21
TCP TTL:99 TOS:0x0 ID:45715 IpLen:20 DgmLen:274
1******F Seq: 0xAF06E880  Ack: 0x254D0D18  Win: 0x5CE3  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-2074][Xref =>
http://www.securityfocus.com/bid/9800]

What does this mean? I see multiple such logs. Does this mean an attack was
detected, or something else? Also, why does it start detecting only when I send
a huge number of packets (> 5000)?

Rgds,
Sriharsha


On Wed, Apr 7, 2010 at 11:45 AM, sri harsha <harsha536 at ...11827...> wrote:

> Thanks for the quick response.
>
> Does anybody know any tool which generates attack packets which are
> stateful in nature, which I can use to test snort? I mean, one that
> establishes the TCP connection and then sends attack packets?
>
> Sriharsha
>
> 2010/4/6 Edward Bjarte Fjellskål <edward.fjellskal at ...14590...>
>
>> sri harsha wrote:
>> > Hi All,
>> >
>> > I am using snort version 2.8.5.1 and trying to understand how it works.
>> > I posted the same query earlier but did not get enough response. I am
>> > simulating attack packets using a tool called snot. This tool generates
>> > attack packets which are basically stateless in nature. I mean it
>> > generates packets without a proper 3-way TCP handshake. But snort is not
>> > detecting those attacks.
>>
>> The attacks are not real... they would not have any effect in real life :)
>> I.e., how would an ftp attack that needs the user to log in etc. be
>> effective if there is just one stateless packet?
>>
>> Say your tool sends a "mkdir Evil-buffer-overflow" when your ftp server
>> does not handle that packet, cuz you need first to have a 3whs, a login
>> etc.
>>
>> >
>> > I am able to see UDP, ICMP packets getting detected but not TCP. I read
>> > the snort README and tried various options like require_3whs, detect
>> > anomalies etc. in the stream5 preprocessor with tcp_track set to yes, but
>> > no luck.
>> >
>> > One response I got was that the latest snort version doesn't detect
>> > stateless attacks and expects the end host's TCP stack to take care of
>> > it. But my concern is: what if the stack is not capable of handling such
>> > an attack? Is there any way we can tweak snort to detect such stateless
>> > attacks?
>>
>> You would have to rewrite the rules to not be state aware, I guess. Like in
>> the old days...
>>
>>
>>
>
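The stateful test traffic asked for in this thread, as an added example that is not from the original posts nor from the snot or Snort projects: a standard-library-only Python script (assumed helper names tcp_packet, ftp_session, verify and write_pcap) that writes a pcap holding a complete 3-way handshake, the server banner and then the FTP command, so that when the file is replayed with snort -r the stream5 preprocessor has already marked the session established and a rule using flow:to_server,established can match. The IP addresses and MAC addresses are constructed placeholders.

```python
import socket
import struct
SYN, ACK, PSH = 0x02, 0x10, 0x08

def checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum; 0 when data already carries its own checksum.
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b""):
    # Ethernet/IPv4/TCP frame with correct checksums: Snort verifies them by
    # default (see -k) and never runs rules against a packet that fails.
    sip, dip = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 0x50, flags, 65535, 0, 0) + payload
    pseudo = sip + dip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, sip, dip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + tcp

def verify(pkt: bytes) -> bool:
    # True if both the IPv4 and the TCP checksum of a tcp_packet() frame hold.
    ip, tcp = pkt[14:34], pkt[34:]
    return checksum(ip) == 0 and checksum(ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) == 0

def ftp_session(client, server, payload, cseq=1000, sseq=5000):
    # Handshake, banner, then the client command: stream5 already has the session
    # established when the payload arrives, so flow:to_server,established can match.
    banner = b"220 ftp ready\r\n"
    return [
        tcp_packet(client, server, 40000, 21, cseq, 0, SYN),
        tcp_packet(server, client, 21, 40000, sseq, cseq + 1, SYN | ACK),
        tcp_packet(client, server, 40000, 21, cseq + 1, sseq + 1, ACK),
        tcp_packet(server, client, 21, 40000, sseq + 1, cseq + 1, PSH | ACK, banner),
        tcp_packet(client, server, 40000, 21, cseq + 1, sseq + 1 + len(banner), PSH | ACK, payload),
    ]

def write_pcap(path, pkts, base_ts=1270625000):
    # Classic libpcap file, link type 1 (Ethernet), for: snort -r <path> -c snort.conf
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, p in enumerate(pkts):
            f.write(struct.pack("<IIII", base_ts + i, 0, len(p), len(p)) + p)

if __name__ == "__main__":
    # Constructed TEST-NET addresses; payload satisfies sid 1971's content and pcre.
    write_pcap("ftp_site_exec.pcap", ftp_session("192.0.2.10", "198.51.100.21", b"SITE EXEC %x %x\r\n"))
```

Replaying a pcap also makes the test repeatable, unlike sending live packets with snot, and a single data packet written without the first three frames gives a direct comparison of why the stateless case does not alert.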