Re: sidestep

From: Brian (bmc_at_snort.org)
Date: 05/04/03

  • Next message: Judy Novak: "Re: sidestep"
    Date: Sun, 4 May 2003 13:08:10 -0400
    To: Jill Tovey <jill.tovey@bigbluedoor.com>
    
    

    On Tue, Apr 29, 2003 at 01:28:54PM +0100, Jill Tovey wrote:
    > [**] RPC portmap listing [**]
    > 04/29-12:57:58.607580 192.168.0.10:1471 -> 192.168.0.2:111
    > TCP TTL:128 TOS:0x0 ID:10424 IpLen:20 DgmLen:240 DF
    > ***AP*** Seq: 0x19B53290 Ack: 0xB60B1018 Win: 0x4470 TcpLen: 20
    > 80 00 00 28 00 00 00 00 00 00 00 00 00 00 00 02 ...(............
    > 00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00 ................
    > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    > 01 00 00 00 00 01 00 00 00 00 01 02 00 00 00 01 ................
    > 00 00 00 00 01 01 00 00 00 01 86 00 00 00 01 A0 ................
    > 00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00 ................
    > 00 00 01 02 00 00 00 01 00 00 00 00 01 00 00 00 ................
    > 00 01 00 00 00 00 01 04 00 00 00 01 00 00 00 00 ................
    > 01 00 00 00 00 01 00 00 00 00 01 00 00 00 00 01 ................
    > 00 00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 ................
    > 00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00 ................
    > 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00 00 ................
    > 00 01 00 80 00 00 01 00 ........
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    > Anyway, as you can see the packet data is very different, but the first
    > 44 bytes are the same, this is probably why snort is detecting the
    > attack.
    > So would anyone like to attempt an explanation as to how this tries to
    > evade snort?

    You are looking at the decoded version of the packet. Right now, the
    rpc decoder inside of snort decodes on top of the original packet
    instead of writing the decoded version into a temporary buffer.

    -brian

    -------------------------------------------------------------------------------
    Can you respond to attacks based on attack type, severity, source IP,
    destination IP, number of times attacked, or the time of day an attack
    occurs? No?
    No wonder why you're swamped with false positives!
    Download a free 15-day trial of Border Guard and watch your false
    positives disappear.

    http://www.securityfocus.com/StillSecure-focus-ids2
    -------------------------------------------------------------------------------


  • Next message: Judy Novak: "Re: sidestep"