From: Will M. <wil...@gm...> - 2004-10-18 12:43:20
Did you try a side by side comparison of these rules in IDS and IPS mode? I
just came up with some nonsense that would trigger the WEB-IIS scripts rule.
It alerted just fine. Tell me what I'm missing here?

Regards,
Will

[**] WEB-IIS scripts access [**]
10/18-07:36:31.094500 10.1.11.234:2440 -> 10.1.10.250:80 TCP TTL:64 TOS:0x0 ID:10485 IpLen:20 DgmLen:172 DF
***AP*** Seq: 0x3E914225  Ack: 0xB8DE2194  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 33975060 0
47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C  GET /scripts/onl
69 6E 65 2E 64 6C 6C 3F 20 48 54 54 50 2F 31 2E  ine.dll? HTTP/1.
30 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 57  0..User-Agent: W
67 65 74 2F 31 2E 38 2E 32 0D 0A 48 6F 73 74 3A  get/1.8.2..Host:
20 63 65 6E 74 72 61 6C 2E 6B 63 2E 6C 61 6E 0D   central.kc.lan.
0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 6F  .Accept: */*..Co
6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41  nnection: Keep-A
6C 69 76 65 0D 0A 0D 0A                          live....

On Mon, 18 Oct 2004 08:27:06 +0200, Jochen Vogel <jv...@it...> wrote:
> the problem is that the payload exist but the tcp header is missing.
> see the IPS log example.
>
> > I'll assume you meant the ethernet header, in which case no it is not
> > currently possible, because iptables removes this information. You
> > are getting the tcp header information ;-)
> >
> > > im using snort_inline 2.1.3
> > > if i start IDS with -de i get the Ethernet Header, IP Header and the TCP
> > > Header.
> > > if i start IPS with -Qde i get only the IP Header
> > >
> > > is it possible to log the TCP Header in IPS mode?
> > >
> > > thx jo
> > >
> > > ----------------------------------------------------------------
> > > IPS
> > >
> > > [**] WEB-MISC /etc/passwd [**]
> > > 10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127
> > > TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
> > > ***AP*** Seq: 0x669EF8CC  Ack: 0x5D3677B5  Win: 0xFAF0  TcpLen: 20
> > > 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
> > > 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host:
> > > 31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A  195.245.50.252..
> > > 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
> > >
> > > -------------------------------------------------------------
> > > IDS
> > >
> > > [**] WEB-IIS scripts access [**]
> > > 10/15-11:16:53.955488 0:1:2:6:E6:E8 -> 0:8:21:B8:AB:23 type:0x800 len:0x1D1
> > > 195.245.50.253:18648 -> 205.188.248.25:80 TCP TTL:63 TOS:0x0 ID:46206
> > > IpLen:20 DgmLen:451 DF
> > > ***AP*** Seq: 0xEF7AEB2D  Ack: 0x6D6ECF21  Win: 0x2E  TcpLen: 32
> > > TCP Options (3) => NOP NOP TS: 12410822 1352915474
> > > 47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C  GET /scripts/onl
> > > 69 6E 65 2E 64 6C 6C 3F 69 63 71 3D 32 38 33 35  ine.dll?icq=2835
> > > 30 36 39 39 37 26 69 6D 67 3D 35 20 48 54 54 50  06997&img=5 HTTP
> > > 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 70 2E  /1.1..Host: wwp.
> > > 69 63 71 2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67  icq.com..User-Ag
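The side-by-side comparison Will asks for can be done mechanically on the alert text itself. The parser below is an added example, not code from snort_inline or from anyone in this thread; it reads the "full" alert format quoted above, reports which header lines a record carries (Ethernet, IP, TCP), decodes the hex dump, and checks the dump length against DgmLen - IpLen - TcpLen, which also flags a dump that was cut short when the mail was quoted. The two sample records are copied from the thread: Will's record and Jochen's IDS record. Run on them it shows that the record without the link-layer line still has its "***AP*** Seq: ... TcpLen:" TCP line, so only the Ethernet line is absent.

```python
"""Parse the 'full' alert records quoted in this thread and report which
header lines each one carries.  Added example, not snort_inline code; the
two sample records at the bottom are copied from the thread."""
import re
from dataclasses import dataclass
from typing import Optional

TS = r'\d\d/\d\d-\d\d:\d\d:\d\d\.\d+'              # 10/18-07:36:31.094500
MAC = r'[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5}'   # 0:1:2:6:E6:E8
IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'
ETH_RE = re.compile(rf'^{TS}\s+({MAC})\s+->\s+({MAC})\s+type:(0x[0-9A-Fa-f]+)\s+len:(0x[0-9A-Fa-f]+)')
IP_RE = re.compile(rf'^(?:{TS}\s+)?({IPV4}):(\d+)\s+->\s+({IPV4}):(\d+)\s+(\w+)\s+TTL:(\d+)')
TCP_RE = re.compile(r'^([12UAPRSF*]{8})\s+Seq:\s*(0x[0-9A-Fa-f]+)\s+Ack:\s*(0x[0-9A-Fa-f]+)'
                    r'\s+Win:\s*(0x[0-9A-Fa-f]+)\s+TcpLen:\s*(\d+)')
HEXPAIR_RE = re.compile(r'^[0-9A-F]{2}$')


@dataclass
class Alert:
    message: str
    ethernet: Optional[dict] = None   # only printed with -e on a pcap interface
    ip: Optional[dict] = None
    tcp: Optional[dict] = None
    tcp_options: Optional[str] = None
    ip_len: Optional[int] = None      # IpLen: (the IP line may wrap in mail)
    dgm_len: Optional[int] = None     # DgmLen: total IP datagram length
    payload: bytes = b''


def hex_row_bytes(line: str) -> bytes:
    """Bytes of one 'XX XX ... ascii' dump row, or b'' if it is not a row.
    Snort prints at most 16 bytes per row, so never read into the ASCII column."""
    out = bytearray()
    for tok in line.split()[:16]:
        if not HEXPAIR_RE.match(tok):
            break
        out.append(int(tok, 16))
    return bytes(out)


def parse_alert(text: str) -> Alert:
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = re.match(r'^\[\*\*\]\s*(.*?)\s*\[\*\*\]$', lines[0])
    if not m:
        raise ValueError('not a [**] message [**] alert header')
    a = Alert(message=m[1])
    for ln in lines[1:]:
        if (e := ETH_RE.match(ln)):
            a.ethernet = {'src_mac': e[1], 'dst_mac': e[2],
                          'ethertype': int(e[3], 16), 'frame_len': int(e[4], 16)}
        elif (i := IP_RE.match(ln)):
            a.ip = {'src': i[1], 'sport': int(i[2]), 'dst': i[3],
                    'dport': int(i[4]), 'proto': i[5], 'ttl': int(i[6])}
        elif (t := TCP_RE.match(ln)):
            a.tcp = {'flags': t[1].replace('*', ''), 'seq': int(t[2], 16),
                     'ack': int(t[3], 16), 'win': int(t[4], 16), 'tcplen': int(t[5])}
        elif ln.startswith('TCP Options'):
            a.tcp_options = ln
        else:  # a hex dump row, or a wrapped IP-header continuation (yields b'')
            a.payload += hex_row_bytes(ln)
        if (n := re.search(r'IpLen:(\d+)', ln)):
            a.ip_len = int(n[1])
        if (n := re.search(r'DgmLen:(\d+)', ln)):
            a.dgm_len = int(n[1])
    return a


def missing_layers(a: Alert) -> list:
    """Header lines the record does not carry, e.g. ['ethernet'] for a -Q record."""
    return [n for n, v in (('ethernet', a.ethernet), ('ip', a.ip), ('tcp', a.tcp)) if v is None]


def payload_complete(a: Alert) -> Optional[bool]:
    """True when DgmLen - IpLen - TcpLen == len(payload); None if a field is absent."""
    if a.tcp is None or a.ip_len is None or a.dgm_len is None:
        return None
    return a.dgm_len - a.ip_len - a.tcp['tcplen'] == len(a.payload)


# Will's record from the thread: no Ethernet line, IP and TCP lines present.
WILL_ALERT = """\
[**] WEB-IIS scripts access [**]
10/18-07:36:31.094500 10.1.11.234:2440 -> 10.1.10.250:80 TCP TTL:64 TOS:0x0 ID:10485 IpLen:20 DgmLen:172 DF
***AP*** Seq: 0x3E914225  Ack: 0xB8DE2194  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 33975060 0
47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C  GET /scripts/onl
69 6E 65 2E 64 6C 6C 3F 20 48 54 54 50 2F 31 2E  ine.dll? HTTP/1.
30 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 57  0..User-Agent: W
67 65 74 2F 31 2E 38 2E 32 0D 0A 48 6F 73 74 3A  get/1.8.2..Host:
20 63 65 6E 74 72 61 6C 2E 6B 63 2E 6C 61 6E 0D   central.kc.lan.
0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 6F  .Accept: */*..Co
6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41  nnection: Keep-A
6C 69 76 65 0D 0A 0D 0A                          live....
"""

# Jochen's IDS record (-de on a pcap interface): Ethernet line present, IP line
# wrapped by the mailer, hex dump cut short in the quote (only 2 rows kept here).
IDS_ALERT = """\
[**] WEB-IIS scripts access [**]
10/15-11:16:53.955488 0:1:2:6:E6:E8 -> 0:8:21:B8:AB:23 type:0x800 len:0x1D1
195.245.50.253:18648 -> 205.188.248.25:80 TCP TTL:63 TOS:0x0 ID:46206
IpLen:20 DgmLen:451 DF
***AP*** Seq: 0xEF7AEB2D Ack: 0x6D6ECF21 Win: 0x2E TcpLen: 32
47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C  GET /scripts/onl
69 6E 65 2E 64 6C 6C 3F 69 63 71 3D 32 38 33 35  ine.dll?icq=2835
"""
```

`parse_alert(WILL_ALERT)` yields `missing_layers == ['ethernet']` with a TCP line (flags AP, TcpLen 32) and a 120-byte payload that matches DgmLen 172 - IpLen 20 - TcpLen 32, so the dump is complete; `parse_alert(IDS_ALERT)` has all three layers, its frame length 0x1D1 is exactly DgmLen + 14 bytes of Ethernet framing, and `payload_complete` returns False because the quoted dump stops early. The row decoder stops at 16 hex pairs and at the first non-hex token, which keeps it from reading the ASCII column; a wrapped header line that begins with a keyword such as `IpLen:` decodes to nothing, which is why the length fields are picked up by a separate search.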