IDS mailing list archives
Re: sidestep
From: Brian <bmc () snort org>
Date: Sun, 4 May 2003 13:08:10 -0400
On Tue, Apr 29, 2003 at 01:28:54PM +0100, Jill Tovey wrote:
> [**] RPC portmap listing [**]
> 04/29-12:57:58.607580 192.168.0.10:1471 -> 192.168.0.2:111
> TCP TTL:128 TOS:0x0 ID:10424 IpLen:20 DgmLen:240 DF
> ***AP*** Seq: 0x19B53290  Ack: 0xB60B1018  Win: 0x4470  TcpLen: 20
> 80 00 00 28 00 00 00 00 00 00 00 00 00 00 00 02  ...(............
> 00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 01 00 00 00 00 01 00 00 00 00 01 02 00 00 00 01  ................
> 00 00 00 00 01 01 00 00 00 01 86 00 00 00 01 A0  ................
> 00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00  ................
> 00 00 01 02 00 00 00 01 00 00 00 00 01 00 00 00  ................
> 00 01 00 00 00 00 01 04 00 00 00 01 00 00 00 00  ................
> 01 00 00 00 00 01 00 00 00 00 01 00 00 00 00 01  ................
> 00 00 00 00 01 00 00 00 00 01 00 00 00 00 01 00  ................
> 00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00  ................
> 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00 00  ................
> 00 01 00 80 00 00 01 00                          ........
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> Anyway, as you can see the packet data is very different, but the first
> 44 bytes are the same; this is probably why snort is detecting the attack.
>
> So would anyone like to attempt an explanation as to how this tries to
> evade snort?
You are looking at the decoded version of the packet.

Right now, the rpc decoder inside of snort decodes on top of the original
packet instead of writing the decoded version into a temporary buffer.

-brian
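The following is an added example, not code from the thread or from Snort's source. It models what Brian describes: an RPC decoder that coalesces record fragments and writes the result back over the front of the packet it is inspecting. The 200-byte payload in the quoted alert is consistent with a single PMAPPROC_DUMP call (40 bytes of XDR plus a 4-byte record mark) sent as forty one-byte record fragments: the repeated `00 00 00 01` marks left behind after offset 44 are the original fragment headers. That one-byte fragment size is inferred from the dump, not stated in the thread, and `decode_in_place` and `is_portmap_dump` below are simplified stand-ins for the decoder and the "RPC portmap listing" rule rather than Snort's actual code.

```python
"""Model of the sidestep RPC fragmentation seen in the quoted alert and of a
decoder that normalizes in place. Added example, not the original poster's or
Snort's code."""
import struct

# ONC RPC record marking (RFC 1831): one 4-byte big-endian mark per fragment,
# high bit set on the last fragment, low 31 bits = fragment length.
LAST_FRAG = 0x80000000
PMAP_PROG, PMAP_VERS, PMAP_DUMP = 100000, 2, 4

# Payload bytes copied from the alert quoted above (TCP payload only, 200 bytes).
ALERT_PAYLOAD = bytes.fromhex("""
80 00 00 28 00 00 00 00 00 00 00 00 00 00 00 02
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01 00 00 00 00 01 00 00 00 00 01 02 00 00 00 01
00 00 00 00 01 01 00 00 00 01 86 00 00 00 01 A0
00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00
00 00 01 02 00 00 00 01 00 00 00 00 01 00 00 00
00 01 00 00 00 00 01 04 00 00 00 01 00 00 00 00
01 00 00 00 00 01 00 00 00 00 01 00 00 00 00 01
00 00 00 00 01 00 00 00 00 01 00 00 00 00 01 00
00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00
00 00 01 00 00 00 00 01 00 00 00 00 01 00 00 00
00 01 00 80 00 00 01 00
""")


def portmap_dump_call(xid=0):
    """XDR body of an RPC CALL to PMAPPROC_DUMP with AUTH_NULL credentials
    and verifier: 40 bytes, no record mark."""
    return struct.pack(">10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAP_DUMP, 0, 0, 0, 0)


def frame(body, frag_size=None):
    """Wrap body in record marks. frag_size=None gives one record; a small
    frag_size splits the body into many records (the sidestep-style evasion)."""
    if frag_size is None:
        frag_size = len(body)
    pieces = [body[i:i + frag_size] for i in range(0, len(body), frag_size)]
    out = bytearray()
    for n, piece in enumerate(pieces):
        flag = LAST_FRAG if n == len(pieces) - 1 else 0
        out += struct.pack(">I", flag | len(piece)) + piece
    return bytes(out)


def coalesce(payload):
    """Walk the record marks up to the last fragment and return
    (single-record form, bytes consumed). Raises on a truncated fragment."""
    off, body = 0, bytearray()
    while True:
        if off + 4 > len(payload):
            raise ValueError("record mark runs past end of payload")
        (mark,) = struct.unpack_from(">I", payload, off)
        length = mark & 0x7FFFFFFF
        off += 4
        if off + length > len(payload):
            raise ValueError("fragment runs past end of payload")
        body += payload[off:off + length]
        off += length
        if mark & LAST_FRAG:
            return struct.pack(">I", LAST_FRAG | len(body)) + bytes(body), off


def decode_in_place(payload):
    """Model of decoding on top of the original packet: the coalesced record
    is written over the front of the same buffer and nothing after it is
    truncated or cleared, so the original fragment bytes remain as residue."""
    buf = bytearray(payload)
    record, _consumed = coalesce(payload)
    buf[:len(record)] = record
    return bytes(buf)


def is_portmap_dump(payload):
    """Stand-in for the 'RPC portmap listing' check: program, version and
    procedure at their fixed offsets in a single-record CALL."""
    if len(payload) < 44:
        return False
    mark, _xid, msg_type, rpc_vers, prog, vers, proc = struct.unpack_from(">7I", payload, 0)
    return all([
        mark & LAST_FRAG,
        (mark & 0x7FFFFFFF) >= 40,
        msg_type == 0,
        rpc_vers == 2,
        prog == PMAP_PROG,
        vers == PMAP_VERS,
        proc == PMAP_DUMP,
    ])


if __name__ == "__main__":
    wire = frame(portmap_dump_call(), frag_size=1)  # 40 one-byte fragments
    print("raw wire payload matches rule:", is_portmap_dump(wire))
    print("in-place decode equals alert dump:", decode_in_place(wire) == ALERT_PAYLOAD)
    print("decode to new buffer matches rule:", is_portmap_dump(coalesce(wire)[0]))
```

Run stand-alone, the raw fragmented payload does not match the check (the fields sit behind forty record marks), while the in-place decode reproduces the quoted dump byte for byte: the first 44 bytes are the normalized call, which is what the rule matched, and everything after them is the untouched wire data. Decoding into a separate buffer, or at least handing the detection engine the consumed length, is the fix the second paragraph of Brian's reply points to.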
Current thread:
- Re: sidestep Jill Tovey (May 04)
- Re: sidestep Brian (May 06)
- <Possible follow-ups>
- Re: sidestep Randy Taylor (May 04)
- Re: sidestep Jill Tovey (May 04)
- Re: sidestep Randy Taylor (May 06)
- Re: sidestep Jill Tovey (May 04)
- RE: sidestep Golomb, Gary (May 04)
- RE: sidestep Jill Tovey (May 04)
- Re: sidestep Judy Novak (May 06)
- Re: sidestep Jill Tovey (May 06)
- Re: sidestep Martin Roesch (May 06)
- RE: sidestep Jill Tovey (May 04)
