lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4020F5DC.6020101@activesec.biz>
Date: Wed, 04 Feb 2004 10:38:36 -0300
From: Federico Petronio <petrus@...ivesec.biz>
To: bugtraq@...urityfocus.com
Subject: Re: Snort-inline


Federico Petronio wrote:

> I have snort-inline 2.0.1 installed. I change the rule 2077 acction to 
> drop.
> 
> Then I try to access, using Mozilla 1.5 and IE6.0, the URL:
> http://server_name/admin/fileman/upload.php?dir=
> 
> the snort-inline log start showing lines like this:
> 
> [**] [1:2077:2] WEB-PHP Mambo upload.php access [**]
> [Classification: access to a potentially vulnerable web application] 
> [Priority: 2]
> 01/13-18:31:06.944124 200.43.81.205:1586 -> 10.2.0.10:80 TCP TTL:117 
> TOS:0x0 ID:3095 IpLen:20 DgmLen:578 DF
> ***AP*** Seq: 0x45A19C2C Ack: 0x425899A4 Win: 0xFFFF TcpLen: 20
> [Xref => http://www.securityfocus.com/bid/6572]
> 
> 
> but after 5 minutes of that, the webserver finally got the query and 
> answed. That means that snort-inline let pass through the packet that 
> should drop. Can anyone check that? I try several time and got the same 
> result.
> 

I reported this some time ago, and was not just about rule 2077 failing, 
but about all rules having the same problem. I search a little more and 
sent a couple of mails to the snort-inline list and finally found 
(thanks to Pieter Claassen) that the problem was that I set stream4 
preprocessor in the config file but that preprocessor is currently not 
supported by snort-inline.

When I commented the lines about stream4 the problem disappeared.

Regards,
-- 
                                         Federico Petronio
                                         petrus@...ivesec.biz



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ