Bugtraq: Snort-inline

Snort-inline

From: Federico Petronio <fpetronio_at_petrus.agro.uba.ar>
Date: Tue, 13 Jan 2004 19:13:01 -0300

I have snort-inline 2.0.1 installed. I changed the rule 2077 action to drop.

Then I tried to access, using Mozilla 1.5 and IE6.0, the URL:
http://server_name/admin/fileman/upload.php?dir=

The snort-inline log started showing lines like this:

[**] [1:2077:2] WEB-PHP Mambo upload.php access [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2]
01/13-18:31:06.944124 200.43.81.205:1586 -> 10.2.0.10:80 TCP TTL:117
TOS:0x0 ID:3095 IpLen:20 DgmLen:578 DF
***AP*** Seq: 0x45A19C2C Ack: 0x425899A4 Win: 0xFFFF TcpLen: 20
[Xref => http://www.securityfocus.com/bid/6572]

but after 5 minutes of that, the webserver finally got the query and
answered. That means that snort-inline let through the packet that it
should drop. Can anyone check that? I tried several times and got the same
result.

-- 
                                         Federico Petronio
                                         fpetronio_at_petrus.agro.uba.ar
                                         Linux User #129974
---
There are only 10 types of people in the world:
               Those who understand binary and those who don't.
Received on Jan 13 2004
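
One way to examine an alert log like the one quoted above, as an added example that is not part of the original post: parse alerts in that layout and group them by flow and TCP sequence number, so repeated alerts for one retransmitted segment can be told apart from alerts for separate requests. The log text below is constructed (documentation addresses, made-up times), and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

HDR = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\]")           # [gid:sid:rev]
PKT = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)")
SEQ = re.compile(r"Seq: (0x[0-9A-Fa-f]+)")

# Constructed sample in the layout shown in the post: one segment alerted
# twice (same Seq), then a different segment from another source port.
SAMPLE = """\
[**] [1:2077:2] WEB-PHP Mambo upload.php access [**]
01/13-18:31:06.944124 192.0.2.10:1586 -> 198.51.100.20:80 TCP TTL:117
***AP*** Seq: 0x45A19C2C Ack: 0x425899A4 Win: 0xFFFF TcpLen: 20

[**] [1:2077:2] WEB-PHP Mambo upload.php access [**]
01/13-18:31:09.944124 192.0.2.10:1586 -> 198.51.100.20:80 TCP TTL:117
***AP*** Seq: 0x45A19C2C Ack: 0x425899A4 Win: 0xFFFF TcpLen: 20

[**] [1:2077:2] WEB-PHP Mambo upload.php access [**]
01/13-18:36:10.100000 192.0.2.10:1587 -> 198.51.100.20:80 TCP TTL:117
***AP*** Seq: 0x45B00000 Ack: 0x42600000 Win: 0xFFFF TcpLen: 20
"""

def parse_alerts(text):
    """Yield (sid, time, src, dst, seq) for each TCP alert in the log text."""
    sid = when = src = dst = None
    for line in text.splitlines():
        if m := HDR.search(line):
            sid, when = int(m.group(2)), None
        elif m := PKT.match(line):
            # The log carries no year; that is fine for deltas within one log.
            when = datetime.strptime(m.group(1), "%m/%d-%H:%M:%S.%f")
            src, dst = m.group(2), m.group(3)
        elif (m := SEQ.search(line)) and sid is not None and when is not None:
            yield sid, when, src, dst, int(m.group(1), 16)
            sid = None  # wait for the next alert header

def repeated_segments(text, sid):
    """Map (src, dst, seq) -> (alert count, seconds from first to last alert)."""
    seen = defaultdict(list)
    for s, when, src, dst, seq in parse_alerts(text):
        if s == sid:
            seen[(src, dst, seq)].append(when)
    return {k: (len(v), (max(v) - min(v)).total_seconds()) for k, v in seen.items()}

if __name__ == "__main__":
    for (src, dst, seq), (n, span) in repeated_segments(SAMPLE, 2077).items():
        print(f"{src} -> {dst} seq={seq:#010x}: {n} alert(s) over {span:.1f}s")
```
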