Snort Forums Archive


How to log tcp packets exceeding a given size


Posted by snortdude76 on April 14, 2005 03:54:11

Hi, I'm trying to write a rule to detect the attack against the Goodtech Telnet Server. This program has a vulnerability in the administration web server, which runs on the default port 2380. If a very long string (10040 bytes) ended by two newline characters (\r\n\r\n) is sent to this server, a buffer overflow vulnerability occurs. The problem I'm having with Snort is that I'm not able to determine when the size of a packet exceeds a given value (10040 bytes in this case). I tried to set "dsize: >10039" in my rule but it doesn't work because tcp packets are fragmented according to the MTU value, which is 1260 bytes in my case. So every packet received by snort will always be 1260 bytes long and my rule will never be matched! Does anyone have any suggestions??? Thanks a lot. Bye

P.S. This is the rule I was thinking to use:
alert tcp any any -> any 2380 (msg:"GoodTech Buffer Overflow exploit Attack"; content:"|0d 0a 0d 0a|"; dsize:>10039;)
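The following is an added example, not part of the forum post and not Snort code. It models the detection problem the post describes: a per-segment payload-size test (what dsize evaluates) never sees a request that TCP has split into MTU-sized segments, whereas the same threshold applied to the reassembled flow does. In Snort that flow-level view is what the stream preprocessor's reassembly provides; this script reproduces the difference outside Snort so the behaviour can be checked. The flow key tuple, the function names and the sample traffic are all constructed for the example; the 10040-byte threshold, the 1260-byte segment size and the \r\n\r\n terminator come from the post.

```python
"""Flow-level size check for a CRLFCRLF-terminated request, versus a per-segment check.

Added example (not from the forum post or from Snort). The segments fed in below
are constructed; no real traffic is involved.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

REQUEST_THRESHOLD = 10040  # bytes (from the post): a request this long or longer is suspicious
SEGMENT_PAYLOAD = 1260     # bytes per TCP segment (the MTU the post mentions)
TERMINATOR = b"\r\n\r\n"   # end-of-request marker from the post

# Hypothetical flow key shape: (src ip, src port, dst ip, dst port)
FlowKey = Tuple[str, int, str, int]


def segment(data: bytes, size: int = SEGMENT_PAYLOAD) -> List[bytes]:
    """Split one request into MTU-sized payloads, as TCP would on the wire."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def per_packet_dsize_alerts(segments: List[bytes], threshold: int = REQUEST_THRESHOLD) -> bool:
    """Mimics 'dsize:>threshold-1' evaluated on each segment by itself."""
    return any(len(seg) > threshold - 1 for seg in segments)


class FlowReassembler:
    """Buffers payload per flow and applies the size rule to the rebuilt request."""

    def __init__(self, threshold: int = REQUEST_THRESHOLD, max_buffer: int = 4 * REQUEST_THRESHOLD):
        self.threshold = threshold
        self.max_buffer = max_buffer  # per-flow cap so an unterminated stream cannot grow unbounded
        self.buffers: Dict[FlowKey, bytearray] = defaultdict(bytearray)

    def feed(self, flow: FlowKey, payload: bytes) -> Optional[str]:
        """Append one segment; return an alert string once a complete oversized request is seen."""
        buf = self.buffers[flow]
        buf += payload
        alert = None
        # A flow may carry several requests; consume each complete one in turn.
        # The terminator may itself be split across segments, which the buffer handles.
        while True:
            end = buf.find(TERMINATOR)
            if end == -1:
                break
            request_len = end + len(TERMINATOR)
            if request_len >= self.threshold:
                alert = f"oversized request ({request_len} bytes) on flow {flow}"
            del buf[:request_len]
        # No terminator yet and the flow has outgrown the cap: discard it to bound memory.
        if len(buf) > self.max_buffer:
            del self.buffers[flow]
        return alert


def demo() -> Tuple[bool, Optional[str]]:
    """Constructed traffic: 10036 filler bytes plus CRLFCRLF = 10040 bytes, split at 1260."""
    request = b"A" * (REQUEST_THRESHOLD - len(TERMINATOR)) + TERMINATOR
    segments = segment(request)
    flow: FlowKey = ("192.0.2.10", 40000, "192.0.2.20", 2380)  # RFC 5737 documentation addresses
    reassembler = FlowReassembler()
    stream_alert = None
    for seg in segments:
        stream_alert = reassembler.feed(flow, seg) or stream_alert
    # Per-segment check: False (every segment is at most 1260 bytes); flow check: alert
    return per_packet_dsize_alerts(segments), stream_alert


if __name__ == "__main__":
    print(demo())
```

The per-flow buffer is cleared as each request completes and capped when no terminator arrives, so the reassembler's memory stays bounded even on a flow that never finishes a request.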