Bugtraq mailing list archives

Re: Snort exploits


From: Dragos Ruiu <dr () kyx net>
Date: Wed, 17 Apr 2002 04:07:31 +0000

Heh, well... first... don't panic. :-)

First of all I would like to commend Dug on his responsible disclosure stance.
He has given the IDS vendors several months heads up that this stuff is in the 
pipe...  I think everyone who needed to know knew this was coming down the pipe,
so this is in _no_ way critical of him.

I was actually expecting him to release fragroute on the CanSecWest conference CD,
for his talk on it there and am preparing some appropriate counter measures for the 
variant of snort I was going to put on there.  Been kinda swamped with conference 
preparations so please do not ask me for any of this in advance of the conference.
Odds are now that this info has gone out snort cvs will have fixes for this
in a matter of hours or days...

The TCP evasions are fairly easily detectable as overlaps should not normally occur.
I'm sure Marty or Andrew will be releasing some tweaks to stream4 shortly to 
address this. It is just a matter of slightly more rigorous alerting and
an occasional little bit of extra noise.

Similarly the IP fragmentation detection just needs slightly more rigorous
overlap detection and alerting, as these overlaps will not be occurring in 
normal situations.  For now as a workaround you can just alert on small fragments
(resurrect minfrag... heh) which should be indicative of games being played.
Note that some of these overlaps were successful in snort 1.8.x because the
teardrop detection had a bug in it which was recently found and was only fixed 
again in snort 1.8.4.  The moral of the story is that it pays to keep your copy
of snort current. :-)

Basically all the chaffing at the IP and TCP level is detectable as those 
should not be normal conditions. Look to snort cvs over the next few days
for solutions to these issues...

To Dug:

As far as playing timing games in the future, well the solution for this and some
other problems will be target based reassembly which varies reassembly timing
and overlap behaviour based on destination to mimic host specifics.  And though
the current frag2 snort defragger features deterministic timeout behaviour
the earlier defrag reassembler had non-deterministic timeout behaviours on purpose
to specifically avoid timeout games and this kind of behaviour will likely be 
resurrected on future defraggers. I have had a defragger in the works for, oh, 
a long time... :)  that fixes this and some other issues. Guess Marty, I, and 
the other snort developers have to get off our lazy asses (since snort development 
proceeds so slowly :-) and fix that now.  Heh... I'm being sarcastic for those 
that didn't note.

The same logic and procedures can be applied at the TCP level as well as
at the IP fragmentation layer BTW.

To everyone else:

The game of evasion and countermeasures is the snake eating its tail and you 
shouldn't be naive and assume that there aren't other evasions out there because 
there are _always_ other obfuscations and countermeasures, and then detectors for 
those. That's why you pay us snort developers the big bucks, and you should keep
your ids builds current fairly often... to keep you safe from that. :-)

But using fairly loaded terms like "blindside" is just excessively alarmist imho.

cheers,
--dr


On Tue, 16 Apr 2002 20:07:12 -0700
0xcafebabe () hushmail com wrote:


I didn't see it posted to these lists, but yesterday Dug Song quietly released a tool on the focus-ids list which 
totally blindsides Snort - http://www.monkey.org/~dugsong/fragroute/index.html. His README.snort file contains 
several fragroute scripts which blindside even the current Snort version in CVS, tested on RedHat 7.2. For example, 
the latest wu-ftpd exploits run through the one line "tcp_seg 1 new" don't trigger any Snort alerts at all.
:( :(

Fragroute is a very powerful new tool. Has anyone found other attacks against Snort with it, or tried it against any 
other IDS for that matter?


-=+ 0xCafeBabe +=-




-- 
--dr                  pgpkey: http://dragos.com/dr-dursec.asc
      CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - http://cansecwest.com
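As an added illustration (not code from this thread, from Snort, or from fragroute), here is the overlap and small-fragment check the reply above describes, in Python: each new fragment or segment is compared against the byte ranges already seen, so an identical retransmission passes quietly while conflicting overlapping data or a tiny non-final piece raises an alert. The 256-byte minfrag threshold and the sample fragment trains are constructed assumptions.

```python
"""Flag fragment/segment trains that should not occur in normal traffic:
overlapping ranges whose data disagree, and tiny non-final pieces (minfrag)."""
from dataclasses import dataclass

MINFRAG_BYTES = 256  # assumed threshold; non-final pieces below this are suspicious


@dataclass
class Piece:
    offset: int          # byte offset within the datagram or stream
    data: bytes          # payload carried by this fragment/segment
    last: bool = False   # True for the final fragment (MF clear) or final segment


class OverlapMonitor:
    """Tracks accepted pieces and reports anomalies for each new one."""

    def __init__(self, minfrag: int = MINFRAG_BYTES):
        self.minfrag = minfrag
        self.seen: list[Piece] = []

    def add(self, p: Piece) -> list[str]:
        alerts = []
        start, end = p.offset, p.offset + len(p.data)
        if not p.last and len(p.data) < self.minfrag:
            alerts.append(f"minfrag: {len(p.data)}-byte non-final piece at offset {start}")
        for q in self.seen:
            qs, qe = q.offset, q.offset + len(q.data)
            lo, hi = max(start, qs), min(end, qe)   # half-open intersection
            if lo >= hi:
                continue
            # Identical overlapping bytes are an ordinary retransmission: no alert.
            if p.data[lo - start:hi - start] != q.data[lo - qs:hi - qs]:
                alerts.append(f"inconsistent overlap: [{lo},{hi}) differs from earlier piece")
        self.seen.append(p)
        return alerts


def check_train(pieces: list[Piece], minfrag: int = MINFRAG_BYTES) -> list[str]:
    """Run a whole train of pieces through the monitor and collect its alerts."""
    mon = OverlapMonitor(minfrag)
    alerts: list[str] = []
    for p in pieces:
        alerts.extend(mon.add(p))
    return alerts


# Constructed sample trains (not captured traffic).
NORMAL = [Piece(0, b"A" * 1480), Piece(1480, b"B" * 1480), Piece(2960, b"C" * 100, last=True)]
RETRANSMIT = [Piece(0, b"A" * 1480), Piece(0, b"A" * 1480), Piece(1480, b"D" * 300, last=True)]
EVASIVE = [Piece(0, b"X"), Piece(1, b"Y"), Piece(0, b"ZZ", last=True)]
```

The same function serves both the IP fragment and TCP segment cases; only the meaning of `offset` changes.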

