Bugtraq mailing list archives
Re: Snort exploits
From: Dragos Ruiu <dr () kyx net>
Date: Wed, 17 Apr 2002 04:07:31 +0000
Heh, well... first... don't panic. :-)

First of all I would like to commend Dug on his responsible disclosure stance. He has given the IDS vendors several months' heads up that this stuff is in the pipe... I think everyone who needed to know knew this was coming down the pipe, so this is in _no_ way critical of him. I was actually expecting him to release fragroute on the CanSecWest conference CD, for his talk on it there, and am preparing some appropriate countermeasures for the variant of snort I was going to put on there. Been kinda swamped with conference preparations, so please do not ask me for any of this in advance of the conference. Odds are, now that this info has gone out, snort cvs will have fixes for this in a matter of hours or days...

The TCP evasions are fairly easily detectable, as overlaps should not normally occur. I'm sure Marty or Andrew will be releasing some tweaks to stream4 shortly to address this. It is just a matter of slightly more rigorous alerting and an occasional little bit of extra noise.

Similarly, the IP fragmentation detection just needs slightly more rigorous overlap detection and alerting, as these overlaps will not be occurring in normal situations. For now, as a workaround, you can just alert on small fragments (resurrect minfrag... heh), which should be indicative of games being played. Note that some of these overlaps were successful in snort 1.8.x because the teardrop detection had a bug in it which was recently found and was only fixed again in snort 1.8.4. The moral of the story is that it pays to keep your copy of snort current. :-)

Basically all the chaffing at the IP and TCP level is detectable, as those should not be normal conditions. Look to snort cvs over the next few days for solutions to these issues...
To Dug: As far as playing timing games in the future, well, the solution for this and some other problems will be target-based reassembly, which varies reassembly timing and overlap behaviour based on destination to mimic host specifics. And though the current frag2 snort defragger features deterministic timeout behaviour, the earlier defrag reassembler had non-deterministic timeout behaviours on purpose, to specifically avoid timeout games, and this kind of behaviour will likely be resurrected in future defraggers. I have had a defragger in the works for, oh, a long time... :) that fixes this and some other issues. Guess Marty, I, and the other snort developers have to get off our lazy asses (since snort development proceeds so slowly :-) and fix that now. Heh... I'm being sarcastic, for those that didn't note. The same logic and procedures can be applied at the TCP level as well as at the IP fragmentation layer, BTW.

To everyone else: The game of evasion and countermeasures is the snake eating its tail, and you shouldn't be naive and assume that there aren't other evasions out there, because there are _always_ other obfuscations and countermeasures, and then detectors for those. That's why you pay us snort developers the big bucks, and you should keep your ids builds current fairly often... to keep you safe from that. :-) But using fairly loaded terms like "blindside" is just excessively alarmist imho.

cheers,
--dr

On Tue, 16 Apr 2002 20:07:12 -0700 0xcafebabe () hushmail com wrote:
I didn't see it posted to these lists, but yesterday Dug Song quietly released a tool on the focus-ids list which totally blindsides Snort - http://www.monkey.org/~dugsong/fragroute/index.html. His README.snort file contains several fragroute scripts which blindside even the current Snort version in CVS, tested on RedHat 7.2. For example, the latest wu-ftpd exploits run through the one line "tcp_seg 1 new" don't trigger any Snort alerts at all. :( :(

Fragroute is a very powerful new tool. Has anyone found other attacks against Snort with it, or tried it against any other IDS for that matter?

-=+ 0xCafeBabe +=-
-- --dr pgpkey: http://dragos.com/dr-dursec.asc CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - http://cansecwest.com
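The workaround Dragos describes above (alert on overlapping data, which should not normally occur, and on small fragments in the spirit of minfrag) as an added illustration written for this page, not Snort's own stream4/frag2 code. The names Segment, FlowState and SMALL_FRAG_BYTES, the threshold value, and the sample segments are this example's own assumptions.

```python
# Added example (not Snort code): a toy per-flow tracker raising the two alerts
# suggested as a workaround above, overlapping data and small fragments/segments.
from dataclasses import dataclass, field

SMALL_FRAG_BYTES = 64  # assumed threshold, in the spirit of the old minfrag check

@dataclass
class Segment:
    offset: int         # relative TCP sequence number or IP fragment offset
    data: bytes
    last: bool = False  # final piece (FIN / no more fragments): small size is normal

@dataclass
class FlowState:
    seen: dict = field(default_factory=dict)   # offset -> first byte seen there
    alerts: list = field(default_factory=list)

def inspect(flow: FlowState, seg: Segment) -> list:
    """Record seg and return the alerts it triggered.
    Identical-data overlap is a plain OVERLAP (benign retransmissions look like
    this: the "extra noise"); overlap with differing bytes is the evasion signal,
    CONFLICTING_OVERLAP. Small non-final pieces raise SMALL_FRAGMENT."""
    raised, overlapping, conflicting = [], 0, 0
    for i, b in enumerate(seg.data):
        off = seg.offset + i
        if off in flow.seen:
            overlapping += 1
            conflicting += int(flow.seen[off] != b)  # first-seen byte is kept
        else:
            flow.seen[off] = b
    if conflicting:
        raised.append(("CONFLICTING_OVERLAP", seg.offset, conflicting))
    elif overlapping:
        raised.append(("OVERLAP", seg.offset, overlapping))
    if not seg.last and len(seg.data) < SMALL_FRAG_BYTES:
        raised.append(("SMALL_FRAGMENT", seg.offset, len(seg.data)))
    flow.alerts.extend(raised)
    return raised

def demo() -> list:
    """Constructed sample: normal segment, clean retransmit, chaffed 1-byte run, conflict."""
    flow = FlowState()
    inspect(flow, Segment(0, b"A" * 100))           # no alert
    inspect(flow, Segment(0, b"A" * 100))           # OVERLAP (identical data)
    for i, b in enumerate(b"USER"):                 # SMALL_FRAGMENT each
        inspect(flow, Segment(100 + i, bytes([b])))
    inspect(flow, Segment(102, b"XY", last=True))   # CONFLICTING_OVERLAP
    return flow.alerts
```

A real reassembler would key FlowState by 5-tuple (or by IP id for fragments) and would expire state, which this toy omits.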