Bugtraq mailing list archives
Re: Snort exploits
From: Vern Paxson <vern () icir org>
Date: Wed, 17 Apr 2002 18:49:41 -0700
> First of all I would like to commend Dug on his responsible disclosure stance. He has given the IDS vendors several months heads up that this stuff is in the pipe...

(Months? My copy of fragrouter, which I got off the net, is more than two years old.)

> The TCP evasions are fairly easily detectable as overlaps should not normally occur.

See the Bro paper - Bro has detected this possible evasion for many years now, and in fact we do see overlaps operationally, and unfortunately they're just about always innocuous (busted TCPs, not attacks), so alerting on them has a high false positive ratio.

> Similarly the IP fragmentation detection just needs slightly more rigorous overlap detection and alerting, as these overlaps will not be occurring in normal situations.

Also discussed in the Bro paper - we do see these in practice, both innocuous and as evasion attempts.

> For now as a workaround you can just alert on small fragments (resurrect minfrag... heh) which should be indicative of games being played.

(same - you see tiny fragments for innocuous reasons, sigh)

> Basically all the chaffing at the IP and TCP level is detectable as those should not be normal conditions.

Per the above, this is unfortunately not true, if you're watching a large traffic stream. For small traffic streams (e.g., a hundred local hosts), yes, my experience has been that these don't normally occur.

Vern
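The overlap question the two posters disagree on, as an added editor's example (not code from the thread, from Bro or from Snort): a minimal stream tracker that logs every TCP segment overlap and separates consistent overlaps (same bytes, i.e. the ordinary retransmissions Vern calls innocuous) from inconsistent ones (bytes disagree), a narrower signal than "any overlap occurred". It assumes byte-level bookkeeping per direction and ignores sequence-number wraparound.

```python
"""Record TCP segment overlaps and tell consistent from inconsistent ones.

Editor's illustration, not code from the thread, Bro or Snort. Sequence
wraparound is ignored; when bytes conflict the first copy is kept."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Overlap:
    seq: int          # first sequence number that had already been seen
    length: int       # how many bytes of this segment were already held
    consistent: bool  # True if every repeated byte matched the earlier copy


@dataclass
class StreamTracker:
    data: dict[int, int] = field(default_factory=dict)   # seq -> byte
    overlaps: list[Overlap] = field(default_factory=list)

    def add_segment(self, seq: int, payload: bytes) -> Overlap | None:
        first, length, consistent = None, 0, True
        for i, b in enumerate(payload):
            s = seq + i
            if s in self.data:                 # byte already held: overlap
                first = s if first is None else first
                length += 1
                consistent = consistent and self.data[s] == b
            else:
                self.data[s] = b
        if first is None:
            return None                        # no overlap at all
        self.overlaps.append(Overlap(first, length, consistent))
        return self.overlaps[-1]


def summarize(segments: list[tuple[int, bytes]]) -> dict[str, int]:
    """Feed segments in arrival order; count each kind of overlap."""
    t = StreamTracker()
    for seq, payload in segments:
        t.add_segment(seq, payload)
    return {"consistent": sum(o.consistent for o in t.overlaps),
            "inconsistent": sum(not o.consistent for o in t.overlaps)}


# Constructed sample: a plain retransmission, then a segment whose bytes
# contradict what was already seen at sequence numbers 1014-1017 ("l HT").
SAMPLE = [(1000, b"GET /index"), (1000, b"GET /index"),
          (1010, b".html HTTP/1.0\r\n"), (1014, b"ZZZZ")]
```

Only the second kind of overlap is something the monitor cannot resolve on its own, since the end host decides which copy it keeps.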