Dailydave mailing list archives

Re: The Hydrogen hundred dollar challenge


From: "Neil" <ndesai01 () tampabay rr com>
Date: Tue, 12 Apr 2005 20:47:39 -0400

I don't think that it is possible to find Hydrogen with snort.

1. Since the packets that we need to trigger off of are less than or equal
to 4 bytes snort does not look at them. See your email thread with Marty for
more info:
http://archives.neohapsis.com/archives/sf/ids/2005-q1/0074.html. Even though
this is not MSRPC fragmentation I think that the guidelines still apply.

2. Since Hydrogen does not use a static port we can't add it to the stream4
preprocessor without a severe impact to performance in a production
environment. Currently only the most used ports ("default" will turn
on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111 and 513) are
handled by stream4. If you used a static port then you could add it to
stream4 and have your way with it.

Just for kicks, why don't you use a random size in the initial packets and
have the valuable info somewhere in there. It would make it just a bit harder
to detect.


Neil

----- Original Message ----- 
From: "Dave Aitel" <dave () immunitysec com>
To: "Brian" <bmc () snort org>
Cc: "dailydave" <dailydave () lists immunitysec com>
Sent: Tuesday, April 12, 2005 12:01 PM
Subject: Re: [Dailydave] The Hydrogen hundred dollar challenge


Brian wrote:

On Mon, Apr 11, 2005 at 11:49:15PM -0400, Dave Aitel wrote:


 Anyways, I will give $100 dollars to the first person
who posts a snort or nfr  signature that can detect my private
(slightly modded) version of Hydrogen. (i.e. make it reasonably
generic, and let's not have it false-positive every time I browse
the web). The idea here is to show that everything doesn't have to
be spoon-fed to you Gerber-style.



Does my 30 second grep of your code get me a beer?

On a valid tcp session:

if (first packet from client 4 bytes in length, store that as A)
and if (next packet from client, A bytes in length)
and if (first packet from server, 4 bytes in length, store that as B)
and if (next packet from server, B bytes in length)

   Say "Hi dave!"

Brian


If you can cut that into a snort sig that I can test then I'd certainly
pony up one 100 dollar beer :>. There might be a lot of protocols that
do this sort of thing - like BO2K, H doesn't have a default port. Also,
TCP isn't packet based...so I'd want to test to make sure Hydrogen
really does send packets that big all at once. I usually assume a 512
MTU, since that's what I use when I'm hacking. :>

-0dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave

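Editor's note: the script below is an added illustration of the detection rule argued over in this thread, not code from the thread, from Snort, or from Hydrogen itself. It applies Brian's four-condition rule (4-byte length A from the client, then A bytes; 4-byte length B from the server, then B bytes) in two ways: literally per TCP segment, and over the reassembled per-direction byte stream, which is what Dave's "TCP isn't packet based" objection and his 512-byte MTU habit call for. Everything about the wire format that the thread does not state is an assumption and is marked as such: the byte order of the length field (the code tries little- and big-endian), the sanity bound on message length used to cut false positives, and the sample sessions, including the plain HTTP exchange standing in for "every time I browse the web".

```python
"""Packet-level vs stream-level check for the Hydrogen handshake heuristic.

Added example, not the thread's or Hydrogen's own code.
"""
import struct
from typing import List, Optional, Tuple

Segment = Tuple[str, bytes]   # ("c" = client->server, "s" = server->client), TCP payload

# ASSUMPTIONS not stated in the thread: the 4-byte length may be little- or
# big-endian, and a sane message length is bounded.  The bound is what keeps
# text protocols (whose first four bytes decode to a huge integer) from matching.
LENGTH_ORDERS = ("little", "big")
MAX_MSG = 64 * 1024


def _prefix_len(header: bytes) -> int:
    """Return the first plausible length encoded in a 4-byte header, or -1."""
    for order in LENGTH_ORDERS:
        n = int.from_bytes(header, order)
        if 0 < n <= MAX_MSG:
            return n
    return -1


def packet_level_match(segments: List[Segment]) -> bool:
    """Brian's rule applied literally to individual TCP segments: first segment
    is exactly 4 bytes (length A), the next segment is exactly A bytes, and the
    same on the server side."""
    def side_ok(pkts: List[bytes]) -> bool:
        if len(pkts) < 2 or len(pkts[0]) != 4:
            return False
        n = _prefix_len(pkts[0])
        return n != -1 and len(pkts[1]) == n

    client = [p for d, p in segments if d == "c"]
    server = [p for d, p in segments if d == "s"]
    return side_ok(client) and side_ok(server)


def stream_level_match(segments: List[Segment]) -> bool:
    """The same rule over each direction's reassembled byte stream: header and
    body may share one segment or be split arbitrarily by the sending stack."""
    streams = {"c": b"", "s": b""}
    for d, payload in segments:
        streams[d] += payload

    def side_ok(data: bytes) -> bool:
        if len(data) < 4:
            return False          # not enough bytes to decide yet
        n = _prefix_len(data[:4])
        return n != -1 and len(data) >= 4 + n

    return side_ok(streams["c"]) and side_ok(streams["s"])


def build_session(client_msg: bytes, server_msg: bytes,
                  mss: Optional[int] = None) -> List[Segment]:
    """Constructed Hydrogen-style session (assumed little-endian length prefix).
    mss=None mimics the header-then-body packetisation Brian's grep describes;
    an integer mss re-segments each stream the way a real TCP stack would."""
    c = struct.pack("<I", len(client_msg)) + client_msg
    s = struct.pack("<I", len(server_msg)) + server_msg
    if mss is None:
        return [("c", c[:4]), ("c", c[4:]), ("s", s[:4]), ("s", s[4:])]

    def chop(data: bytes) -> List[bytes]:
        return [data[i:i + mss] for i in range(0, len(data), mss)]

    return [("c", p) for p in chop(c)] + [("s", p) for p in chop(s)]


# Constructed plain HTTP exchange: the false-positive case Dave wants excluded.
HTTP_SESSION: List[Segment] = [
    ("c", b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n"),
    ("s", b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok"),
]


if __name__ == "__main__":
    small = build_session(b"A" * 20, b"B" * 7)            # header and body in separate segments
    big = build_session(b"A" * 2000, b"B" * 300, mss=512)  # 512-byte segments, header+body merged
    for name, sess in (("small", small), ("big/mss512", big), ("http", HTTP_SESSION)):
        print(f"{name:12s} packet={packet_level_match(sess)} stream={stream_level_match(sess)}")
```

Run stand-alone, the "small" session matches both ways, the 512-byte-segmented session matches only at stream level (its first client segment is 512 bytes, not 4, so the per-packet rule never fires), and the HTTP session matches neither because "GET " and "HTTP" decode to lengths far above the bound. That is the practical shape of Neil's point 2: a per-packet rule is cheap but only works for the one packetisation Brian saw, while the stream-level rule needs reassembly, which in 2005-era stream4 meant a fixed port list.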
