IDS mailing list archives
RE: Active response... some thoughts.
From: "Abe L. Getchell" <abegetchell () qx net>
Date: Tue, 21 Jan 2003 14:02:50 -0500
Greetings all,
I came up with this patch for Snort (version 1.9.0) that will
generate a random TTL (not below 64) for both TCP resets and ICMP error
messages sent to clients by FlexResp when it sees a packet it has been
told to respond to. The TTL is randomized every time Snort is started
during the process of precaching the spoofed packets. The randomization
is done at this phase to minimize the amount of overhead put on the
sensor and so that wildly randomized TTLs in each TCP reset and ICMP
error message packet don't become a signature that you're using Snort
as an IDS. I submitted this to the snort-devel list; hopefully it will
be merged into the code-base. Use at your own risk... let me know if
you have any questions!
Thanks,
Abe
--
Abe L. Getchell
Security Engineer
abegetchell () qx net
Attachment: flexresp_TTL_fix.diff
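The approach described in the message above, as an added example that is not the attached patch and not Snort's own code: a TTL in the range 64 to 255 is chosen once at startup, written into a precached IPv4 header, and the header checksum is recomputed so every response in that run carries the same TTL. The names `pick_ttl`, `precache_header` and `cached_hdr`, the header-only template, and the use of `rand()` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define MIN_TTL 64   /* floor stated in the post */
#define MAX_TTL 255  /* largest value the 8-bit TTL field can hold */

static uint8_t cached_hdr[20]; /* hypothetical precached IPv4 header template */

/* RFC 1071 Internet checksum; len must be even (true for an IPv4 header). */
uint16_t ip_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((buf[i] << 8) | buf[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Map an arbitrary random value into [MIN_TTL, MAX_TTL]. */
uint8_t pick_ttl(unsigned int r)
{
    return (uint8_t)(MIN_TTL + r % (MAX_TTL - MIN_TTL + 1));
}

/* Run once at startup: fill the template, stamp the TTL, fix the checksum. */
const uint8_t *precache_header(unsigned int r)
{
    memset(cached_hdr, 0, sizeof cached_hdr);
    cached_hdr[0] = 0x45;         /* version 4, header length 5 words */
    cached_hdr[3] = 40;           /* total length: 20 IP + 20 TCP bytes */
    cached_hdr[8] = pick_ttl(r);  /* one TTL for the whole sensor run */
    cached_hdr[9] = 6;            /* protocol: TCP */
    uint16_t ck = ip_checksum(cached_hdr, sizeof cached_hdr);
    cached_hdr[10] = (uint8_t)(ck >> 8);
    cached_hdr[11] = (uint8_t)(ck & 0xff);
    return cached_hdr;
}

int main(void)
{
    srand((unsigned int)time(NULL));
    const uint8_t *h = precache_header((unsigned int)rand());
    printf("TTL for this run: %u\n", h[8]);
    return 0;
}
```

Because the TTL is stamped when the template is built, sending a response only needs the per-packet fields filled in; the TTL byte and its contribution to the checksum do not change until the next restart.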
