IDS mailing list archives
RE: Active response... some thoughts.
From: "Abe L. Getchell" <abegetchell () qx net>
Date: Tue, 21 Jan 2003 14:02:50 -0500
Greetings all, I came up with this patch for Snort (version 1.9.0) that will generate a random TTL (not below 64) for both TCP resets and ICMP error messages sent to clients by FlexResp when it sees a packet it has been told to respond too. The TTL is randomized every time Snort is started during the process of precaching the spoofed packets. The randomization is done at this phase to minimize the amount of overhead put on the sensor and so that wildly randomized TTL's in each TCP reset and ICMP error message packet doesn't become a signature that you're using Snort as an IDS. I submitted this to the snort-devel list, hopefully it will be merged into the code-base. Use at your own risk... let me know if you have any questions! Thanks, Abe -- Abe L. Getchell Security Engineer abegetchell () qx net
Attachment:
flexresp_TTL_fix.diff
Description:
Current thread:
- Active response... some thoughts. Abe L. Getchell (Jan 20)
- RE: Active response... some thoughts. Abe L. Getchell (Jan 23)
- Re: Active response... some thoughts. Martin Roesch (Jan 26)
- <Possible follow-ups>
- RE: Active response... some thoughts. Abe L. Getchell (Jan 26)
- RE: Active response... some thoughts. Ralph Los (Jan 26)
- RE: Active response... some thoughts. Christopher Lyon (Jan 26)
- RE: Active response... some thoughts. Alan Shimel (Jan 26)
- RE: Active response... some thoughts. Kohlenberg, Toby (Jan 28)
- RE: Active response... some thoughts. Garbrecht, Frederick (Jan 28)
- Message not available
- Re: Active response... some thoughts. Stone Cold (Jan 31)
- Message not available
- RE: Active response... some thoughts. Kohlenberg, Toby (Jan 28)
- RE: Active response... some thoughts. mb_lima (Jan 28)