Snort mailing list archives
Re: fragroute related fixes need testing on real networks
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 22 Apr 2002 22:51:01 -0400
Hey Chris, Since I sit ~10 feet from you these days it'd probably be more efficient for me to just wait to talk about this until work tomorrow, but since I'm home and I actually have this in front of me, I guess I'll share with the group. [snip]
> 4. older IP fragment duplicates (snort's IP fragment reassembly seems to
> always favor newer data, even for properly sequenced received data):
>
>     ip_frag 8
>     ip_chaff dup
>     order random
>
> Alert on frags with option data and suck them all away. Philosophical
> question: Should we ignore frags we didn't see the first fragment of?
Do you mean first frag first or frags that we never get the first one for? They can come in out of order, so you should collect them until you hit a flush condition, timeout, completion or flush due to memory faults induced by memcap. If we don't see the first frag the transport layer header will be assembled incorrectly, so we should either flush them altogether (i.e. Drop them) or log them to the logging facility as a bad packet. My opinion. :)
> 6. either TCP or IP chaffing with short TTLs (that expire before reaching
> the end host, but pass by the monitor):
>
>     ip_frag 8
>     ip_ttl 11
>     ip_chaff 10
>     order random
>
>     tcp_seg 1
>     ip_ttl 11
>     tcp_chaff 10
>     order random
>
> TCP stream stuff already had the min_ttl option to detect this attack so
> that it will throw away anything underneath that. I added this option to
> frag2. Also, there is a ttl_limit option to both. Basically, this will
> alert on anything that is different by more than a certain limit.
I'd probably call this "ttl_delta" or something, but that's just me.

Thanks for your hard work on this one Chris!

-Marty

--
Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
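The two evasions discussed in the thread (duplicate-fragment chaff exploiting an "newest data wins" reassembly policy, and short-TTL chaff that the sensor sees but the end host never receives) are easy to reproduce in a toy reassembler. The block below is an added illustration written for this archive page; it is not Snort's frag2 or stream code and not fragroute. The `Frag` record, the `policy`/`min_ttl`/`ttl_delta` parameters, the `chaff_dup` helper and the sample payload are all constructed for the example. Byte offsets are used instead of IP's 8-byte units, and the policy names `first`/`last` are the simplest two of the overlap policies real hosts implement.

```python
"""Toy IP fragment reassembly with a selectable overlap policy and TTL checks.

Added example (hypothetical code, not Snort/frag2 or fragroute). It shows why
a sensor that always lets newer data overwrite older data ("last") can be
desynchronised from a host that keeps the older data ("first") by fragroute's
"ip_chaff dup", and how a min_ttl drop and a ttl_delta alert expose TTL chaff.
"""
from dataclasses import dataclass


@dataclass
class Frag:
    offset: int   # byte offset of this piece in the original datagram (real IP counts 8-byte units)
    data: bytes
    ttl: int
    more: bool    # IP "more fragments" flag; False only on the final piece


def reassemble(frags, policy="last", min_ttl=None, ttl_delta=None):
    """Return (payload, alerts). payload is None while the datagram is incomplete
    or when no offset-0 fragment was ever seen (transport header unknown).

    policy    'first' keeps the older data on overlap, 'last' lets newer data win
    min_ttl   fragments with a smaller TTL are dropped (they would not reach the host)
    ttl_delta alert when a fragment's TTL differs from the first accepted TTL by more
    """
    alerts = []
    buf = {}           # byte index -> byte value accepted under `policy`
    ref_ttl = None     # TTL of the first accepted fragment, baseline for ttl_delta
    saw_first = saw_last = False
    for f in frags:
        if min_ttl is not None and f.ttl < min_ttl:
            alerts.append(f"drop: offset={f.offset} ttl={f.ttl} < min_ttl={min_ttl}")
            continue
        if ref_ttl is None:
            ref_ttl = f.ttl
        elif ttl_delta is not None and abs(f.ttl - ref_ttl) > ttl_delta:
            alerts.append(f"ttl_delta: offset={f.offset} ttl={f.ttl} vs baseline {ref_ttl}")
        saw_first = saw_first or f.offset == 0
        saw_last = saw_last or not f.more
        # One alert per fragment whose bytes disagree with data already held.
        if any(buf.get(f.offset + i, b) != b for i, b in enumerate(f.data)):
            alerts.append(f"overlap: offset={f.offset} conflicting data, policy '{policy}' wins")
        for i, b in enumerate(f.data):
            idx = f.offset + i
            if policy == "first" and idx in buf:
                continue          # older data stays
            buf[idx] = b          # newer data overwrites
    if not saw_first:
        alerts.append("no offset-0 fragment seen: transport header unknown, datagram discarded")
        return None, alerts
    if not saw_last or sorted(buf) != list(range(len(buf))):
        return None, alerts       # still waiting: hole in the data or no final fragment yet
    return bytes(buf[i] for i in range(len(buf))), alerts


# Constructed sample: 24 bytes, so three 8-byte fragments like "ip_frag 8".
PAYLOAD = b"GET /etc/passwd HTTP/1.0"


def fragment(payload, size=8, ttl=64):
    pieces = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [Frag(i * size, p, ttl, more=(i < len(pieces) - 1)) for i, p in enumerate(pieces)]


def chaff_dup(frags, ttl=None):
    """Mimic "ip_chaff dup": follow every fragment with a copy at the same offset
    carrying garbage. ttl=None keeps the real TTL (pure duplicate); a small ttl
    mimics "ip_chaff <ttl>", a copy that expires before the host but passes the sensor.
    """
    out = []
    for f in frags:
        out.append(f)
        out.append(Frag(f.offset, b"X" * len(f.data), f.ttl if ttl is None else ttl, f.more))
    return out


if __name__ == "__main__":
    dup = chaff_dup(fragment(PAYLOAD))
    print("host  (first):", reassemble(dup, policy="first")[0])
    print("sensor (last):", reassemble(dup, policy="last")[0])
    short = chaff_dup(fragment(PAYLOAD), ttl=3)
    print("sensor + min_ttl=5:", reassemble(short, policy="last", min_ttl=5))
    print("sensor + ttl_delta=8:", reassemble(short, policy="last", ttl_delta=8)[1])
    print("no first fragment:", reassemble(fragment(PAYLOAD)[1:]))
```

With pure duplicates arriving after the genuine fragments, the `first` host assembles the real request while the `last` sensor assembles nothing but garbage, which is the desynchronisation item 4 describes. With the copies sent at TTL 3, `min_ttl=5` discards them and the sensor converges on the host's view, while `ttl_delta=8` keeps the garbage but raises one alert per chaff fragment. A stream that never includes the offset-0 fragment is discarded with an alert rather than assembled with a bogus transport header.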
Current thread:
- fragroute related fixes need testing on real networks Chris Green (Apr 22)
- Re: fragroute related fixes need testing on real networks Martin Roesch (Apr 22)
- Re: [Snort-devel] fragroute related fixes need testing on real networks Chris Green (Apr 22)
- Re: [Snort-devel] fragroute related fixes need testing on real networks Chris Green (Apr 23)