Snort mailing list archives
sidestep
From: Jill Tovey <jill.tovey () bigbluedoor com>
Date: 29 Apr 2003 13:35:33 +0100
Hi,

Apologies to anyone on the focus-ids list who will receive this twice.

I am testing snort using a tool called sidestep, but can find little to no explanation as to how it works when trying to evade the IDS. In the hope that some people here are fluent in hex I am posting what is happening when I use the sidestep tool for an RPC request to my snort box.

Below are the results in my log file from snort when using the RPC request in normal mode...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
TCP TTL:128 TOS:0x0 ID:8585 IpLen:20 DgmLen:84 DF
***AP*** Seq: 0xBE7826F7  Ack: 0x34F8656C  Win: 0x4470  TcpLen: 20
80 00 00 28 00 00 00 00 00 00 00 00 00 00 00 02  ...(............
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00              ............
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Next I try sidestep using -evade mode. This gets detected by snort and leaves the following in my log file:

[**] RPC portmap listing [**]
04/29-12:57:58.607580 192.168.0.10:1471 -> 192.168.0.2:111
TCP TTL:128 TOS:0x0 ID:10424 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x19B53290  Ack: 0xB60B1018  Win: 0x4470  TcpLen: 20
80 00 00 28 00 00 00 00 00 00 00 00 00 00 00 02  ...(............
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01 00 00 00 00 01 00 00 00 00 01 02 00 00 00 01  ................
00 00 00 00 01 01 00 00 00 01 86 00 00 00 01 A0  ................
00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00  ................
00 00 01 02 00 00 00 01 00 00 00 00 01 00 00 00  ................
00 01 00 00 00 00 01 04 00 00 00 01 00 00 00 00  ................
01 00 00 00 00 01 00 00 00 00 01 00 00 00 00 01  ................
00 00 00 00 01 00 00 00 00 01 00 00 00 00 01 00  ................
00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00  ................
00 00 01 00 00 00 00 01 00 00 00 00 01 00 00 00  ................
00 01 00 80 00 00 01 00                          ........
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Anyway, as you can see the packet data is very different, but the first 44 bytes are the same; this is probably why snort is detecting the attack. So would anyone like to attempt an explanation as to how this tries to evade snort?

Any comments much appreciated,

Cheers
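As an added example (not part of the original post, and not sidestep's or Snort's own code), the following Python reassembles RPC-over-TCP record-marking fragments before decoding the call, which is what an IDS has to do to recognise a stream that carries the request one byte per fragment as the same portmap DUMP call. The 44-byte normal-mode payload is taken from the dump above; the fragmented stream is constructed here to mirror the 5-byte "00 00 00 01 xx" records that make up the tail of the -evade dump.

```python
import struct

# Normal-mode payload from the post: mark 0x80000028 (last, len 40) + 40-byte DUMP call
NORMAL_PAYLOAD = bytes.fromhex(
    "80000028" "00000000" "00000000" "00000002" "000186a0" "00000002"
    "00000004" "00000000" "00000000" "00000000" "00000000")
PMAP_PROG, PMAPPROC_DUMP = 100000, 4  # portmapper program number, DUMP proc

def reassemble_rpc_records(stream):
    """Reassemble RPC-over-TCP record fragments (RFC 1831 record marking):
    each fragment has a 4-byte big-endian mark whose bit 31 flags the last
    fragment of a record and whose low 31 bits give the fragment length."""
    messages, current, pos = [], bytearray(), 0
    while pos + 4 <= len(stream):
        (mark,) = struct.unpack("!I", stream[pos:pos + 4])
        last, length = bool(mark & 0x80000000), mark & 0x7FFFFFFF
        pos += 4
        if pos + length > len(stream):
            raise ValueError("truncated fragment at offset %d" % pos)
        current += stream[pos:pos + length]
        pos += length
        if last:  # record complete: hand the reassembled message up
            messages.append(bytes(current))
            current = bytearray()
    if pos != len(stream) or current:
        raise ValueError("trailing bytes or unterminated record")
    return messages

def decode_rpc_call(msg):
    """Decode the six fixed 32-bit fields of an ONC RPC v2 CALL header."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack("!6I", msg[:24])
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an RPC v2 CALL")
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "portmap_dump": prog == PMAP_PROG and proc == PMAPPROC_DUMP}

def detect_portmap_dump(stream):
    """Reassembly-aware check: True if any record carries a portmap DUMP call."""
    return any(decode_rpc_call(m)["portmap_dump"]
               for m in reassemble_rpc_records(stream))

def constructed_fragmented_stream(message):
    """Constructed test input: the same call carried one data byte per record
    fragment, i.e. the 5-byte '00 00 00 01 xx' records seen in the -evade dump."""
    out = bytearray()
    for i, b in enumerate(message):
        last = 0x80000000 if i == len(message) - 1 else 0
        out += struct.pack("!I", last | 1) + bytes([b])
    return bytes(out)
```

A matcher that only compares the first 44 bytes of the payload sees nothing in common between the two streams, while the reassembled record is byte-for-byte the same DUMP call in both.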