Snort mailing list archives
Re: sidestep
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 29 Apr 2003 11:50:44 -0400
From what I read, sidestep does a fragmentation style attack, but rather than using the IP or TCP layers (which is what fragrouter and the like do), it uses features of particular application protocols to do it.
http://www.der-keiler.de/Mailing-Lists/securityfocus/focus-ids/2001-07/0100.html
So basically in this example it's making a bunch of redundant commands to RPC, and at the application layer, apparently RPC will re-assemble it.
Another discussion can be found here: http://www.sans.org/resources/idfaq/rpc_evas.php
I think that sidestep, and similar attacks, is one reason why snort has a rpc_decode preprocessor.
At 01:35 PM 4/29/2003 +0100, Jill Tovey wrote:
Anyway, as you can see the packet data is very different, but the first 44 bytes are the same, this is probably why snort is detecting the attack. So would anyone like to attempt an explanation as to how this tries to evade snort? Any comments much appreciated,
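As an added illustration (not code from this thread or from Snort), the following shows one way RPC itself can carry a split message: ONC RPC record marking over TCP (RFC 5531, section 11), where a record may be sent as several length-prefixed fragments that the receiver joins. A matcher that inspects each fragment on its own misses a pattern cut across the boundary, while a reassembler that honours the record marking sees the whole record, which is the role a preprocessor like rpc_decode plays. The RPC program number, the `CONTENT_OF_INTEREST` pattern and the function names are constructed placeholders.

```python
import struct

# Constructed pattern standing in for the bytes a content rule would look for.
SIGNATURE = b"CONTENT_OF_INTEREST"

def rm_fragment(payload: bytes, last: bool) -> bytes:
    """Prefix payload with an ONC RPC record-marking header (RFC 5531 s.11):
    high bit set on the last fragment, low 31 bits hold the fragment length."""
    return struct.pack(">I", (0x80000000 if last else 0) | len(payload)) + payload

def build_call(xid: int, prog: int, vers: int, proc: int, args: bytes) -> bytes:
    """Minimal RPC CALL: xid, msg_type CALL(0), rpcvers 2, prog, vers, proc,
    AUTH_NULL credential and verifier (flavor 0, length 0), then the args."""
    return struct.pack(">10I", xid, 0, 2, prog, vers, proc, 0, 0, 0, 0) + args

def fragment_record(record: bytes, cut_points: list[int]) -> list[bytes]:
    """Split one RPC record into record-marked fragments at the given offsets.
    Cutting inside the interesting bytes keeps them out of every single fragment."""
    bounds = [0, *cut_points, len(record)]
    pieces = [record[a:b] for a, b in zip(bounds, bounds[1:])]
    return [rm_fragment(p, i == len(pieces) - 1) for i, p in enumerate(pieces)]

def naive_match(fragments: list[bytes]) -> bool:
    """Per-fragment matching: what a detector without RPC reassembly sees."""
    return any(SIGNATURE in f for f in fragments)

def reassemble(stream: bytes) -> list[bytes]:
    """Join record-marked fragments into whole records, the normalisation a
    preprocessor such as rpc_decode does (an independent toy, not Snort's code)."""
    records, current, off = [], b"", 0
    while off + 4 <= len(stream):
        (hdr,) = struct.unpack(">I", stream[off:off + 4])
        last, length = bool(hdr & 0x80000000), hdr & 0x7FFFFFFF
        frag = stream[off + 4:off + 4 + length]
        if len(frag) != length:
            raise ValueError("truncated RPC fragment")  # never match on partial data
        current += frag
        off += 4 + length
        if last:
            records.append(current)
            current = b""
    return records

def normalized_match(stream: bytes) -> bool:
    """Match after reassembly, so fragment boundaries no longer hide the pattern."""
    return any(SIGNATURE in r for r in reassemble(stream))

# Constructed demo values: program/version/procedure numbers are placeholders.
RECORD = build_call(0x1234, 424242, 1, 1, SIGNATURE)
SPLIT = fragment_record(RECORD, [40 + len(SIGNATURE) // 2])  # cut inside the pattern
```

With `SPLIT`, `naive_match` returns False while `normalized_match(b"".join(SPLIT))` returns True; the same 40-byte call header appears in the first fragment either way, which matches the observation that the leading bytes look identical across the captured packets.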