Snort mailing list archives

Re: sidestep


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 29 Apr 2003 11:50:44 -0400

From what I read, sidestep does a fragmentation style attack, but rather than using the IP or TCP layers (which is what fragrouter and the like do), it uses features of particular application protocols to do it.

http://www.der-keiler.de/Mailing-Lists/securityfocus/focus-ids/2001-07/0100.html

So basically in this example it's making a bunch of redundant commands to RPC, and at the application layer, apparently RPC will re-assemble it.

Another discussion can be found here:
http://www.sans.org/resources/idfaq/rpc_evas.php

I think that sidestep, and similar attacks, is one reason why snort has an rpc_decode preprocessor.

At 01:35 PM 4/29/2003 +0100, Jill Tovey wrote:
> Anyway, as you can see the packet data is very different, but the first
> 44 bytes are the same, this is probably why snort is detecting the
> attack.
> So would anyone like to attempt an explanation as to how this tries to
> evade snort?
>
> Any comments much appreciated,

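The application-layer reassembly described above, as an added example that is not from the original thread: ONC RPC over TCP uses record marking (RFC 5531: a 4-byte big-endian header per fragment, high bit set on the last fragment, low 31 bits giving the fragment length), so one call can be spread over several fragments. The code below constructs a call that is fragmented this way, shows that a per-fragment content match misses it, and shows that a normalizer which merges fragments into whole records (what an rpc_decode-style preprocessor does) matches again. The call header values and the signature bytes are constructed for the example.

```python
import struct

LAST_FRAG = 0x80000000  # record-marking header: MSB = last fragment of record

def fragment_record(record: bytes, sizes) -> bytes:
    """Encode one RPC record as record-marking fragments of the given byte
    sizes (sample construction only; the last size takes the remainder)."""
    out, pos = b"", 0
    for i, n in enumerate(sizes):
        is_last = i == len(sizes) - 1
        chunk = record[pos:] if is_last else record[pos:pos + n]
        pos += len(chunk)
        out += struct.pack("!I", len(chunk) | (LAST_FRAG if is_last else 0)) + chunk
    return out

def split_fragments(stream: bytes):
    """Walk a TCP byte stream carrying RPC record marking and return
    (last_flag, payload) for each fragment, in order."""
    frags, off = [], 0
    while off + 4 <= len(stream):
        (hdr,) = struct.unpack("!I", stream[off:off + 4])
        length = hdr & 0x7FFFFFFF
        payload = stream[off + 4:off + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated RPC fragment")
        frags.append((bool(hdr & LAST_FRAG), payload))
        off += 4 + length
    return frags

def reassemble(stream: bytes):
    """Merge fragments into whole records, as an rpc_decode-style normalizer would."""
    records, buf = [], b""
    for last, payload in split_fragments(stream):
        buf += payload
        if last:
            records.append(buf)
            buf = b""
    return records

# Constructed RPC CALL header: xid, msg_type CALL(0), rpcvers 2, prog 100000, vers 2, proc 3
CALL = struct.pack("!6I", 0x1234ABCD, 0, 2, 100000, 2, 3)
# Hypothetical content signature: the program/version/procedure triple (bytes 12..24)
SIG = struct.pack("!3I", 100000, 2, 3)

def per_fragment_hits(stream: bytes) -> int:
    """Matches seen when each fragment is inspected on its own."""
    return sum(SIG in payload for _, payload in split_fragments(stream))

def reassembled_hits(stream: bytes) -> int:
    """Matches seen after records are normalized into one piece."""
    return sum(SIG in rec for rec in reassemble(stream))

EVASIVE = fragment_record(CALL, [14, 6, 4])  # splits the signature bytes over 3 fragments
```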

