IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Problems with Snort-1.9.1

From: "Toby Miller" <toby_miller () adelphia net>
Date: Thu, 27 Mar 2003 21:23:57 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Problem: Snort-1.9.1 using a default snort.conf configuration does
not detect certain crafted packets.

Details: Snort-1.9.1 does not detect packets when the SYN,FIN and ECN
echo bits set. The following is an example of a packet:

12:37:12.386797 10.1.1.6.18250 > 10.1.1.2.21536: SFE [tcp sum ok]
1178601305:1178601305(0) win 512 (ttl 104, id 5100, len 40)
0x0000       4500 0028 13ec 0000 6806 28db 0a01 0106
E..(....h.(.....
0x0010       0a01 0102 474a 5420 4640 0759 0bec 8b73
....GJT.F@.Y...s
0x0020       5043 0200 1735 0000                      PC...5..


Testing: In order to set this I used hping2 and the following
switches:

hping2 -t 104 -N -W -s 18245 -p 21536 -S -F -X 'IP Address'

When performing this test I found that Snort would detect a SYN,FIN
packet provided that the ECN echo packet was not set in the same
packet.

Problem: With the detect_scan option set in the stream4 preprocessor
Snort would not detect these packets.

Impact: Snort will not catch certain scans or attacks using these
TCP/IP flags.

Solution: Upgrade to Snort-2.0.0rc1
(www.snort.org/dl/snort-2.0.0rc1.tar.gz or if you need to use
Snort-1.9.1 to detect these packets, one would have to enable the
portscan preprocessor or delete the detect_scans option in the stream
4 preprocessor.

I would like to thank Chris Green of Snort for responding quickly to
this problem.

                                                                        Thanks,
                                                                        Toby

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPoOyN1LhpjRJgUE5EQLpnwCfeFHKjr+mnaJimDIbUhsubZVhC8kAn3yS
vtkxLftXgxGeGHfJk0/sVoTl
=KLHU
-----END PGP SIGNATURE-----




-----------------------------------------------------------
ALERT: Exploiting Web Applications- A Step-by-Step Attack Analysis
Learn why 70% of today's successful hacks involve Web Application
attacks such as: SQL Injection, XSS, Cookie Manipulation and Parameter 
Manipulation.
http://www.spidynamics.com/mktg/webappsecurity71
Previous By Date Next
Previous By Thread Next

Current thread: