Snort mailing list archives
Re: SeolMa
From: Dragos Ruiu <dr () kyx net>
Date: Sat, 18 Aug 2001 15:44:43 -0700
On Wed, 31 Dec 1969, auto241065 () hushmail com wrote:
> What are your thoughts on the IDS evasion method presented in the latest
> issue of phrack? Do frag2 and stream4 make the traffic appear to snort the
> same way it would arrive at the host, defeating this evasion attempt? My
> testing with this method is limited due to the fact that it seems there
> were errors in the example code meant to drive me crazy.

I would think that this evasion should have little to do with either stream{n} or {de}frag{n}, as this sort of urgent flag data insertion is rarely used in the real world.

I have heard reports that MS Citrix terminal server traffic makes use of Urgent flags, so this evasion should be more of a pain in the ass for those kinds of environments as they'll have to go to greater lengths to prefilter their Citrix traffic from this kind of detection, but given that urgent flags are very infrequent on the network they should stick out like, hehe, stealth nmap scans, or xmas scans, using stick, or any of the other "leet" (not :-) obfuscations that stick out (oooh bad pun:-) like a sore thumb and typically start big red flashing lights and alerts.

An Urgent Insertion IDS Evasion signature might go like:

    alert tcp any any -> $HOME_NET any (flags: U; msg: "Possible TCP Urgent Data Insertion Evasion - ref Phrack57";)

Since I'm fortunately Citrix-free, I'm planning on seeing if anything else will false this rule. Does anybody with Citrix want to come up with a Citrix triggered rule that can be used as a pass rule before this, or used with a negated content keyword to improve this signature?

cheers,
--dr
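As an added example (not from the thread and not Snort's code), here is a small Python model of the rule sketched above with a pass rule in front of it: parse the raw TCP header, let segments to an assumed Citrix ICA destination port (1494, standing in for a site-specific pass rule) through, and alert on anything else carrying the URG flag. The header builder and the sample segments are constructed for the demo.

```python
import struct
from typing import NamedTuple

URG = 0x20  # URG bit in the low 6 flag bits of the TCP header

class TcpSegment(NamedTuple):
    sport: int
    dport: int
    flags: int
    urg_ptr: int
    payload: bytes

def parse_tcp(raw: bytes) -> TcpSegment:
    """Parse the fixed 20-byte TCP header (RFC 793 layout) and split off the payload."""
    if len(raw) < 20:
        raise ValueError("short TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, urg = struct.unpack("!HHIIHHHH", raw[:20])
    data_off = (off_flags >> 12) * 4          # header length incl. options, in bytes
    return TcpSegment(sport, dport, off_flags & 0x3F, urg, raw[data_off:])

# Assumed Citrix ICA port; in a real deployment this is whatever the site's pass rule covers.
PASS_DST_PORTS = {1494}

def urg_alert(seg: TcpSegment, pass_ports=PASS_DST_PORTS):
    """Emulate 'pass rule for the known URG-using service, then alert on flags: U'."""
    if not seg.flags & URG:
        return None                           # rule does not fire without URG
    if seg.dport in pass_ports:
        return None                           # swallowed by the pass rule
    return "Possible TCP Urgent Data Insertion Evasion - ref Phrack57"

def build_tcp(sport, dport, flags, urg_ptr, payload=b""):
    """Constructed test helper: header with data offset 5 and zeroed seq/ack/checksum."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, urg_ptr) + payload

SAMPLES = [  # constructed segments, not captured traffic
    build_tcp(40000, 80, 0x18, 0, b"GET / HTTP/1.0\r\n"),     # PSH|ACK, no URG   -> quiet
    build_tcp(40001, 80, 0x38, 1, b"XGET / HTTP/1.0\r\n"),    # URG|PSH|ACK to web -> alert
    build_tcp(40002, 1494, 0x38, 1, b"\x7f\x7f"),             # URG to Citrix port -> passed
]

def scan(raw_segments, pass_ports=PASS_DST_PORTS):
    """Return (index, message) for every segment the rule set would alert on."""
    hits = []
    for i, raw in enumerate(raw_segments):
        msg = urg_alert(parse_tcp(raw), pass_ports)
        if msg:
            hits.append((i, msg))
    return hits

if __name__ == "__main__":
    for i, msg in scan(SAMPLES):
        print(f"segment {i}: {msg}")
```

Running it with an empty pass set shows how the Citrix segment would otherwise fire the rule, which is the false-positive case the thread is asking Citrix shops to help filter.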
Current thread:
- SeolMa auto241065 (Aug 16)
- Re: SeolMa Dragos Ruiu (Aug 18)