Snort mailing list archives
Re: Snort Evasion?
From: Martin Roesch <roesch () sourcefire com>
Date: Sun, 17 Mar 2002 20:08:51 -0500
Hi Rob,

You're almost right. When the sequence number rolls over *and* the starting (base) sequence = 0 for *this flush*, stream4 will ignore it because it doesn't have PAWS built in (well, it probably will by the end of tonight). From the code:

    if(s->last_ack == 0 || s->base_seq == 0 ||
       (s->last_ack < s->base_seq) ||
       (s->last_ack - s->base_seq > 65535))
    {
        /* yeah, I know this is lame, we'll fix it */
        DeleteSpd(s->dataPtr, gotevent);
        return;
    }

See, I even say it's lame in the comments. :)

To really resolve this requires us to do a lot more TCP options processing in stream4, which we are now working on. It should be noted that this only works for the current segment set; once the flush happens it'll pick back up on the stream data. You can evade it, but only until the flush point is hit.

I suppose a simple hack of a fix (without implementing full PAWS) is to flush when the rollover is detected automatically and keep the pre-rollover segment and reflush that one when the next flush point is hit. This would be similar to the behavior that was implemented for segments that aren't fully ACK'd when they get flushed...

-Marty

On 3/17/02 5:28 PM, "IDS Expect" <robertgoldman2000 () yahoo com> wrote:
> Hi,
>
> I have been examining the snort 1.8.4 source code and I think I found a
> very simple way to evade Snort if and when stream4 is in use. It seems
> like in spp_stream4.c, FlushStream() will ignore all packets if base_seq
> is zero. Well, base_seq is set to the sequence number of the first data
> byte. What if the attacker initializes her TCP connection's sequence
> number to 0xffffffff? This will make base_seq zero and Snort will further
> ignore any data on this connection. Am I right?
>
> --rob
--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
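As an added illustration (not code from Snort or from either poster), the following Python models the flush guard quoted in the reply above beside a variant that compares sequence numbers modulo 2**32, which is one way to stop a base sequence of 0 (ISN 0xffffffff, first data byte at 0) from being treated as "no data". The function names, the `window` parameter and the simplified stream fields are my own assumptions, not stream4's.

```python
# Added example: models the stream4 FlushStream() guard quoted in the thread
# and a hardened variant using wraparound (RFC 793 style) sequence arithmetic.
# Names and parameters are assumptions for illustration, not Snort's own.

MOD32 = 1 << 32


def first_data_seq(isn):
    """The SYN consumes one sequence number, so the first data byte sits at
    ISN + 1 modulo 2**32; ISN 0xffffffff therefore yields base_seq == 0."""
    return (isn + 1) % MOD32


def seq_lt(a, b):
    """True if a precedes b in 32-bit modular sequence space."""
    return ((a - b) & 0xFFFFFFFF) >= 0x80000000  # signed (a - b) < 0


def seq_diff(a, b):
    """Unsigned distance from b forward to a, wrapping at 2**32."""
    return (a - b) % MOD32


def stream4_flush_guard(last_ack, base_seq):
    """The guard as quoted on the list: True means the buffered segment set
    is discarded (DeleteSpd) instead of being reassembled and inspected."""
    return (last_ack == 0 or base_seq == 0
            or last_ack < base_seq
            or last_ack - base_seq > 65535)


def hardened_flush_guard(last_ack, base_seq, window=65535):
    """Same intent (skip flushes whose ACK is behind the buffered data or
    implausibly far ahead), but evaluated modulo 2**32 so that base_seq == 0
    and a mid-stream rollover are ordinary values rather than discard cases."""
    if seq_lt(last_ack, base_seq):          # ACK behind start of buffered data
        return True
    return seq_diff(last_ack, base_seq) > window


def compare_guards(last_ack, base_seq):
    """Return (original_skips, hardened_skips) for one flush point."""
    return (stream4_flush_guard(last_ack, base_seq),
            hardened_flush_guard(last_ack, base_seq))


if __name__ == "__main__":
    # Constructed scenario from the thread: ISN 0xffffffff, peer has ACKed 1460
    # bytes of data; the original guard discards, the hardened one inspects.
    print(compare_guards(1460, first_data_seq(0xFFFFFFFF)))   # (True, False)
    # Constructed mid-stream rollover: data began just below the wrap point.
    print(compare_guards(0x100, 0xFFFFFF00))                  # (True, False)
```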