Snort mailing list archives

Re: Re: Rules that fire on bad checksums?


From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 8 Sep 2004 22:16:45 -0500

Ummmmm, you could replace your snort IDS which you know and love. Or
you could apply the patch attached below.  I was feeling nice and had
an extra 5 minutes so I whipped this up for 2.2.0 users out there. 
Victor Julien and I are working on adding this into snort_inline
anyhow.  This should apply cleanly to snort-2.2.0 and give you the
alerting you desire.

Regards,

Will

On Wed, 8 Sep 2004 22:12:48 -0400, Richard Bejtlich
<taosecurity () gmail com> wrote:
Glenn Forbes Fleming Larratt wrote:

tcpdump will make noise when an IP or embedded protocol checksum is bad.

I cannot find anything in the Snort manual that would alert on that
condition - is there any such thing, either in the rules or in a plugin?

--

You might consider looking at Vern Paxson's open source Bro IDS
(http://bro-ids.org/).  The Bro manual index shows several ways to
catch bad checksums in various headers. [0]  For example:

# checksum error, ICMP: Events handled by conn_weird
# checksum error, IP: Events handled by net_weird
# checksum error, TCP: Events handled by conn_weird
# checksum error, UDP: Events handled by conn_weird

Bro excels at detecting these sorts of odd packet features.

I recently exchanged emails with a Bro developer who claims a lot of
work is being done to make Bro easier to deploy and manage.  I think
the new Web site and Wiki are evidence this is happening.  [1]

My book describes how to set up Bro using Chris Manders' BRA scripts.  [2]

Sincerely,

Richard
http://www.taosecurity.com

[0] http://bro-ids.org/Bro-reference-manual/Index.html
[1] http://www.icir.org/twiki/bin/view/Bro/WebHome
[2] http://www.baylinks.com/~cmanders/projects/bra.html and
http://www.taosecurity.com/books.html





Attachment: 2.2.0-checksumalerts.diff
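The check the thread is asking for, as an added example that is not code from Snort, Bro, tcpdump or the attached patch: a small Python verifier that recomputes the IPv4 header checksum and the TCP/UDP checksum (over the pseudo-header) for a raw packet and reports the same "checksum error, IP/TCP/UDP" weirds that Richard's Bro index excerpt lists. The addresses, ports and packet bytes are constructed for the example; it assumes an unfragmented IPv4 packet.

```python
"""Recompute IPv4, TCP and UDP checksums on a raw packet and report
Bro-style "checksum error" weirds.  Added illustration for this thread,
not code from Snort, Bro, tcpdump or the attached patch; every packet
below is constructed inline for the example."""
import struct

SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Checksum to store in a header whose checksum field is currently zero."""
    return (~ones_complement_sum(data)) & 0xFFFF


def check_packet(pkt: bytes) -> list:
    """Return the list of checksum weirds found in an IPv4 packet.

    Names mirror the Bro events quoted in the thread.  A correct checksum
    makes the one's-complement sum of the covered bytes (checksum field
    included) come out as 0xFFFF.  A UDP checksum of zero means "not
    computed" in IPv4 and is deliberately not reported as an error.
    """
    weirds = []
    ihl = (pkt[0] & 0x0F) * 4
    if ones_complement_sum(pkt[:ihl]) != 0xFFFF:
        weirds.append("checksum error, IP")
    proto = pkt[9]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    l4 = pkt[ihl:total_len]
    if proto == 17 and l4[6:8] == b"\x00\x00":
        return weirds                         # UDP: no checksum present
    if proto in (6, 17):
        pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, len(l4))
        if ones_complement_sum(pseudo + l4) != 0xFFFF:
            weirds.append("checksum error, %s" % ("TCP" if proto == 6 else "UDP"))
    return weirds


def build_ipv4(src: bytes, dst: bytes, proto: int, l4: bytes) -> bytes:
    """Wrap an L4 segment (checksum field still zero) in a plain IPv4 header
    and fill in both checksums.  Checksum offset: 16 for TCP, 6 for UDP."""
    off = 16 if proto == 6 else 6
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(l4))
    csum = checksum(pseudo + l4)
    if proto == 17 and csum == 0:
        csum = 0xFFFF                         # UDP transmits all-ones instead of zero
    l4 = l4[:off] + struct.pack("!H", csum) + l4[off + 2:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000,
                      64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + l4


def corrupt(pkt: bytes, offset: int) -> bytes:
    """Flip one byte without touching any checksum field, so the enclosing
    checksum no longer verifies."""
    return pkt[:offset] + bytes([pkt[offset] ^ 0xFF]) + pkt[offset + 1:]


# Constructed sample segments; checksum fields are zero until build_ipv4 fills them.
UDP_SEG = struct.pack("!HHHH", 53000, 53, 8 + 5, 0) + b"hello"
TCP_SEG = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)  # bare SYN


def demo() -> dict:
    """Run the verifier over good packets and several damaged copies."""
    udp = build_ipv4(SRC, DST, 17, UDP_SEG)
    tcp = build_ipv4(SRC, DST, 6, TCP_SEG)
    return {
        "good udp": check_packet(udp),
        "good tcp": check_packet(tcp),
        "ttl changed, IP csum stale": check_packet(corrupt(udp, 8)),
        "udp payload altered": check_packet(corrupt(udp, 20 + 8)),
        "tcp flags altered": check_packet(corrupt(tcp, 20 + 13)),
        "udp with zero checksum": check_packet(udp[:26] + b"\x00\x00" + udp[28:]),
    }


if __name__ == "__main__":
    for label, found in demo().items():
        print("%-28s %s" % (label, found or "ok"))
```

Running the file prints one line per case; the damaged copies each trip exactly the layer whose checksum covers the altered byte (the TTL change only upsets the IP header checksum, because the TCP/UDP pseudo-header does not include the TTL). One caveat before treating such alerts as evidence of tampering: on a host whose NIC does checksum offload, outbound packets captured on that same host carry placeholder checksums that this check, and tcpdump, will report as bad; verify from a tap or span port, or disable offload on the capture interface.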