Snort mailing list archives

Re: how can we alert on web visiting activity?


From: Jason Brvenik <jasonb () sourcefire com>
Date: Thu, 19 Nov 2009 17:29:57 -0500

On Thu, Nov 19, 2009 at 4:42 PM, Eoin Miller
<eoin.miller () trojanedbinaries com> wrote:
This has bit us in the rear as well. Adding the following lines to your
snort.conf file will also act the same as using the "-k" option. Here is
a section of our snort.conf related to this:

---snip---
#
# Dont drop stuff because of the checksum (snort -k)
#
config checksum_mode: none
---snip---

I am sure there is a great reason to allow packets to be ignored due to
bad checksums, but having this be default behavior can cause some issues
for users. I guess in theory the network devices/clients/servers should
be disregarding the packets due to the bad checksums?


Yes there is. Accepting packets for analysis that have bad checksums (and thus will not be processed by the targets) presents evasion opportunities for the attacker.

For the body of work surrounding it check out the first few links in
these google searches.

http://www.google.com/search?q=checksum+ips+evasion
http://www.google.com/search?q=checksum+ids+evasion
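To make the point concrete for readers of the thread, here is an added Python example (not from the list posts or from Snort itself) that computes and verifies IPv4 header and TCP checksums the way an IDS would, and shows the decision that `checksum_mode` controls: a packet whose TCP checksum is wrong is exactly the packet the destination host will silently discard, so inspecting it (`checksum_mode: none`) means generating alerts on data the target never sees. The packet contents, addresses (RFC 5737 documentation ranges) and the `accept_for_inspection` helper are constructed for the example and are not Snort's code.

```python
import struct

PROTO_TCP = 6
SRC_IP = bytes([192, 0, 2, 1])       # constructed sample addresses (RFC 5737 ranges)
DST_IP = bytes([198, 51, 100, 7])


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"              # odd-length data is padded with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:               # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """Checksum value to store in a header whose checksum field is zeroed."""
    return (~ones_complement_sum(data)) & 0xFFFF


def checksum_valid(data: bytes) -> bool:
    """With the stored checksum included, the one's complement sum must be all ones."""
    return ones_complement_sum(data) == 0xFFFF


def tcp_pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    # The TCP checksum also covers this pseudo-header built from the IP layer.
    return src + dst + struct.pack("!BBH", 0, PROTO_TCP, tcp_len)


def build_tcp_packet(payload: bytes, sport: int = 40000, dport: int = 80) -> bytes:
    """Build an IPv4/TCP packet with correct IP header and TCP checksums."""
    tcp_len = 20 + len(payload)
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    tcp_csum = internet_checksum(tcp_pseudo_header(SRC_IP, DST_IP, tcp_len) + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]

    # version/IHL, TOS, total length, id, flags/frag (DF), TTL, proto, csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000,
                         64, PROTO_TCP, 0, SRC_IP, DST_IP)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", internet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


def verify_checksums(packet: bytes) -> dict:
    """Check the IPv4 header checksum and, for TCP, the segment checksum."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    src, dst = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    result = {"ip_ok": checksum_valid(packet[:ihl]), "tcp_ok": None}
    if packet[9] == PROTO_TCP:
        result["tcp_ok"] = checksum_valid(tcp_pseudo_header(src, dst, len(segment)) + segment)
    return result


def accept_for_inspection(packet: bytes, checksum_mode: str = "all") -> bool:
    """Hypothetical helper mirroring the choice checksum_mode makes: with 'all'
    (Snort's default, the behaviour the thread discusses) a packet the target
    host would discard for a bad checksum is not inspected; 'none' inspects it."""
    if checksum_mode == "none":
        return True
    r = verify_checksums(packet)
    return r["ip_ok"] and r["tcp_ok"] is not False


PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"       # constructed sample request
GOOD = build_tcp_packet(PAYLOAD)
# Flip one bit of the first payload byte (offset 40 = 20-byte IP + 20-byte TCP).
# The IP header checksum does not cover the payload and stays valid; the TCP
# checksum does cover it and no longer matches, so a real host drops the segment.
BAD = GOOD[:40] + bytes([GOOD[40] ^ 0x01]) + GOOD[41:]

if __name__ == "__main__":
    print("good:", verify_checksums(GOOD))
    print("bad: ", verify_checksums(BAD))
    print("inspected with checksum_mode all :", accept_for_inspection(BAD))
    print("inspected with checksum_mode none:", accept_for_inspection(BAD, "none"))
```

The useful check for a deployment is the one `accept_for_inspection` encodes: the sensor should agree with the host it protects about which packets count. If a capture path (offloaded checksums, a span port that strips them, tunnelled traffic) delivers otherwise-good packets with bad checksums, the fix the quoted post applies makes alerts appear again, but it also means the sensor now inspects segments the target would discard.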

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

