Snort mailing list archives

Re: Tcp session hijacking


From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Tue, 19 Aug 2014 15:07:37 +0000


________________________________
From: Meysam Farazmand [farazmand.meisam () gmail com]
Sent: Tuesday, August 19, 2014 10:37 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Tcp session hijacking


Hi Russ,

Yeah, I have all of this. I have 2 rules in my preprocessor.rules file for session hijacking detection.


* OK, time for a pcap and conf if you can send the minimal repro foo.


Thanks

Russ


On Aug 19, 2014 5:30 PM, "Russ Combs (rucombs)" <rucombs () cisco com<mailto:rucombs () cisco com>> wrote:
Do you have stream5_tcp: detect_anomalies set?  Do you have config autogenerate_preprocessor_decoder_rules or the stubs 
for 129:9 and 129:10 included?

________________________________
From: Meysam Farazmand [farazmand.meisam () gmail com<mailto:farazmand.meisam () gmail com>]
Sent: Tuesday, August 19, 2014 8:40 AM
To: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Tcp session hijacking


Hi,

NP. Yes, I know. My problem is that although "ettercap" changes the MAC address of the victim during communication, and I see
these changes with Wireshark, Snort does not generate any alert on this. Did you test this capability of Snort?

On Aug 19, 2014 5:03 PM, "Joel Esler (jesler)" <jesler () cisco com<mailto:jesler () cisco com>> wrote:
Sorry about that.

129:9 and 129:10 are the preprocessor alerts.

--
Joel Esler
Sent from my iPhone

On Aug 19, 2014, at 8:02, "Meysam Farazmand" <farazmand.meisam () gmail com<mailto:farazmand.meisam () gmail com>> wrote:


Hi Joel,

But according to the Snort user manual, the stream5 check_session_hijacking option is based on MAC address checking on both
sides of a communication.

More exactly:
" Check for TCP session hijacking. This check validates the hardware (MAC) address from both sides of the connect - as 
established on the 3-way handshake against subsequent packets received on the session. If an ethernet layer is not part 
of the protocol stack received by Snort, there are no checks performed. Alerts are generated (per 'detect_anomalies' 
option) for either the client or server when the MAC address for one side or the other does not match. The default is 
set to off."
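The manual text quoted above describes the check well enough to model it: record the hardware addresses seen on the 3-way handshake, then compare every later packet of that session against them, raising 129:9 for a client-side mismatch and 129:10 for a server-side mismatch. The following Python is an added illustration, not Snort's own stream5 code: the Packet model, the sample addresses and the two scenarios are constructed, and the mapping of SID 9 to the client side and SID 10 to the server side is an assumption. It also shows the caveat that matters for the MITM test in this thread: if ARP poisoning is already in place when the SYN is sent, the handshake records the attacker's MAC as the peer's, and there is nothing for the check to notice.

```python
"""Model of stream5's check_session_hijacking MAC check (added example, not Snort code)."""
from collections import namedtuple

# Constructed packet model: only the fields the check needs.
# src_mac/dst_mac are None when the capture carries no Ethernet layer.
Packet = namedtuple("Packet", "src_mac dst_mac src_ip dst_ip sport dport flags")

GID_STREAM5 = 129
SID_HIJACK_CLIENT = 9   # assumed mapping: client-side MAC mismatch
SID_HIJACK_SERVER = 10  # assumed mapping: server-side MAC mismatch


class Stream5Model:
    """Tracks TCP sessions by 4-tuple and remembers the MACs seen on the SYN."""

    def __init__(self, detect_anomalies=True, check_session_hijacking=True):
        self.detect_anomalies = detect_anomalies
        self.check_session_hijacking = check_session_hijacking
        self.sessions = {}  # (client_ip, cport, server_ip, sport) -> recorded MACs
        self.alerts = []

    def _lookup(self, p):
        """Return (session, talker) or (None, None) for an untracked packet."""
        sess = self.sessions.get((p.src_ip, p.sport, p.dst_ip, p.dport))
        if sess is not None:
            return sess, "client"
        sess = self.sessions.get((p.dst_ip, p.dport, p.src_ip, p.sport))
        if sess is not None:
            return sess, "server"
        return None, None

    def process(self, p):
        """Feed one packet; return the alert tuple it raised, or None."""
        if p.src_mac is None or p.dst_mac is None:
            return None  # manual: no Ethernet layer, no checks performed
        if p.flags == "S":
            # The SYN fixes which hardware address belongs to each side.
            self.sessions[(p.src_ip, p.sport, p.dst_ip, p.dport)] = {
                "client_mac": p.src_mac, "server_mac": p.dst_mac}
            return None
        sess, talker = self._lookup(p)
        if sess is None:
            return None  # midstream pickup: no handshake MACs to compare against
        if not (self.detect_anomalies and self.check_session_hijacking):
            return None  # alerts only fire when both options are on
        if talker == "client":
            client_seen, server_seen = p.src_mac, p.dst_mac
        else:
            client_seen, server_seen = p.dst_mac, p.src_mac
        alert = None
        if client_seen != sess["client_mac"]:
            alert = (GID_STREAM5, SID_HIJACK_CLIENT, sess["client_mac"], client_seen)
        elif server_seen != sess["server_mac"]:
            alert = (GID_STREAM5, SID_HIJACK_SERVER, sess["server_mac"], server_seen)
        if alert is not None:
            self.alerts.append(alert)
        return alert


# Constructed sample addresses for the two scenarios below.
VICTIM_MAC = "00:11:22:aa:aa:aa"
GATEWAY_MAC = "00:11:22:bb:bb:bb"
ATTACKER_MAC = "00:11:22:cc:cc:cc"
VICTIM, SERVER = "10.0.0.5", "203.0.113.10"


def handshake(client_mac, peer_mac):
    """Three-way handshake as seen on the victim's segment."""
    return [
        Packet(client_mac, peer_mac, VICTIM, SERVER, 40000, 80, "S"),
        Packet(peer_mac, client_mac, SERVER, VICTIM, 80, 40000, "SA"),
        Packet(client_mac, peer_mac, VICTIM, SERVER, 40000, 80, "A"),
    ]


def mitm_after_handshake():
    """ARP poisoning starts after the session is up: the peer MAC changes mid-session."""
    pkts = handshake(VICTIM_MAC, GATEWAY_MAC) + [
        Packet(ATTACKER_MAC, VICTIM_MAC, SERVER, VICTIM, 80, 40000, "PA"),  # relayed reply
        Packet(VICTIM_MAC, ATTACKER_MAC, VICTIM, SERVER, 40000, 80, "A"),   # victim now frames to attacker
    ]
    model = Stream5Model()
    return [model.process(p) for p in pkts]


def mitm_before_handshake():
    """ARP poisoning already in place at the SYN: the attacker MAC is what gets recorded."""
    pkts = handshake(VICTIM_MAC, ATTACKER_MAC) + [
        Packet(ATTACKER_MAC, VICTIM_MAC, SERVER, VICTIM, 80, 40000, "PA"),
    ]
    model = Stream5Model()
    return [model.process(p) for p in pkts]


if __name__ == "__main__":
    print("poisoning after handshake:", [a for a in mitm_after_handshake() if a])
    print("poisoning before handshake:", [a for a in mitm_before_handshake() if a])
```

The second scenario is the one to rule out when a test like the one in this thread produces no alert: start the capture, then the TCP session, then the poisoning, so that the handshake MACs and the later frames actually differ from the sensor's point of view.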

On Aug 19, 2014 4:24 PM, "Joel Esler (jesler)" <jesler () cisco com<mailto:jesler () cisco com>> wrote:
Stream5 does not do mac address tracking.


On Aug 19, 2014, at 4:16 AM, Meysam Farazmand <farazmand.meisam () gmail com<mailto:farazmand.meisam () gmail com>> wrote:


Hi Waldo,

Thank you for the reply. Yes, you're right. I am doing a project with Snort and my project manager wants me to test Snort's
session hijacking detection capability. If we assume that the attacker does not use a spoofed MAC address, the similarity between
session hijacking and MITM is that in both, the MAC address of one side changes. So Snort should detect this MAC address
change with stream5. Is it correct?

On Aug 17, 2014 9:27 PM, "waldo kitty" <wkitty42 () windstream net<mailto:wkitty42 () windstream net>> wrote:
On 8/17/2014 5:37 AM, Meysam Farazmand wrote:
Hi all,

I used "check_session_hijacking" in stream5 preprocessor for session hijacking
attacks detection and launched a mitm attack. But snort did not detect it.

session hijacking and mitm are not the same...

session hijacking is where you take over or continue with someone's existing or
previous session...

mitm is where you are in the middle and have valid sessions with both parties
and pass their traffic across while doing what you want with it in the middle...


--
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!