Bugtraq mailing list archives

Re: Verified evasion in Snort

From: mwatchinski () sourcefire com
Date: 1 Feb 2006 21:22:01 -0000

This and other target base fragmentation evasions are the reason we re-wrote the fragmentation engine in Snort.

If you look at Judy Novak's Frag3 Development paper, Snort's latest fragmentation engine (frag3) supports target-based 
fragmentation policies for overlaps, ttl evasions, and timeouts. This can be configured on a per IP basis to allow 
exact emulation of how the end host handles fragmentation reassembly.

Here is a sample configuration that could be used for frag3. This configuration would handle the evasion outlined in 
the advisory.  This configuration is based on the 5 second timeout used in the PoC code provided.

        preprocessor frag3_engine: policy first \
        bind_to 10.2.1.0/24 \
        timeout 5 \
        detect_anomalies

From our testing, Windows XP actually has a 1 minute timeout for fragments. The actual configuration to handle this 
evasion would be the following:


        preprocessor frag3_engine: policy first \
        bind_to 10.2.1.0/24 \
        timeout 60 \
        detect_anomalies

For the VRT's detailed analysis of the PoC tool and the advisory please see:

http://www.snort.org/rules/docs/vrt/evasion_snort_v233.html


Cheers,
Matthew Watchinski
Director, Vulnerability Research
Sourcefire, Inc.

Current thread:

Re: Verified evasion in Snort Thierry Zoller (Feb 01)
- <Possible follow-ups>
- Re: Verified evasion in Snort mwatchinski (Feb 01)
- Re: Re: Verified evasion in Snort anonpoet (Feb 02)
  - Re: Re: Verified evasion in Snort Dave Korn (Feb 03)