Dailydave mailing list archives
Re: The Hydrogen hundred dollar challenge
From: "Neil" <ndesai01 () tampabay rr com>
Date: Tue, 12 Apr 2005 20:47:39 -0400
I don't think that it is possible to find Hydrogen with snort.

1. Since the packets that we need to trigger off of are less than or equal to 4 bytes, snort does not look at them. See your email thread with Marty for more info: http://archives.neohapsis.com/archives/sf/ids/2005-q1/0074.html. Even though this is not MSRPC fragmentation I think that the guidelines still apply.

2. Since Hydrogen does not use a static port we can't add it to the stream4 preprocessor without a severe impact to performance in a production environment. Currently only the most used ports ("default" will turn on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111 and 513) are handled by stream4. If you used a static port then you could add it to stream4 and have your way with it.

Just for kicks why don't you use a random size in the initial packets and have the valuable info somewhere in there. It would make it just a bit harder to detect.

Neil

----- Original Message -----
From: "Dave Aitel" <dave () immunitysec com>
To: "Brian" <bmc () snort org>
Cc: "dailydave" <dailydave () lists immunitysec com>
Sent: Tuesday, April 12, 2005 12:01 PM
Subject: Re: [Dailydave] The Hydrogen hundred dollar challenge
Brian wrote:

> On Mon, Apr 11, 2005 at 11:49:15PM -0400, Dave Aitel wrote:
>
> > Anyways, I will give $100 dollars to the first person who posts a snort or nfr signature that can detect my private (slightly modded) version of Hydrogen. (i.e. make it reasonably generic, and let's not have it false-positive every time I browse the web). The idea here is to show that everything doesn't have to be spoon-fed to you Gerber-style.
>
> Does my 30 second grep of your code get me a beer?
>
> On a valid tcp session:
> if (first packet from client 4 bytes in length, store that as A)
> and if (next packet from client, A bytes in length)
> and if (first packet from server, 4 bytes in length, store that as B)
> and if (next packet from server, B bytes in length)
> Say "Hi dave!"
>
> Brian

If you can cut that into a snort sig that I can test then I'd certainly pony up one 100 dollar beer :>. There might be a lot of protocols that do this sort of thing - like BO2K, H doesn't have a default port. Also, TCP isn't packet based...so I'd want to test to make sure Hydrogen really does send packets that big all at once. I usually assume a 512 MTU, since that's what I use when I'm hacking. :>

-0dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
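Brian's length-prefix heuristic, and Dave's objection that TCP is not packet based, worked through as an added example. This is not code from the thread, from Snort, or from Hydrogen: it is a small Python detector that applies the "4-byte length, then that many bytes" rule in both directions of a session, once on segment boundaries (Brian's literal rule) and once on the reassembled byte stream of each direction (which is what stream4 would have to provide). The thread does not say how the 4 bytes encode the length, so both byte orders are tried, and an upper bound of 65535 on the announced length is an assumption added here to keep ordinary text protocols from matching. The three sessions at the bottom are constructed for illustration.

```python
"""Length-prefix handshake detector (added example; sessions are constructed)."""
import struct
from typing import Dict, List, Optional, Tuple

# A session is a list of (direction, payload) in wire order.
# direction is "client" or "server"; payload is one TCP segment's data.
Segment = Tuple[str, bytes]

# Assumed sanity bound on the announced length; not something the thread states.
MAX_FRAME = 65535


def decode_len(prefix: bytes) -> List[int]:
    """Lengths a 4-byte prefix could announce (big- and little-endian tried,
    since the thread does not specify the encoding)."""
    if len(prefix) != 4:
        return []
    return [struct.unpack(">I", prefix)[0], struct.unpack("<I", prefix)[0]]


def packet_rule(segments: List[Segment]) -> bool:
    """Brian's rule as written: per direction, first segment is exactly 4 bytes
    (store as A/B), second segment is exactly that many bytes."""
    for side in ("client", "server"):
        pkts = [p for d, p in segments if d == side]
        if len(pkts) < 2 or len(pkts[0]) != 4:
            return False
        if len(pkts[1]) not in decode_len(pkts[0]):
            return False
    return True


def stream_rule(segments: List[Segment]) -> bool:
    """The same heuristic on the reassembled stream of each direction.

    Dave's point: the 4-byte header and the body may share one segment or be
    split arbitrarily, so segment sizes are unreliable. Reassembling first makes
    the check independent of segmentation; the MAX_FRAME bound rejects text
    protocols such as HTTP, whose first four bytes decode to huge numbers."""
    streams: Dict[str, bytes] = {"client": b"", "server": b""}
    for direction, payload in segments:
        streams[direction] += payload
    for data in streams.values():
        if len(data) < 4:
            return False
        candidates = [n for n in decode_len(data[:4]) if 1 <= n <= MAX_FRAME]
        if not any(len(data) >= 4 + n for n in candidates):
            return False
    return True


def classify(segments: List[Segment]) -> Dict[str, bool]:
    """Run both rules so the two results can be compared side by side."""
    return {"packet_rule": packet_rule(segments), "stream_rule": stream_rule(segments)}


# Constructed sessions (not captured traffic).
# 1. Header and body sent as separate segments: both rules fire.
SESSION_HANDSHAKE: List[Segment] = [
    ("client", b"\x00\x00\x00\x05"), ("client", b"hello"),
    ("server", b"\x00\x00\x00\x03"), ("server", b"ack"),
]
# 2. Same bytes, header and body coalesced into one segment per direction:
#    the segment-based rule misses it, the stream-based rule still fires.
SESSION_COALESCED: List[Segment] = [
    ("client", b"\x00\x00\x00\x05hello"),
    ("server", b"\x00\x00\x00\x03ack"),
]
# 3. Plain HTTP exchange: neither rule fires (no false positive on web browsing).
SESSION_HTTP: List[Segment] = [
    ("client", b"GET / HTTP/1.0\r\n\r\n"),
    ("server", b"HTTP/1.0 200 OK\r\n\r\nhi"),
]

if __name__ == "__main__":
    for name, sess in (("handshake", SESSION_HANDSHAKE),
                       ("coalesced", SESSION_COALESCED),
                       ("http", SESSION_HTTP)):
        print(name, classify(sess))
```

The coalesced session is the case Dave wants tested: if the sender writes header and body with one send() call, or the stack merges them, a signature keyed on segment sizes never sees a 4-byte packet at all, while the reassembled-stream check is unaffected. Neil's two points remain: Snort's default stream4 port list would have to cover the session's port for reassembly to happen, and small segments are not inspected on their own.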
Current thread:
- The Hydrogen hundred dollar challenge Dave Aitel (Apr 11)
- Re: The Hydrogen hundred dollar challenge Brian (Apr 12)
- Re: The Hydrogen hundred dollar challenge Dave Aitel (Apr 12)
- Re: The Hydrogen hundred dollar challenge Neil (Apr 12)
- Re: The Hydrogen hundred dollar challenge Jason (Apr 12)
- Re: The Hydrogen hundred dollar challenge Dave Aitel (Apr 12)
- Re: The Hydrogen hundred dollar challenge Brian (Apr 12)
- <Possible follow-ups>
- Re: The Hydrogen hundred dollar challenge Ron Gula (Apr 14)