Snort mailing list archives

Re: fragroute vs. snort: the tempest in a teacup


From: Ron DuFresne <dufresne () winternet com>
Date: Fri, 19 Apr 2002 07:33:29 -0500 (CDT)

On Fri, 19 Apr 2002, Darren Reed wrote:

> In some mail from Dug Song, sie said:
>
> > > Most firewalls these days (especially Linux and OpenBSD ones)
> > > actually do reassembly inbound.
> >
> > this isn't quite true. most stateful inspection firewalls do "virtual
> > reassembly" for IP fragments, and a few do basic window tracking for
> > TCP connections, but will still allow most fragroute-style attacks
> > through (e.g. duplicate overwriting TCP segments with older TCP
> > timestamp options for PAWS elimination, short TTLs, etc.).
>
> Well then IDS software needs to be smarter.  IMHO it makes little sense
> for an IDS to be *behind* a firewall as it's going to miss out on lots
> of useful data points.  Maybe this means telling your IDS software how
> big your network is so it can make intelligent decisions about how far
> a packet will go based on its TTL.


But, was not this what IDS' were originally designed for: behind-the-
firewall placement to detect what the firewall policies might not be
catching?  And thus a warning/alert being sounded for action?

I see the additional placement of looking inwards as having merit.  To
detect machines that are trojaned and/or viri-infected and trying to scan
other networks or phone home.

Being that the IDS' in present use are like an anti-viri product and
requiring lots of special care and feeding, and thus very reactionary to
signatures and the known common attack vectors, I see they are only useful
at present as policy verifiers, behind the firewall as a last catchall.
Especially in light of comments by others about the 'scrubbing'
characteristics of some firewalls.


Thanks,


Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
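Darren's suggestion above (tell the IDS how far away the protected host is so it can judge a packet by its TTL) as a worked example added here; it is not code from this thread or from Snort. It assumes a hypothetical `hops_to_host` setting giving the number of routers between the sensor and the host, and a first-copy-wins overlap policy; the trace is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes
    ttl: int        # IP TTL as observed at the sensor


def reaches_host(seg: Segment, hops_to_host: int) -> bool:
    """Each router decrements TTL and drops the packet when it reaches 0,
    so a segment needs TTL > hops_to_host at the sensor to arrive (assumption
    about the sensor-to-host path, the 'how big is your network' knob)."""
    return seg.ttl > hops_to_host


def reassemble(segments: List[Segment], hops_to_host: int = 0) -> bytes:
    """Rebuild the stream as the sensor believes the host saw it.
    With hops_to_host=0 every segment is trusted (the naive view); with a
    real hop count, segments that expire before the host are ignored."""
    data: Dict[int, int] = {}
    for seg in segments:
        if not reaches_host(seg, hops_to_host):
            continue
        for i, byte in enumerate(seg.payload):
            data.setdefault(seg.seq + i, byte)   # first copy of a byte wins
    if not data:
        return b""
    lo, hi = min(data), max(data)
    return bytes(data.get(off, 0) for off in range(lo, hi + 1))  # 0 = hole


def short_ttl_segments(segments: List[Segment], hops_to_host: int) -> List[Segment]:
    """Segments that cannot reach the host: worth an alert on their own,
    since legitimate traffic has no reason to die inside the network."""
    return [seg for seg in segments if not reaches_host(seg, hops_to_host)]


# Constructed trace: one overlapping duplicate with a TTL too small to reach
# the host three hops away, so the sensor and the host see different data.
TRACE = [
    Segment(seq=0, payload=b"GET /", ttl=64),
    Segment(seq=5, payload=b"cgi-b", ttl=2),    # expires at router 2
    Segment(seq=5, payload=b"index", ttl=64),   # what the host really gets
    Segment(seq=10, payload=b".html", ttl=64),
]

if __name__ == "__main__":
    print(reassemble(TRACE))                   # naive sensor view
    print(reassemble(TRACE, hops_to_host=3))   # host-accurate view
```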


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

