Snort mailing list archives
Re: fragroute vs. snort: the tempest in a teacup
From: Ron DuFresne <dufresne () winternet com>
Date: Fri, 19 Apr 2002 07:33:29 -0500 (CDT)
On Fri, 19 Apr 2002, Darren Reed wrote:
> In some mail from Dug Song, sie said:
> > > Most firewalls these days (especially Linux and OpenBSD ones) actually do reassembly inbound.
> >
> > this isn't quite true. most stateful inspection firewalls do "virtual reassembly" for IP fragments, and a few do basic window tracking for TCP connections, but will still allow most fragroute-style attacks through (e.g. duplicate overwriting TCP segments with older TCP timestamp options for PAWS elimination, short TTLs, etc.).
>
> Well then IDS software needs to be smarter. IMHO it makes little sense for an IDS to be *behind* a firewall as it's going to miss out on lots of useful data points. Maybe this means telling your IDS software how big your network is so it can make intelligent decisions about how far a packet will go based on its TTL.
But, was not this what IDS' were originally designed for; behind the firewall placement to detect what the firewall policies might not be catching? And as thus a warning/alert being sounded for action?

I see the additional placement of looking inwards as having merit, to detect machines that are trojaned and/or viri infected and trying to scan other networks or phone home. Being that the IDS' in present use are like an anti-viri product and requiring lots of special care and feeding, and thus very reactionary to signatures and the known common attack vectors, I see they are only useful at present as policy verifiers, behind the firewall as a last catchall. Especially in light of comments by others about the 'scrubbing' characteristics of some firewalls.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
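Darren's suggestion above, that an IDS which knows its hop distance to the protected host can ignore short-TTL segments that will never arrive there, as an added example (not code from the thread, from fragroute or from Snort). The hop count of 3, the first-wins overlap policy and the sample segments are constructed assumptions for the demonstration.

```python
"""Rebuild the protected host's view of a TCP stream from segments seen by an
IDS that knows how many router hops separate it from that host (added example;
not code from the thread or from Snort)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL as observed at the IDS
    payload: bytes


def reaches_host(seg: Segment, hops_to_host: int) -> bool:
    """Each router decrements TTL by one and discards the packet at zero, so the
    host only receives a segment whose TTL survives hops_to_host decrements."""
    return seg.ttl - hops_to_host >= 1


def reassemble(segments, isn: int, hops_to_host: int) -> bytes:
    """Drop segments the host will never see, then apply a first-wins policy
    to overlapping bytes (one common host policy; a real IDS must be told the
    target's actual policy). Unfilled gaps are returned as zero bytes."""
    stream = {}
    for seg in sorted(segments, key=lambda s: s.seq):   # stable: arrival order kept
        if not reaches_host(seg, hops_to_host):
            continue                                     # visible to IDS only
        for i, byte in enumerate(seg.payload):
            stream.setdefault(seg.seq + i, byte)         # first-wins on overlap
    if not stream:
        return b""
    end = max(stream) + 1
    return bytes(stream.get(isn + i, 0) for i in range(end - isn))


# Constructed sample: a benign request split into segments, with one overlapping
# short-TTL segment (TTL 2) that dies before reaching a host 3 hops away.
ISN = 1000
SAMPLE = [
    Segment(1000, 64, b"GET "),
    Segment(1004, 2, b"junk"),     # never reaches the host
    Segment(1004, 64, b"/ind"),
    Segment(1008, 63, b"ex.h"),
    Segment(1012, 64, b"tml\n"),
]

if __name__ == "__main__":
    print(reassemble(SAMPLE, ISN, hops_to_host=3))   # host's view
    print(reassemble(SAMPLE, ISN, hops_to_host=0))   # naive IDS view
```

With the hop count configured the IDS reconstructs the same bytes the host sees; with it set to 0 (no topology knowledge) the first-wins policy keeps the short-TTL segment and the two views diverge.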
Current thread:
- fragroute vs. snort: the tempest in a teacup Dragos Ruiu (Apr 17)
- Re: fragroute vs. snort: the tempest in a teacup Dug Song (Apr 18)
- Re: fragroute vs. snort: the tempest in a teacup Darren Reed (Apr 18)
- Re: fragroute vs. snort: the tempest in a teacup Ron DuFresne (Apr 19)
- RE: fragroute vs. snort: the tempest in a teacup Enno Rey (Apr 19)
- Re: fragroute vs. snort: the tempest in a teacup Marco Thorbruegge (Apr 19)
- Re: fragroute vs. snort: the tempest in a teacup Crist J. Clark (Apr 20)
- Re: fragroute vs. snort: the tempest in a teacup Francis Cianfrocca (Apr 18)
- Re: Re: fragroute vs. snort: the tempest in a teacup Jason Haar (Apr 18)
- Re: fragroute vs. snort: the tempest in a teacup Darren Reed (Apr 18)
- <Possible follow-ups>
- Re: fragroute vs. snort: the tempest in a teacup Brad Powell (Apr 19)
- Re: fragroute vs. snort: the tempest in a teacup Steven M. Bellovin (Apr 19)
- RE: fragroute vs. snort: the tempest in a teacup Craig, Scott (Apr 25)
- RE: fragroute vs. snort: the tempest in a teacup Ron DuFresne (Apr 25)
- Re: fragroute vs. snort: the tempest in a teacup Dug Song (Apr 18)