Snort mailing list archives

Re: fragroute related fixes need testing on real networks


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 22 Apr 2002 22:51:01 -0400

Hey Chris,
    Since I sit ~10 feet from you these days it'd probably be more efficient
for me to just wait to talk about this until work tomorrow, but since I'm
home and I actually have this in front of me, I guess I'll share with the
group.

[snip]

4. older IP fragment duplicates (snort's IP fragment reassembly seems
   to always favor newer data, even for properly sequenced received
   data):

ip_frag 8
ip_chaff dup
order random


Alert on frags with option data and suck them all away.

Philosophical question:  Should we ignore frags we didn't see the
first fragment of?

Do you mean first frag first or frags that we never get the first one for?
They can come in out of order, so you should collect them until you hit a
flush condition, timeout, completion or flush due to memory faults induced
by memcap.  If we don't see the first frag the transport layer header will
be assembled incorrectly, so we should either flush them altogether (i.e.
drop them) or log them to the logging facility as a bad packet.  My opinion.
:)

6. either TCP or IP chaffing with short TTLs (that expire before
   reaching the end host, but pass by the monitor):

ip_frag 8
ip_ttl 11
ip_chaff 10
order random

tcp_seg 1
ip_ttl 11
tcp_chaff 10
order random


TCP stream stuff already had the min_ttl option to detect this attack
so that it will throw away anything underneath that.

I added this option to frag2.

Also, there is a ttl_limit option to both.  Basically, this will alert
on anything that is different by more than a certain limit.

I'd probably call this "ttl_delta" or something, but that's just me.

Thanks for your hard work on this one Chris!

     -Marty

-- 
Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
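As an added illustration (not code from this thread or from Snort's frag2/stream code), a toy fragment reassembler that shows the three behaviours the mail discusses: data seen first wins over later duplicates (with a switch to reproduce the old favor-newer behaviour), a min_ttl floor discards chaff that would expire before the end host, and a ttl_limit alerts when a fragment's TTL strays from the first one seen; a datagram whose first fragment never arrives is dropped. The option names mirror the mail, but their semantics here, the 8-byte fragments and the TTL values are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Frag:
    ttl: int       # IP TTL as observed by the sensor
    offset: int    # byte offset into the original datagram
    data: bytes
    more: bool     # MF flag: False only on the last fragment

@dataclass
class Reassembler:
    min_ttl: int = 0         # assumed meaning of frag2 min_ttl: frags below it are discarded
    ttl_limit: int = 5       # assumed meaning of ttl_limit: alert if TTL strays this far from the first frag
    favor_new: bool = False  # True reproduces the old "newer data wins" behaviour the mail complains about
    alerts: list = field(default_factory=list)

    def reassemble(self, frags):
        """Return the reassembled payload, or None if the datagram must be dropped."""
        buf, base_ttl, total = {}, None, None
        for f in frags:
            if f.ttl < self.min_ttl:
                self.alerts.append(f"chaff: TTL {f.ttl} < min_ttl at offset {f.offset}, discarded")
                continue
            if base_ttl is None:
                base_ttl = f.ttl
            elif abs(f.ttl - base_ttl) > self.ttl_limit:
                self.alerts.append(f"ttl delta {abs(f.ttl - base_ttl)} > {self.ttl_limit} at offset {f.offset}")
            for i, b in enumerate(f.data):
                if self.favor_new or f.offset + i not in buf:
                    buf[f.offset + i] = b      # default policy: the byte seen first is kept
            if not f.more:
                total = f.offset + len(f.data)
        if total is None or any(i not in buf for i in range(total)):
            self.alerts.append("incomplete datagram (missing first/last frag or hole), dropped")
            return None
        return bytes(buf[i] for i in range(total))

# Constructed sample: 8-byte fragments of one payload (TTL 64) interleaved, out of
# order, with chaff duplicates at the same offsets (TTL 11) that expire before the host.
REAL, CHAFF = 64, 11
FRAGS = [
    Frag(CHAFF, 8, b"YYYYYYYY", True),
    Frag(REAL, 0, b"GET /ind", True),
    Frag(CHAFF, 0, b"XXXXXXXX", True),
    Frag(REAL, 16, b"\n", False),
    Frag(REAL, 8, b"ex.html\r", True),
]

if __name__ == "__main__":
    for cfg in ({"favor_new": True}, {}, {"min_ttl": 20}):
        r = Reassembler(**cfg); print(cfg, r.reassemble(FRAGS), r.alerts)
```

With no TTL floor the sensor still keeps whichever duplicate arrived first, so chaff that arrives early poisons the stream even under the fixed policy; only min_ttl removes it, while ttl_limit at least raises alerts for the mismatch.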

