
RE: Active response... some thoughts.

From: Abe L. Getchell <abegetchell(at)qx.net>
Date: Tue Jan 21 2003 - 14:02:50 EST


Greetings all,

I came up with this patch for Snort (version 1.9.0) that will generate a random TTL (not below 64) for both TCP resets and ICMP error messages sent to clients by FlexResp when it sees a packet it has been told to respond to. The TTL is randomized every time Snort is started during the process of precaching the spoofed packets. The randomization is done at this phase to minimize the amount of overhead put on the sensor and so that wildly randomized TTLs in each TCP reset and ICMP error message packet don't become a signature that you're using Snort as an IDS. I submitted this to the snort-devel list; hopefully it will be merged into the code-base. Use at your own risk... let me know if you have any questions!

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell@qx.net

Received on Thu Jan 23 12:17:57 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:05 EDT

