Problems with Snort-1.9.1
From: Toby Miller <toby_miller(at)adelphia.net>
Date: Thu Mar 27 2003 - 21:23:57 EST
Problem: Snort-1.9.1 using a default snort.conf configuration does not detect certain crafted packets.

Details: Snort-1.9.1 does not detect packets when the SYN, FIN and ECN echo bits are set. The following is an example of a packet:

12:37:12.386797 10.1.1.6.18250 > 10.1.1.2.21536: SFE [tcp sum ok]
1178601305:1178601305(0) win 512 (ttl 104, id 5100, len 40)
0x0000 4500 0028 13ec 0000 6806 28db 0a01 0106 E..(....h.(.....
0x0020 5043 0200 1735 0000 PC...5..

Testing: In order to set this I used hping2 and the following switches:

hping2 -t 104 -N -W -s 18245 -p 21536 -S -F -X 'IP Address'

When performing this test I found that Snort would detect a SYN,FIN packet provided that the ECN echo bit was not set in the same packet.

Problem: With the detect_scan option set in the stream4 preprocessor Snort would not detect these packets.

Impact: Snort will not catch certain scans or attacks using these TCP/IP flags.
Solution: Upgrade to Snort-2.0.0rc1
I would like to thank Chris Green of Snort for responding quickly to this problem.

Thanks,
Toby

-----BEGIN PGP SIGNATURE-----
iQA/AwUBPoOyN1LhpjRJgUE5EQLpnwCfeFHKjr+mnaJimDIbUhsubZVhC8kAn3yS
vtkxLftXgxGeGHfJk0/sVoTl
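The detection gap described in the post comes down to how a TCP flag test treats the two ECN bits. As an added example (not part of Toby's report and not Snort's own code), the block below parses the flags byte out of the packet quoted in the report and evaluates it against Snort-style `flags:` rule options, modelled on Snort's documented semantics: no modifier means an exact match, `+` means the listed bits plus any others, `*` means any of the listed bits, `!` means none of them, and a trailing `,12` ignores the two reserved (ECN) bits. The 0x0010 hex row is not on the page; it is reconstructed here from the tcpdump summary line (destination 10.1.1.2, ports 18250 and 21536, sequence 1178601305, ack 0) and labelled as such.

```python
"""Snort-style 'flags:' matching against the SYN/FIN/ECE packet from the report."""

# TCP flag bits (RFC 793 plus the two ECN bits from RFC 3168). Snort's rule
# language names the ECN bits '1' (CWR, the MSB) and '2' (ECE); later
# versions also accept 'C' and 'E'.
TCP_FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80,
    "2": 0x40, "1": 0x80,
}

# Constructed 40-byte IPv4+TCP packet reproducing the tcpdump output quoted in
# the report (10.1.1.6:18250 -> 10.1.1.2:21536, flags SFE, win 512, ttl 104,
# id 5100). Rows 0x0000 and 0x0020 are the hex rows from the report; the
# 0x0010 row is reconstructed from the summary line (assumption).
SFE_PACKET = bytes.fromhex(
    "4500 0028 13ec 0000 6806 28db 0a01 0106"   # IP header: len 40, id 5100, ttl 104, proto 6, src
    "0a01 0102 474a 5420 4640 0759 0000 0000"   # dst 10.1.1.2, sport 18250, dport 21536, seq, ack (reconstructed)
    "5043 0200 1735 0000"                       # data offset 5, flags 0x43, win 512, cksum, urg
)


def tcp_flags(packet: bytes) -> int:
    """Return the TCP flags byte of an IPv4/TCP packet, honouring the IHL field."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    return packet[ihl + 13]


def flags_to_str(flags: int) -> str:
    """Render a flags byte in tcpdump's letter order (the report shows 'SFE')."""
    order = (("S", 0x02), ("F", 0x01), ("R", 0x04), ("P", 0x08),
             ("U", 0x20), ("E", 0x40), ("C", 0x80))
    return "".join(name for name, bit in order if flags & bit) or "."


def parse_flags_option(spec: str):
    """Split a 'flags:' argument into (modifier, wanted bits, ignored bits)."""
    spec = spec.strip()
    ignore = 0
    if "," in spec:                     # e.g. 'SF,12' ignores the reserved bits
        spec, ignore_part = spec.split(",", 1)
        for ch in ignore_part.strip():
            ignore |= TCP_FLAG_BITS[ch]
    modifier = ""
    if spec.startswith("!"):
        modifier, spec = "!", spec[1:]
    elif spec and spec[-1] in "+*":
        modifier, spec = spec[-1], spec[:-1]
    want = 0
    for ch in spec:
        if ch != "0":                   # '0' means "no flags set"
            want |= TCP_FLAG_BITS[ch]
    return modifier, want, ignore


def flags_match(spec: str, flags: int) -> bool:
    """Evaluate one Snort-style flags option against a packet's flags byte."""
    modifier, want, ignore = parse_flags_option(spec)
    seen = flags & ~ignore & 0xFF
    if modifier == "+":
        return seen & want == want      # listed bits plus anything else
    if modifier == "*":
        return seen & want != 0         # any of the listed bits
    if modifier == "!":
        return seen & want == 0         # none of the listed bits
    return seen == want                 # exact match


def evaluate(packet: bytes) -> dict:
    """Show which rule forms would fire on the packet; a plain 'SF' does not."""
    flags = tcp_flags(packet)
    return {spec: flags_match(spec, flags) for spec in ("SF", "SF+", "SF,12", "!SF")}


if __name__ == "__main__":
    f = tcp_flags(SFE_PACKET)
    print(f"flags byte 0x{f:02x} = {flags_to_str(f)}")
    for spec, hit in evaluate(SFE_PACKET).items():
        print(f"flags:{spec:<6} -> {'match' if hit else 'no match'}")
```

Running it prints the flags byte as 0x43 (SFE) and shows that an exact `flags:SF` test misses the packet while `flags:SF,12` and `flags:SF+` catch it, which is why a scan signature that expects "just SYN and FIN" needs to mask or tolerate the ECN bits.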
Received on Fri Mar 28 12:07:23 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:10 EDT