[Snort-devel] Checksums

Christopher Cramer cec at ...56...
Wed Oct 25 15:03:42 EDT 2000


I've been thinking about insertion attacks recently, and it seems to me
that a lot of snort is, or through defrag and tcp_stream will be, subject
to a variety of insertion attacks.  Many of these are due to a lack of
checksum testing in the decode engine.

For the tcp stream reassembly code, I was about to add in some checksum
tests (both the IP and the TCP checksum tests) before I incorporated the
packet data in the tcp stream.  It occurred to me that it might be better
if we handled checksums in the decode engine.

While I don't think we should necessarily drop packets with bad checksums,
I think a set of flags that say which checksums succeeded and which
failed would be a helpful addition.  This does mean that Dragos's defrag
and my tcp_stream preprocessors should probably compute the correct
checksum before sending our faked packets, but that's not too hard.

If this sounds reasonable, I can go ahead and begin the implementation.


Dr. Christopher E. Cramer
Assistant Research Professor
Duke University, Department of Electrical and Computer Engineering
114 Hudson Hall, Box 90291, Durham, NC  27708-0291
PH:  919-660-5248     FAX:  919-660-5293     email:  cec at ...56...
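As an added example (not code from the post or from Snort), the decoder-side check the post proposes: verify the IPv4 header checksum and the TCP checksum (pseudo-header included) and record the outcome as per-packet flags instead of dropping the packet. The flag names and the 44-byte packet are constructed for this example; scenario_flags() also shows a preprocessor filling in correct checksums before handing a packet on, then what the flags look like when the payload or the TTL is altered.

```c
#include <stdint.h>
#include <stddef.h>

/* Per-packet flag bits a decoder could set, as the post proposes (assumed names). */
enum { CSUM_IP_OK = 1, CSUM_IP_BAD = 2, CSUM_TCP_OK = 4, CSUM_TCP_BAD = 8 };

/* RFC 1071 one's-complement checksum of len bytes, starting from acc (used for the
   TCP pseudo-header). A region that includes its own valid checksum field sums to 0. */
static uint16_t csum16(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2) acc += (uint32_t)(p[0] << 8 | p[1]);
    if (len) acc += (uint32_t)(p[0] << 8);            /* odd trailing byte, zero padded */
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* TCP checksum: pseudo-header (src, dst, zero/protocol, TCP length) plus the segment. */
static uint16_t tcp_csum(const uint8_t *ip, size_t ihl, size_t tcplen)
{
    uint32_t acc = 6 + (uint32_t)tcplen;              /* protocol 6 and TCP length words */
    for (int i = 12; i < 20; i += 2) acc += (uint32_t)(ip[i] << 8 | ip[i + 1]);
    return csum16(ip + ihl, tcplen, acc);
}

/* Verify both checksums of an IPv4/TCP packet and return the flag bits. */
int checksum_flags(const uint8_t *pkt, size_t len)
{
    int flags = 0;
    if (len < 20) return flags;
    size_t ihl = (pkt[0] & 0x0f) * 4, tot = (size_t)(pkt[2] << 8 | pkt[3]);
    if (ihl < 20 || tot < ihl || tot > len) return flags;   /* malformed lengths: no verdict */
    flags |= csum16(pkt, ihl, 0) == 0 ? CSUM_IP_OK : CSUM_IP_BAD;
    if (pkt[9] == 6 && tot - ihl >= 20)
        flags |= tcp_csum(pkt, ihl, tot - ihl) == 0 ? CSUM_TCP_OK : CSUM_TCP_BAD;
    return flags;
}

/* Constructed 44-byte IPv4/TCP packet, checksums filled in as a preprocessor emitting a
   reassembled packet would; scenario 1 then alters a payload byte, scenario 2 the TTL. */
int scenario_flags(int scenario)
{
    uint8_t pkt[44] = { 0x45, 0, 0, 44, 0, 1, 0x40, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2,
                        0x30, 0x39, 0, 80, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x18, 0xff, 0xff, 0, 0, 0, 0,
                        'p', 'i', 'n', 'g' };
    uint16_t c = csum16(pkt, 20, 0);  pkt[10] = c >> 8; pkt[11] = c & 0xff;
    c = tcp_csum(pkt, 20, 24);        pkt[36] = c >> 8; pkt[37] = c & 0xff;
    if (scenario == 1) pkt[40] ^= 0x01;               /* payload change: only TCP sum breaks */
    if (scenario == 2) pkt[8] = 1;                    /* TTL change: only IP header sum breaks */
    return checksum_flags(pkt, sizeof pkt);
}
```

A reassembly preprocessor would consult these flags before merging data into a stream, so a segment that the end host would discard for a bad checksum does not end up in the reassembled view.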
