[Snort-devel] IDS fingerprinting techniques & Snort's FlexResponse...

agetchel at ...358...
Thu Aug 23 17:12:21 EDT 2001


	LOL!  Ok, let me try and hit every box on the Internet and see who's
seventeen hops away from me... that should narrow it down. =)  Seriously
though, I know there's a big difference between knowing where the IDS is
placed and what software it's running, as I did address them as separate
issues in my original e-mail to the list.  The problem is, with Snort
setting the TTL of flexresp packets to sixty-four every time it sends one
out, it gives an intruder information back about where the IDS is
located (remember, he's targeting one specific network and probably has it
mapped out pretty well) and what software it's running.  With flexresp
packets always having a TTL of sixty-four, it becomes a signature of Snort!

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020 ext. 225
E-mail  agetchel at ...358...
Web     http://www.kde.state.ky.us/


> -----Original Message-----
> From: Dragos Ruiu [mailto:dr at ...40...]
> Sent: Thursday, August 23, 2001 9:13 AM
> To: agetchel at ...358...
> Cc: tlewis at ...255...; snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] IDS fingerprinting techniques & Snort's FlexResponse...
> 
> 
> On Wed, 22 Aug 2001 23:06:15 -0400
> agetchel at ...358... wrote:
> > 	You don't think it's a big deal if an intruder knows where your IDS
> > is placed and what software it's running?  Just because a technique hasn't
> > been used to break into a network, doesn't mean it's theoretical.  I've
> > _done_ this in a lab environment to make sure I wasn't talking out of my
> > @$$. =)
> 
> There is a big difference between knowing where the IDS is 
> and what OS/sw
> it is running on and knowing the time-to-live of packets to it.
> 
> I'm probably TTL=17 away from you... find me...  :-)
> 
> cheers,
> --dr
> 

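The point Abe makes above (a forged reset that always leaves the sensor with TTL 64 looks nothing like the host it impersonates) can be checked and fixed by the sensor's operator. The following Python is an added example, not code from Snort or from anyone in this thread. It works on constructed packet records (source, destination, TCP flags, TTL as seen on the wire at the sensor); the `audit_resets` check and the `mimic_ttl` strategy (copy the TTL observed on the impersonated host's own packets, so the reset arrives at the peer with the same residual TTL as genuine traffic) are the author's suggestions for the defender, not a description of how flexresp is implemented.

```python
"""Self-audit of forged TCP resets: does a fixed TTL give the sensor away?

All packet records below are constructed for illustration (RFC 5737 / RFC 1918
addresses), not real captures.  Each record is what a sensor would see on the
wire: (src, dst, tcp_flags, ttl).
"""
from typing import Dict, List, NamedTuple, Optional, Tuple


class Pkt(NamedTuple):
    src: str
    dst: str
    flags: str   # TCP flag letters, e.g. "S", "SA", "PA", "R", "RA"
    ttl: int     # residual IP TTL observed at the sensor


# The constant the thread describes flexresp using on every reset it sends.
FIXED_RESET_TTL = 64


def _baseline_ttls(packets: List[Pkt]) -> Dict[str, int]:
    """TTL of the first non-RST packet seen from each source address.

    Along a stable path the residual TTL of a given host is constant, so
    this one value is a reasonable baseline for that host's genuine traffic.
    """
    baseline: Dict[str, int] = {}
    for p in packets:
        if "R" not in p.flags and p.src not in baseline:
            baseline[p.src] = p.ttl
    return baseline


def audit_resets(packets: List[Pkt]) -> List[Tuple[str, str, int, int]]:
    """Flag RST packets whose TTL does not match the claimed source's baseline.

    Returns (src, dst, rst_ttl, baseline_ttl) per mismatch.  A mismatch means
    the reset is attributable to a device other than the host it claims to be,
    which is exactly the fingerprint the thread is worried about.
    """
    baseline = _baseline_ttls(packets)
    findings = []
    for p in packets:
        if "R" in p.flags:
            b = baseline.get(p.src)
            if b is not None and b != p.ttl:
                findings.append((p.src, p.dst, p.ttl, b))
    return findings


def mimic_ttl(packets: List[Pkt], impersonated: str,
              default: int = FIXED_RESET_TTL) -> int:
    """TTL a sensor should put on a reset it sends as `impersonated`.

    Hypothetical mitigation (not flexresp's behaviour): copy the residual TTL
    the sensor observed on the impersonated host's own packets.  Every hop
    between sensor and peer decrements both by the same amount, so the forged
    reset arrives at the peer with the same TTL as genuine traffic from that
    host.  Falls back to `default` if that host has not been seen yet.
    """
    ttl: Optional[int] = _baseline_ttls(packets).get(impersonated)
    return default if ttl is None else ttl


def forge_reset(packets: List[Pkt], src: str, dst: str) -> Pkt:
    """Build the reset record the sensor would emit for a flow src->dst."""
    return Pkt(src, dst, "R", mimic_ttl(packets, src))


# Constructed flow: client 10.0.0.5 is 3 hops from the sensor (TTL 64 -> 61),
# server 192.0.2.10 is 14 hops away (TTL 64 -> 50).
BASE_FLOW: List[Pkt] = [
    Pkt("10.0.0.5", "192.0.2.10", "S", 61),
    Pkt("192.0.2.10", "10.0.0.5", "SA", 50),
    Pkt("10.0.0.5", "192.0.2.10", "A", 61),
    Pkt("10.0.0.5", "192.0.2.10", "PA", 61),
]

# Sensor tears the session down with a fixed-TTL reset in each direction.
SAMPLE_FIXED_TTL: List[Pkt] = BASE_FLOW + [
    Pkt("192.0.2.10", "10.0.0.5", "R", FIXED_RESET_TTL),
    Pkt("10.0.0.5", "192.0.2.10", "R", FIXED_RESET_TTL),
]


def hardened_sample() -> List[Pkt]:
    """Same teardown, but each reset copies the impersonated host's TTL."""
    return BASE_FLOW + [
        forge_reset(BASE_FLOW, "192.0.2.10", "10.0.0.5"),
        forge_reset(BASE_FLOW, "10.0.0.5", "192.0.2.10"),
    ]


if __name__ == "__main__":
    for f in audit_resets(SAMPLE_FIXED_TTL):
        print("fixed-TTL reset stands out: src=%s dst=%s rst_ttl=%d host_ttl=%d" % f)
    print("mismatches after mimicking host TTL:", audit_resets(hardened_sample()))
```

Run as a script it reports both fixed-TTL resets (TTL 64 against baselines of 50 and 61) and an empty list for the hardened variant. The caveat a practitioner should keep in mind: TTL is only one field. A reset whose IP ID, window size or option layout also differs from the host's own packets is still distinguishable, so the audit is worth extending to those fields on real captures.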