[Snort-devel] IDS fingerprinting techniques & Snort's FlexResponse...

Smith, Donald Donald.Smith at ...530...
Thu Aug 23 17:36:32 EDT 2001


So what you really need is the "correct" TTL that the host would have
responded with if the host had responded, right?
But depending on the target's OS that will start with 255, 128 or 64
(maybe some other values but those are the common ones).
So fool them into thinking the whole network by using 128 instead of
64 ;-)
Does a reset coming from 128 become a sig for Snort? Maybe, but it is
also the sig for several other common OSes.
It's simple, easy and unless your attacker has already mapped your
network then he/she won't know it came from your IDS.

To make things just a little more difficult, put it in the configure
file to ask if they want 64, 128, 255 or some other number to be used
as the TTL in flexresp. That way if my internal network is 3 hops
away from my IDS I could choose 125 as a starting TTL!
Further, if different people used different numbers it would be less
of a signature.

Donald.Smith at ...530... IP Engineering Security
303-226-9939/0688 Office/Fax
720-320-1537 cell

> -----Original Message-----
> From: agetchel at ...358... [mailto:agetchel at ...358...]
> Sent: Thursday, August 23, 2001 3:12 PM
> To: dr at ...40...
> Cc: tlewis at ...255...; snort-devel at lists.sourceforge.net
> Subject: RE: [Snort-devel] IDS fingerprinting techniques & Snort's
> FlexResponse...
> 
> 
> 	LOL!  Ok, let me try and hit every box on the Internet and see who's
> seventeen hops away from me... that should narrow it down. =)  Seriously
> though, I know there's a big difference between knowing where the IDS is
> placed and what software it's running, as I did address them as separate
> issues in my original e-mail to the list.  The problem is, with Snort
> setting the TTL of flexresp packets to sixty-four every time it sends one
> out, it gives an intruder information back about where the IDS is
> located (remember, he's targeting one specific network and probably has it
> mapped out pretty well) and what software it's running.  With flexresp
> packets always having a TTL of sixty-four, it becomes a signature of Snort!
> 
> Thanks,
> Abe
> 
> Abe L. Getchell - Security Engineer
> Division of System Support Services
> Kentucky Department of Education
> Voice   502-564-2020 ext. 225
> E-mail  agetchel at ...358...
> Web     http://www.kde.state.ky.us/
> 
> 
> > -----Original Message-----
> > From: Dragos Ruiu [mailto:dr at ...40...]
> > Sent: Thursday, August 23, 2001 9:13 AM
> > To: agetchel at ...358...
> > Cc: tlewis at ...255...; snort-devel at lists.sourceforge.net
> > Subject: Re: [Snort-devel] IDS fingerprinting techniques &
> > Snort's FlexResponse...
> > 
> > 
> > On Wed, 22 Aug 2001 23:06:15 -0400
> > agetchel at ...358... wrote:
> > > 	You don't think it's a big deal if an intruder knows where your IDS
> > > is placed and what software it's running?  Just because a technique hasn't
> > > been used to break into a network, doesn't mean it's theoretical.  I've
> > > _done_ this in a lab environment to make sure I wasn't talking out of my
> > > @$$. =)
> > 
> > There is a big difference between knowing where the IDS is and what OS/sw
> > it is running on and knowing the time-to-live of packets to it.
> > 
> > I'm probably TTL=17 away from you... find me...  :-)
> > 
> > cheers,
> > --dr
> > 
> 

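The fixed-TTL fingerprint the thread argues about can be checked from a defender's own packet capture. The following is an added example, not Snort code and not from anyone in this thread: hosts reply with an initial TTL of 64, 128 or 255 minus the hop distance, so a RST whose inferred hop distance disagrees with the same host's other replies was injected by something else, and the "base minus hops" rule suggested above gives the TTL a sensor should stamp instead. The packet records and addresses are constructed sample data.

```python
"""Defender-side check for the fixed-TTL fingerprint discussed in the thread.

Added example, not Snort code. All packet records and addresses below are
constructed sample data, with TTLs as seen from one capture point.
"""
from collections import defaultdict

COMMON_INITIAL_TTLS = (64, 128, 255)  # the usual OS defaults named in the thread


def infer_initial_ttl(observed_ttl):
    """Smallest common initial TTL the observed value could have started from."""
    for base in COMMON_INITIAL_TTLS:
        if observed_ttl <= base:
            return base
    raise ValueError("TTL above 255 is not a valid IPv4 value")


def hop_distance(observed_ttl):
    """Hops travelled, assuming the sender used one of the common initial TTLs."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def find_ttl_inconsistencies(packets):
    """Flag sources whose RSTs show a hop distance their other replies never do.
    Returns {src: (sorted normal hop distances, sorted RST hop distances)}.
    Sources with RSTs but no baseline traffic cannot be judged and are skipped."""
    normal, rsts = defaultdict(set), defaultdict(set)
    for pkt in packets:
        bucket = rsts if pkt["flags"] == "R" else normal
        bucket[pkt["src"]].add(hop_distance(pkt["ttl"]))
    return {src: (sorted(normal[src]), sorted(hops))
            for src, hops in rsts.items()
            if src in normal and not hops <= normal[src]}


def response_ttl(base_ttl, hops_sensor_to_host):
    """TTL a sensor should stamp on a forged RST so it matches what the real
    host's reply would carry as it passed the sensor (128 and 3 hops -> 125)."""
    return base_ttl - hops_sensor_to_host


SAMPLE_PACKETS = [  # constructed capture
    {"src": "192.0.2.10", "flags": "SA", "ttl": 125},  # Windows-style host, 3 hops
    {"src": "192.0.2.10", "flags": "PA", "ttl": 125},
    {"src": "192.0.2.10", "flags": "R", "ttl": 64},    # forged RST, always TTL 64
    {"src": "192.0.2.20", "flags": "SA", "ttl": 61},   # Linux-style host, 3 hops
    {"src": "192.0.2.20", "flags": "R", "ttl": 61},    # that host's own RST
    {"src": "192.0.2.30", "flags": "R", "ttl": 64},    # no baseline: not judged
]
```

Run against `SAMPLE_PACKETS`, only 192.0.2.10 is flagged (its replies are 3 hops out, its RST 0), while the Linux-style host's own RST passes; a sensor 3 hops in front of that Windows-style host would stamp `response_ttl(128, 3)`, i.e. 125, to blend in.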