[Snort-devel] IDS fingerprinting techniques & Snort's FlexResponse...

Burak DAYIOGLU dayioglu at ...287...
Fri Aug 24 01:50:42 EDT 2001


"Smith, Donald" wrote:
> Does a reset coming from 128 become a sig for snort?

I guess we have started to miss the point.

I'm an attacker going towards Donald's network. I start
a TCP session with some host on his net. I note that
the operating system of the host that I am playing with
is Win2000 (And thus the initial TTL of that host should
be 128). Assuming I am 10 hops away from my target, the
TTLs on the packets I receive from Donald's super secure
host are 118.

Then, I craft the attack and voila a RST comes in with
a TTL of 54. Guess what? An IDS...

So, the best way is not to send a RST with a random TTL
but to send with a TTL of the victim host if a packet
is going to be sent to the attacker.

If Donald implements such a feature in his IDS, I wouldn't
be able to find out that there is an IDS in his network
by looking at the TTLs. However, still, an intruder may
examine other fields of the RST packet to differentiate
its characteristics from the packets of the victim.

I hope the issue is clearer now.

thank you.
-- 
Burak DAYIOGLU
Phone: +90 312 2103379   Fax: +90 312 2103333
       http://www.dayioglu.net
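The TTL consistency check described in the message above, written out as an added example (it is not code from the thread, from Snort or from FlexResp). It tracks the TTLs an endpoint has been observed using on a connection, flags a RST that does not fit that baseline (the 118 versus 54 case from the post, i.e. a 128-based host versus a 64-based responder at the same hop distance), and shows the mitigation the post recommends: copy the TTL the victim's own packets carry rather than picking one at random. The packet records and the 192.0.2.x / 198.51.100.x addresses are constructed for the example; the well-known initial-TTL set (32, 64, 128, 255) is an assumption about common stacks, not something the post states.

```python
"""Judge whether a TCP RST is consistent with the TTLs its claimed sender has
been using on the same connection. Added example for the thread above, not
original code; all packets below are constructed by hand."""

from collections import defaultdict, deque

# Assumed set of common initial TTL values. A host's observed TTL is its
# initial value minus the hop count, so the initial value is inferred as the
# smallest well-known value that is >= the observed one.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed_ttl):
    """Smallest well-known initial TTL at or above the observed value."""
    for base in INITIAL_TTLS:
        if observed_ttl <= base:
            return base
    raise ValueError("TTL out of range: %r" % observed_ttl)


def hop_count(observed_ttl):
    """Hops the packet has travelled, given the inferred initial TTL."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


class SessionTtlTracker:
    """Remembers the TTLs each endpoint uses per connection direction and
    judges whether a RST claiming to come from that endpoint fits them."""

    def __init__(self, history=8):
        # Per (src, sport, dst, dport): the last `history` TTLs seen.
        self._ttls = defaultdict(lambda: deque(maxlen=history))

    @staticmethod
    def _key(pkt):
        # Direction-specific: a RST "from" the server is compared against
        # the TTLs the server itself has been sending on this connection.
        return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    def observe(self, pkt):
        """Feed one packet; returns a verdict string."""
        key = self._key(pkt)
        if "R" not in pkt["flags"]:
            self._ttls[key].append(pkt["ttl"])
            return "data"
        baseline = self._ttls.get(key)   # .get() does not create an entry
        if not baseline:
            return "no_baseline"          # nothing to compare the RST against
        if pkt["ttl"] in baseline:
            return "consistent"
        # Either a different initial-TTL family (e.g. a 128-based host versus
        # a 64-based responder) or the same family at a different distance:
        # either way the RST was not sent from where the rest of the
        # conversation came from.
        if infer_initial_ttl(pkt["ttl"]) != infer_initial_ttl(baseline[-1]):
            return "ttl_family_mismatch"
        return "hop_count_mismatch"

    def reactive_rst_ttl(self, victim, vport, peer, pport):
        """TTL a responder should put on a RST sent on the victim's behalf:
        the value the victim's own packets carried as they passed the
        sensor. If the sensor injects from roughly the same network
        position as the victim, the RST then arrives with the same
        remaining TTL as the victim's packets instead of a random one."""
        baseline = self._ttls.get((victim, vport, peer, pport))
        return baseline[-1] if baseline else None


def demo():
    """Replays the post's scenario as seen from the attacker's vantage point:
    the victim's packets arrive with TTL 118, then a RST arrives with 54."""
    tracker = SessionTtlTracker()
    victim_dir = {"src": "192.0.2.10", "sport": 80,
                  "dst": "198.51.100.7", "dport": 40000}
    packets = [  # constructed packet records
        dict(victim_dir, flags="SA", ttl=118),
        dict(victim_dir, flags="A", ttl=118),
        dict(victim_dir, flags="R", ttl=54),    # injected by a 64-based sensor
        dict(victim_dir, flags="RA", ttl=118),  # what a copied TTL looks like
    ]
    return [tracker.observe(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The same tracker serves both sides of the discussion: fed with the victim's outbound packets at the sensor, `reactive_rst_ttl()` gives the value a FlexResp-style reset should carry; fed with traffic at any vantage point, `observe()` flags a RST that was injected from elsewhere. As the message notes, TTL is only one field; a RST that passes this check can still differ from the victim's packets in IP ID, window size or TCP options, so a fuller check compares those too.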
