[Snort-devel] IDS fingerprinting techniques & Snort's FlexResponse...

Smith, Donald Donald.Smith at ...530...
Fri Aug 24 10:07:34 EDT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would be very interested in this plugin.
In the meantime, just changing the 64 to 128 and the ttl offset
should provide most of us with some level of "misdirection".
Now if somebody has fully mapped my network then sending ttl = 125 on
a reset might not fool them.

What fields besides ttl does your plugin deal with?
Here is an excerpt from a passive OS fingerprinting program by
###############################################################################
                        passive OS fingerprinting tool
                       version 1.7 <lcamtuf at ...631...>

                    -= buffer0verfl0w security team =-

                      http://lcamtuf.hack.pl/p0f.tgz

# p0f - passive OS fingerprinting
#
# Valid entry describes the way server starts TCP handshake (first SYN).
# Important options are: window size (wss), maximum segment size (mss),
# don't fragment flag (DF), window scaling (wscale), sackOK flag, nop
# flag, and initial time to live (TTL) ;)
#
# How can you determine initial ttl? Well, usually it's first power of 2
# bigger than TTL returned in scan. So, for example, if you get TTL 55 in
# fingerprint returned by p0f, initial TTL will be usually 64... NOTE:
# it's better to overestimate initial TTL than underestimate it ;)
#
# There are some brain-damaged devices, like network printers etc, that
# have stupid initial TTLs like 60, but who cares, if HP LaserJet wants to
# visit your server, you have to think again about your life ;)
#
# Format:
#
# wwww:ttt:mmm:D:W:S:N:OS Description
#
# wwww - window size
# ttt  - time to live
# mmm  - maximum segment size
# D    - don't fragment flag  (0=unset, 1=set)
# W    - window scaling (-1=not present, other=value)
# S    - sackOK flag (0=unset, 1=set)
# N    - nop flag (0=unset, 1=set)
###############################################################################

So it looks like at least one tool is paying attention to more than
just the ttl.

In fact, snort has a passive OS fingerprinting plugin; what fields
does it watch?


Donald.Smith at ...530... IP Engineering Security
303-226-9939/0688 Office/Fax
720-320-1537 cell

> -----Original Message-----
> From: Burak DAYIOGLU [mailto:dayioglu at ...287...]
> Sent: Friday, August 24, 2001 12:05 AM
> To: snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] IDS fingerprinting techniques & Snort's
> FlexResponse...
> 
> 
> "Smith, Donald" wrote:
> > It is a false alert in that it will not work against my apache server but I
> > want to know when someone is trying an attack against any network element.
> > Now if you recommended a filtering process (as part of the database plugin
> > or something) that knew 10.1.1.1 was an apache server and cr2.0.1.7.alpha
> > wasn't going to work that would be fully acceptable.
> 
> <line noise>
> 
> I have implemented a plugin to exactly do this. Although with the current
> implementation such "unrelated" alerts are being suppressed, it is
> not difficult to de-prioritize the alert if the target is immune to a
> particular attack.
> 
> The execution time overhead of the plug-ins was measured to be 6% (including
> startup time cost) over a packet trace with 10,000,000 packets.
> 
> The environmental information that Abe refers to (i.e. the os of hosts) is
> collected and may be used to eliminate some of the ambiguities for current
> network ID systems.
> 
> Marty's new kid (BTW, mine is on the way as well) and new company (nope,
> I am not into making my own business) caused a long time delay.
> 
> Still, I hope the plug-ins will be improved and included in the mainstream
> Snort distribution before 2020. (Oops, typo... :)
> 
> </line noise>
> 
> thank you.
> -- 
> Burak DAYIOGLU
> Phone: +90 312 2103379   Fax: +90 312 2103333
>        http://www.dayioglu.net
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8

iQA/AwUBO4ZilkPxB2evAO3MEQLwygCgjVb2UEoJxDbxj3mOVgkyPQUsX/YAoJKW
/xjFcGq/pFgD5Mkh4V0W51c0
=fnTL
-----END PGP SIGNATURE-----
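The signature format and the initial-TTL rule quoted from the p0f README above, worked through as an added example; this is not code from the original post, from Snort, or from p0f itself. It parses `wwww:ttt:mmm:D:W:S:N:OS Description` lines, normalises an observed TTL to its presumed initial value, and reports which of the seven fields an observed SYN agrees with. The three signature lines are constructed for illustration, not entries from p0f's real database, and two details the README leaves open are our own choices (an observed TTL that is already a power of two is taken as the initial value; anything above 128 is reported as 255).

```python
# Added example (not from the original post, Snort or p0f): parser for the
# p0f 1.x signature format, the README's initial-TTL rule, and a field-by-field
# comparison of an observed SYN against the signature list.
from dataclasses import dataclass, asdict
from typing import List, Optional

FIELDS = ("wss", "ttl", "mss", "df", "wscale", "sack", "nop")


@dataclass(frozen=True)
class Fingerprint:
    wss: int       # window size
    ttl: int       # initial time to live
    mss: int       # maximum segment size
    df: int        # don't fragment flag (0=unset, 1=set)
    wscale: int    # window scaling (-1=option not present)
    sack: int      # sackOK flag (0=unset, 1=set)
    nop: int       # nop flag (0=unset, 1=set)
    os: str        # free-text OS description


@dataclass(frozen=True)
class ObservedSyn:
    wss: int
    ttl: int       # TTL as seen on the wire, i.e. after some hops
    mss: int
    df: int
    wscale: int
    sack: int
    nop: int


def parse_fingerprint(line: str) -> Optional[Fingerprint]:
    """Parse one 'wwww:ttt:mmm:D:W:S:N:OS Description' line; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":", 7)  # maxsplit 7: the OS description may itself contain ':'
    if len(parts) != 8:
        raise ValueError(f"malformed fingerprint line: {line!r}")
    return Fingerprint(*(int(p) for p in parts[:7]), os=parts[7])


def load_fingerprints(text: str) -> List[Fingerprint]:
    """Parse a whole signature file, skipping comments and blank lines."""
    return [fp for fp in map(parse_fingerprint, text.splitlines()) if fp is not None]


def initial_ttl(observed_ttl: int) -> int:
    """README rule: the initial TTL is the first power of two at or above the
    observed value (55 -> 64, 120 -> 128).  Our choices: an exact power of two
    is taken as the initial value (host zero hops away), and anything above 128
    is reported as 255, the largest value the 8-bit field can hold."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    guess = 1
    while guess < observed_ttl:
        guess <<= 1
    return guess if guess <= 128 else 255


def differing_fields(syn: ObservedSyn, fp: Fingerprint) -> List[str]:
    """Names of the fields in which the SYN does not agree with the signature;
    the observed TTL is normalised with initial_ttl() before comparing."""
    seen = asdict(syn)
    seen["ttl"] = initial_ttl(seen["ttl"])
    want = asdict(fp)
    return [f for f in FIELDS if seen[f] != want[f]]


def match(syn: ObservedSyn, fps: List[Fingerprint]) -> List[str]:
    """OS descriptions of every signature that agrees on all seven fields."""
    return [fp.os for fp in fps if not differing_fields(syn, fp)]


# Constructed sample entries in the quoted format (illustrative only, not
# lines from p0f's real database).
SAMPLE_DB = """\
# wwww:ttt:mmm:D:W:S:N:OS Description
5840:64:1460:1:0:1:1:Sample Linux-like stack
16384:128:1460:1:0:1:1:Sample Windows-like stack
8760:255:1460:1:-1:0:0:Sample Solaris-like stack
"""
FINGERPRINTS = load_fingerprints(SAMPLE_DB)


if __name__ == "__main__":
    # A SYN from the Linux-like host, observed twelve hops away.
    syn = ObservedSyn(wss=5840, ttl=52, mss=1460, df=1, wscale=0, sack=1, nop=1)
    print(match(syn, FINGERPRINTS))                    # ['Sample Linux-like stack']
    # Same stack with only the TTL rewritten to 125 (the post's example value):
    # no signature matches outright, but every field except ttl still agrees
    # with the Linux-like entry, which is why a TTL-only change is weak cover.
    spoofed = ObservedSyn(wss=5840, ttl=125, mss=1460, df=1, wscale=0, sack=1, nop=1)
    print(match(spoofed, FINGERPRINTS))                # []
    print(differing_fields(spoofed, FINGERPRINTS[0]))  # ['ttl']
```

`differing_fields` is the useful part for the question raised in the thread: it shows that once the observer compares window size, MSS, DF, wscale, sackOK and nop as well as TTL, a packet whose TTL alone has been adjusted still agrees with its real stack's signature on the other six fields.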



