[Snort-devel] a doozie of a metaphysical question

Chris Green cmg at ...81...
Wed Jun 13 17:09:42 EDT 2001

<tlewis at ...255...> writes:

> On Wed, 13 Jun 2001, Erik Fichtner wrote:
>> On Wed, Jun 13, 2001 at 10:12:36AM -0400, tlewis at ...255... wrote:
>> > In fact, now that I think about it, you can't rely on DNS opcode or rcode 
>> > ranges to identify DNS packets, since having illegal values for these is 
>> > a very good attack.
>> Pshaw.   It's very hard to tell what something IS, but it's not very 
>> hard at all to tell what something ISN'T.
>> "This ISN'T a sensible DNS packet... Perhaps it should be looked at further..."
> And what about the non-sensical DNS packets that are actually destined for
> DNS servers, where they will trigger very-sensible buffer overflows?  We're
> not writing tcpdump here; we're writing an IDS.

Unfortunately, network troubleshooting and security overlap in too
many places.  After talking to a person puzzled about a very odd
``fragmentation attack'' and lots of looking, I asked them to get
someone to look at the router interface stats the sensor was
monitoring and sure enough, error city.

Category 0 - Normal - don't bother with it

Category 1 - I don't understand it

This sure isn't DNS but it's suspicious.  Either the decoder is wrong
or the packet is wrong. Look at it some more - Might be capturing an
unknown attack or making bad assumptions about the traffic in the
first place.

Category 2 - Known attack

This is FOO attack style signature - 95% likely a real attack

Tons of protocol decoders that can emulate specific implementation
behaviors seem to be a sensible approach if cpu usage is no object.

One behavior that would be nice to know is 'is this a real ftp
transfer connection or a rogue connection to a port'. Same general
category of the analysis quagmire without keeping tons of state.

Chris Green <cmg at ...81...>
This is my signature. There are many like it but this one is mine.
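As an added illustration of the "this ISN'T a sensible DNS packet" test discussed in the thread (example code written for this archive page, not code from the original post or from Snort): a minimal DNS header and question-section sanity check that sorts a UDP payload into Category 0 (parses as DNS) or Category 1 (not sensible, look closer). It assumes the opcode and rcode values defined by RFC 1035, 1996 and 2136, and the sample packets are constructed for the example; Category 2 (known-attack signatures) is a separate matching step and is not shown.

```python
import struct

DEFINED_OPCODES = {0, 1, 2, 4, 5}   # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
DEFINED_RCODES = set(range(0, 11))  # NOERROR .. NOTZONE (RFC 1035 / RFC 2136)


def _parse_name(payload, off):
    """Walk the labels of a domain name starting at off.
    Return the offset just past the name, or raise ValueError if it is not
    a sensible name (overlong label, overlong name, or truncated packet)."""
    total = 0
    while True:
        if off >= len(payload):
            raise ValueError("name runs past end of packet")
        length = payload[off]
        off += 1
        if length == 0:                       # root label ends the name
            return off
        if length & 0xC0 == 0xC0:             # compression pointer: 2 bytes
            if off >= len(payload):
                raise ValueError("truncated compression pointer")
            return off + 1
        if length > 63:
            raise ValueError("label longer than 63 bytes")
        total += length + 1
        if total > 255:
            raise ValueError("name longer than 255 bytes")
        off += length


def classify_dns(payload):
    """Return (category, reason): 0 = sensible DNS, 1 = look at it some more."""
    if len(payload) < 12:
        return 1, "shorter than a DNS header"
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    opcode = (flags >> 11) & 0xF
    rcode = flags & 0xF
    if opcode not in DEFINED_OPCODES:
        return 1, f"undefined opcode {opcode}"
    if rcode not in DEFINED_RCODES:
        return 1, f"undefined rcode {rcode}"
    if not (flags & 0x8000) and rcode != 0:   # QR=0 means query: rcode must be 0
        return 1, "query with non-zero rcode"
    off = 12
    try:
        for _ in range(qdcount):              # each question: QNAME, QTYPE, QCLASS
            off = _parse_name(payload, off)
            if off + 4 > len(payload):
                raise ValueError("question section truncated")
            off += 4
    except ValueError as exc:
        return 1, str(exc)
    return 0, "parses as DNS"


# Constructed sample packets (not captures from the thread).
HEADER_OK = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # opcode 0, RD=1, 1 question
GOOD_QUERY = HEADER_OK + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
BAD_OPCODE = b"\x12\x35\x38\x00" + HEADER_OK[4:] + b"\x07example\x03com\x00\x00\x01\x00\x01"
LONG_LABEL = HEADER_OK + b"\x45" + b"A" * 69 + b"\x00" + b"\x00\x01\x00\x01"
```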