[Snort-devel] a new method to desync IDS???

Burak DAYIOGLU dayioglu at ...287...
Thu May 10 09:20:15 EDT 2001

While experimenting some other thing, I guess we have had found a
new way to desyncronize NIDS sensors from those hosts that the NIDS
is used to protect.

With the increasing use of TTCP, there are two groups of TCP 
behaviour. Some of the hosts accept data with the first SYN of the
three way handshake while others simply discarding it.

Reading through the linux IP stack implementation, we found that
Linux is simply discarding data portions of initial SYN's while
(according to the source code comment in tcp_input.c) BSD
derivatives queue at least some portion of the data for use after
session establishment.

Our initial examination with the Snort NIDS source code gave hints
that Snort (with its most up to date rulesets) may produce alerts
for the data portions of these initial SYN packets, even though
the actual recipient system is going to discard it.

On the contrary, if the NIDS does not know how the actual recipient
will handle the data portion (accept or discard it), there is the
possibility for an Evasion or Insertion attack.

The question marks on the subject line are to express that we are
not sure about
	a. If this insertion/evasion case does really exist, as we
		have not proved it informally through development
		of an exploit code 
	b. If someone has discovered/pointed it before us if
		there really is such a vulnerability

We are still continuing examining the case and would love to hear
your comments/flames.

Burak DAYIOGLU & Muzaffer OZAKCA

More information about the Snort-devel mailing list