[Snort-devel] Snort Session re-assembly

ktimm at ...364... ktimm at ...364...
Wed Apr 17 11:55:13 EDT 2002


I've been working with doing some testing on Snort session re-assembly
using Whisker style splicing. There seems to be some problems with Snorts
stream re-assembly and how it actually detects attacks. In short , I set it
up in a lab that allows different time intervals as well as different size
splices (to avoid the default Snort Whisker rules ). Depending on what is
sent differnt rules are triggered. When 1 byte splices are sent Whisker
rules trigger only. When larger splices are sent (I sent some unicode stuff
for testing since it should lite up the alerts file) I may get a unicode
alert or I may get scripts access alert. When I lengthen the amount of time
(whish IIS convienently allows tobe quite large) Snort can be totally
evaded. In comparison I had a Cisco sensor in the lab as well which
flawlessy detected all the attacks except the ones which took a significant
amount of time. This would lead me to believe that the Snort stream re-
assembly isn't really working correctly. I have port 80 set for re-assembly
with stream4 and am testing with 1.8.6. I will be happy to send all the
results and logs off line aas well as conf files and ehatever is needed.

Any Ideas ?


Kevin






More information about the Snort-devel mailing list