[Snort-devel] Re: Re: Snort exploits

ktimm at ...364... ktimm at ...364...
Wed Apr 17 21:54:09 EDT 2002


If I may chime in, the Cisco IDS detects many of the fragmentation attacks
with signatures; however, the problem with that is that those are usually set
to a low alarm level and don't always log well. Fragmentation occurs in the
wild often, especially in VPN traffic, where overwrite is a common alarm. The
fact that an IDS alarms is fine; however, the attack may still be missed or
at the least mis-diagnosed. I myself am a big proponent of IDS; however, the
network-level problems do present a very unique situation in that it takes
fairly skilled professionals managing the devices, and if the victim
doesn't reside on the same broadcast network an attacker can still fake
resets and stuff like that. Vern Paxson had a very interesting point in
traffic normalization. I have been doing some work with session splicing.
Session splicing is easy to detect in small packets, but with web stuff you
can insert a lot of junk the web server will accept that allows you to pad
a request. Also, while Apache times out a session in 6 minutes, IIS will
let a session go on almost forever. You can send 1 byte every 15 minutes
and IIS will still accept it. Timeout is an issue with splicing more than
fragmentation if the server will keep accepting requests.

Kevin



>
> On Wed, 17 Apr 2002 04:07:31 +0000, Dragos Ruiu <dr at ...40...> wrote:
>
>>Basically all the chaffing at the IP and TCP level is detectable as
>>those  should not be normal conditions. Look to snort cvs over the next
>>few days for solutions to these issues...
>
> That's good to know. But why has it taken 3 months to fix? I wonder
> what I've been missing during those 3 months. :(
>
>>But using fairly loaded terms like "blindside" is just excessively
>>alarmist imho.
>
> *All* the attacks he lists still work against Snort 1.8.3 through the
> current version in CVS, except for one, and maybe I'm running it wrong.
> I literally get *no* alerts for any of the TCP-based attacks, I
> wouldn't call that "near-sighted" ;)
>
>
> -=+ 0xCafeBabe! +=-
>
>
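The session-splicing scenario Kevin describes above (a request delivered one byte at a time, with long gaps, to a server that never times out, against an IDS that does), as an added offline simulation. This is illustration written for this page, not code from the Snort project or from anyone in the thread. The sample request, the signature string, the host name and every timeout value are constructed assumptions chosen to mirror the behaviour the post describes; nothing here opens a socket.

```python
"""Session splicing versus a signature IDS, simulated offline.

Added illustration, not code from the Snort project or the mailing-list
thread.  A "segment" is (arrival_time_seconds, tcp_payload); no sockets are
opened, and the timeouts used by callers are assumed values chosen to mirror
the behaviour described in the thread (a server that keeps a request open
almost forever versus one that gives up after a few minutes).
"""
from typing import List, Tuple

Segment = Tuple[float, bytes]

# Constructed sample request: the path carries a string a content
# signature would match on.  The host name is hypothetical.
SUSPICIOUS_REQUEST = b"GET /../../etc/passwd HTTP/1.0\r\nHost: victim\r\n\r\n"
SIGNATURE = b"/etc/passwd"


def pad_request(request: bytes, junk_lines: int, filler: bytes = b"A" * 32) -> bytes:
    """Insert junk headers the server accepts (and ignores) before the final CRLF.

    This is the padding trick from the thread: it lets each spliced segment
    carry plausible bytes instead of a lone byte of the attack string.
    """
    head, _, _ = request.rpartition(b"\r\n\r\n")
    junk = b"".join(b"X-Pad-%d: %s\r\n" % (i, filler) for i in range(junk_lines))
    return head + b"\r\n" + junk + b"\r\n"


def splice(request: bytes, chunk: int, gap: float) -> List[Segment]:
    """Split the request into `chunk`-byte payloads arriving `gap` seconds apart."""
    return [(i * gap, request[off:off + chunk])
            for i, off in enumerate(range(0, len(request), chunk))]


def per_packet_ids(segments: List[Segment], signature: bytes) -> bool:
    """An IDS that matches each payload on its own: blind to any split signature."""
    return any(signature in payload for _, payload in segments)


def reassembling_ids(segments: List[Segment], signature: bytes, idle_timeout: float) -> bool:
    """An IDS that reassembles the stream but drops its session state after
    `idle_timeout` seconds of silence, which is the weakness splicing targets."""
    buf = b""
    last_seen = None
    for t, payload in segments:
        if last_seen is not None and t - last_seen > idle_timeout:
            buf = b""  # session expired: everything buffered so far is forgotten
        buf += payload
        last_seen = t
        if signature in buf:
            return True
    return False


def server_receives_full_request(segments: List[Segment], server_timeout: float) -> bool:
    """Whether a server that closes idle connections after `server_timeout`
    seconds ever sees the complete request."""
    last_seen = None
    for t, _ in segments:
        if last_seen is not None and t - last_seen > server_timeout:
            return False
        last_seen = t
    return True


def small_segment_ratio(segments: List[Segment], threshold: int = 4) -> float:
    """Fraction of segments carrying fewer than `threshold` payload bytes: a
    cheap splicing heuristic that request padding is meant to defeat."""
    small = sum(1 for _, payload in segments if len(payload) < threshold)
    return small / len(segments)


if __name__ == "__main__":
    one_byte = splice(SUSPICIOUS_REQUEST, chunk=1, gap=15 * 60)  # one byte every 15 minutes
    print("per-packet IDS fires:      ", per_packet_ids(one_byte, SIGNATURE))
    print("IDS with 60s session idle: ", reassembling_ids(one_byte, SIGNATURE, idle_timeout=60))
    print("IDS with 1h session idle:  ", reassembling_ids(one_byte, SIGNATURE, idle_timeout=3600))
    print("6-minute server completes: ", server_receives_full_request(one_byte, 6 * 60))
    print("never-timeout server:      ", server_receives_full_request(one_byte, float("inf")))
    print("small-segment ratio:       ", small_segment_ratio(one_byte))
    padded = splice(pad_request(SUSPICIOUS_REQUEST, junk_lines=20), chunk=16, gap=15 * 60)
    print("padded small-segment ratio:", small_segment_ratio(padded))
```

The two knobs that matter are the IDS idle timeout relative to the sender's gap and the server's own idle timeout: a one-byte-per-fifteen-minutes stream completes only on a server that never gives up, and is reassembled only by an IDS whose session state outlives the gap. Padding with accepted junk headers brings the small-segment ratio to zero while still keeping the signature split across segment boundaries.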