[Snort-devel] Re: [Snort-users] fragroute related fixes need testing on real networks

Martin Roesch roesch at ...402...
Mon Apr 22 19:52:10 EDT 2002


Hey Chris,
    Since I sit ~10 feet from you these days it'd probably be more efficient
for me to just wait to talk about this until work tomorrow, but since I'm
home and I actually have this in front of me, I guess I'll share with the
group.

[snip]

>> 4. older IP fragment duplicates (snort's IP fragment reassembly seems
>>    to always favor newer data, even for properly sequenced received
>>    data):
>> 
>> ip_frag 8
>> ip_chaff dup
>> order random
>> 
> 
> Alert on frags with option data and suck them all away.
> 
> Philosophical question:  Should we ignore frags we didn't see the
> first fragment of?

Do you mean first frag first or frags that we never get the first one for?
They can come in out of order, so you should collect them until you hit a
flush condition, timeout, completion or flush due to memory faults induced
by memcap.  If we don't see the first frag the transport layer header will
be assembled incorrectly, so we should either flush them altogether (i.e.
drop them) or log them to the logging facility as a bad packet.  My opinion.
:)

>> 6. either TCP or IP chaffing with short TTLs (that expire before
>>    reaching the end host, but pass by the monitor):
>> 
>> ip_frag 8
>> ip_ttl 11
>> ip_chaff 10
>> order random
>> 
>> tcp_seg 1
>> ip_ttl 11
>> tcp_chaff 10
>> order random
>> 
> 
> TCP stream stuff already had the min_ttl option to detect this attack
> so that it will throw away anything underneath that.
> 
> I added this option to frag2
> 
> Also, there is a ttl_limit option to both.  Basically, this will alert
> on anything that is different by more than a certain limit

I'd probably call this "ttl_delta" or something, but that's just me.

Thanks for your hard work on this one Chris!

     -Marty

-- 
Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
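
The chaff/TTL evasion and the two knobs discussed above (min_ttl and
ttl_limit, which Marty would rather call ttl_delta), shown as an added
worked example. This is illustration code written for this page, not
Snort's frag2 or stream code and not anything posted in the thread. It
uses plain byte offsets instead of 8-byte IP offset units, a constructed
HTTP request, and assumed TTL values (64 for the real fragments, 11 for
the chaff, a sensor assumed to sit 11 hops from the victim); the Frag,
Verdict, reassemble and sensor_view names are all hypothetical.

```python
"""Toy IPv4 fragment reassembler: overlap policy, min_ttl and a TTL-delta alert.

Added illustration for this thread, not Snort's frag2 code.  Offsets are
plain byte offsets (real IP offsets are in 8-byte units) and the "datagram"
is just a payload; enough to show why chaff that dies before the end host
still reaches the sensor.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Frag:
    offset: int    # byte offset of this piece within the original datagram
    ttl: int       # TTL as seen on the wire at the sensor
    mf: bool       # IP "more fragments" flag; False marks the final piece
    data: bytes


@dataclass
class Verdict:
    payload: Optional[bytes]          # reassembled bytes, or None if incomplete
    dropped: List[Frag] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)


def reassemble(frags: List[Frag], *, favor: str = "new",
               min_ttl: int = 0, ttl_limit: Optional[int] = None) -> Verdict:
    """Reassemble one datagram from fragments given in arrival order.

    favor     "new": later-arriving bytes overwrite earlier ones (what the
              thread says Snort did at the time); "old": first writer wins.
    min_ttl   fragments below this TTL are assumed to expire before the end
              host and are discarded (the min_ttl option in the thread).
    ttl_limit alert when a fragment's TTL differs from the first kept
              fragment's TTL by more than this (ttl_limit / "ttl_delta").
    """
    v = Verdict(payload=None)
    kept: List[Frag] = []
    base_ttl: Optional[int] = None
    for f in frags:
        if f.ttl < min_ttl:
            v.dropped.append(f)
            v.alerts.append(f"min_ttl: off={f.offset} ttl={f.ttl} < {min_ttl}")
            continue
        if ttl_limit is not None:
            if base_ttl is None:
                base_ttl = f.ttl
            elif abs(f.ttl - base_ttl) > ttl_limit:
                v.alerts.append(f"ttl_limit: off={f.offset} ttl={f.ttl} vs {base_ttl}")
        kept.append(f)

    # Without offset 0 the transport header cannot be rebuilt correctly,
    # so treat the datagram as bad rather than guessing (Marty's suggestion).
    if not any(f.offset == 0 for f in kept):
        v.alerts.append("incomplete: first fragment never seen")
        return v
    finals = [f for f in kept if not f.mf]
    if not finals:
        v.alerts.append("incomplete: last fragment never seen")
        return v
    total = max(f.offset + len(f.data) for f in finals)

    buf = bytearray(total)
    covered = bytearray(total)   # 1 where some fragment has supplied the byte
    for f in kept:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos >= total:
                break
            if favor == "old" and covered[pos]:
                continue             # first writer wins under "old"
            buf[pos] = b
            covered[pos] = 1
    if not all(covered):
        v.alerts.append("incomplete: holes remain")
        return v
    v.payload = bytes(buf)
    return v


# Constructed sample: a 24-byte request split into three 8-byte fragments
# (fragroute "ip_frag 8") plus one chaff fragment for the middle piece that
# carries garbage with TTL 11.  Assumption: the sensor is 11 hops from the
# victim, so the chaff reaches the sensor but expires before the end host.
REAL = b"GET /index.html HTTP/1.0"
REAL_FRAGS = [Frag(0, 64, True, REAL[0:8]),
              Frag(8, 64, True, REAL[8:16]),
              Frag(16, 64, False, REAL[16:24])]
CHAFF = Frag(8, 11, True, b"XXXXXXXX")


def sensor_view(*, min_ttl: int = 0, ttl_limit: Optional[int] = None,
                chaff_first: bool = False, favor: str = "new") -> Verdict:
    """What the sensor reassembles; chaff_first models "order random"."""
    order = ([REAL_FRAGS[0], CHAFF, REAL_FRAGS[1], REAL_FRAGS[2]] if chaff_first
             else [REAL_FRAGS[0], REAL_FRAGS[1], CHAFF, REAL_FRAGS[2]])
    return reassemble(order, favor=favor, min_ttl=min_ttl, ttl_limit=ttl_limit)


def end_host_view() -> bytes:
    """The victim never receives the chaff (its TTL expired in transit)."""
    return reassemble(REAL_FRAGS).payload


if __name__ == "__main__":
    print("host  :", end_host_view())
    print("sensor:", sensor_view().payload)
    print("sensor, min_ttl=12:", sensor_view(min_ttl=12).payload)
    print("sensor, ttl_limit=5:", sensor_view(ttl_limit=5).alerts)
```

With "order random" the chaff may arrive either before or after the real
piece, so neither a favor-new nor a favor-old overlap policy alone keeps
the sensor in step with the end host; only discarding fragments that
cannot reach the target (min_ttl) or flagging the TTL spread (ttl_limit)
does, and the min_ttl value has to be chosen from the real hop distance
between sensor and protected hosts.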