[Snort-devel] fragroute related fixes need testing on real networks

Peter Johnson rottz at ...403...
Mon Apr 22 20:03:02 EDT 2002


Chris Green wrote:
> TCP stream stuff already had the min_ttl option to detect this attack
> so that it will throw away anything underneath that.
After running build 127 this weekend, I saw this.
[**] spp_stream4: TTL EVASION (reassemble) detection [**]
04/21-14:15:08.197485 0:A0:C5:E5:F6:93 -> 0:A0:CC:61:EC:DE type:0x800 len:0x3C
a.b.c.d:8572 -> a.b.c.53:80 TCP TTL:17 TOS:0x0 ID:0 IpLen:20 DgmLen:43
***A*R** Seq: 0xA400514D  Ack: 0x0  Win: 0x0  TcpLen: 20
63 6B 6F                                         cko

Which is traffic to my webserver, which seems odd?
Maybe still needs a little tweaking. *shrug*
I'm compiling and installing today's changes right now.


> I added this option to frag2
> 
> Also, there is a ttl_limit option to both.  Basically, this will alert
> on anything that is different by more than a certain limit
I don't get much fragmentation on my network, so hopefully others can test.

> 
> The default is 5 picked off the cuff.  Know of any papers that measure
> the avg and std deviation of TTLs on normal internet traffic across a
> large sample and I'll be your buddy.
See if any of these help at all....
http://216.239.35.100/search?q=cache:HqEP0g71uxMC:www.lucent.com/livelink/210013_Presentation.ppt+TTL+evasion&hl=en
http://www.icir.org/vern/papers/norm-usenix-sec-01-html/node3.html
http://translate.google.com/translate?hl=en&sl=it&u=http://security.dsi.unimi.it/~lorenzo/papers/notes/eluding_ids.txt&prev=/search%3Fq%3DTTL%2Bevasion%26hl%3Den%26safe%3Doff
http://secinf.net/info/ids/idspaper/idspaper.html

> Thanks for your help and patience,
> Chris

No! Thank you for all your work!! :)
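Toy model of the two checks Chris describes above (min_ttl discards anything below a floor; ttl_limit alerts when a segment's TTL differs from the first TTL seen on that session by more than a limit, default 5), run over a constructed insertion attack. This is an added illustration, not Snort's stream4/frag2 code; the hop counts, addresses and payloads are made up, and the model leaves alerted segments out of the reassembled stream so the effect is visible.

```python
"""Toy model of the stream4/frag2 TTL checks discussed in this thread.

Constructed example: not Snort code, not real traffic."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    seq: int
    payload: bytes


Key = Tuple[str, int, str, int]


class TtlTracker:
    """min_ttl: discard anything with a TTL below it.
    ttl_limit: alert when a segment's TTL differs from the first TTL seen
    on the same session by more than this (5 is the default in the post)."""

    def __init__(self, min_ttl: int = 1, ttl_limit: int = 5):
        self.min_ttl = min_ttl
        self.ttl_limit = ttl_limit
        self.baseline: Dict[Key, int] = {}

    def check(self, s: Segment) -> str:
        if s.ttl < self.min_ttl:
            return "drop"
        key = (s.src, s.sport, s.dst, s.dport)
        base = self.baseline.setdefault(key, s.ttl)  # first TTL wins
        if abs(s.ttl - base) > self.ttl_limit:
            return "alert"
        return "accept"


def reassemble(segments: List[Segment], accept: Callable[[Segment], bool]) -> bytes:
    """First-come-wins reassembly of the segments the predicate accepts."""
    buf: Dict[int, int] = {}
    for s in segments:
        if not accept(s):
            continue
        for i, b in enumerate(s.payload):
            buf.setdefault(s.seq + i, b)
    return bytes(buf[k] for k in sorted(buf))


# Constructed session (hypothetical addresses, not the ones in the post).
CLIENT = ("10.0.0.5", 8572, "10.0.0.53", 80)


def seg(ttl: int, seq: int, payload: bytes) -> Segment:
    return Segment(*CLIENT, ttl, seq, payload)


# Assumed topology: the IDS sits 2 hops from the client, the server 10 hops.
# The TTL-3 decoy is seen by the IDS but expires before the server.
STREAM = [
    seg(64, 0, b"GET /"),
    seg(3, 5, b"robots.txt "),    # decoy bytes at offset 5
    seg(64, 5, b"cgi-bin/x  "),   # the bytes the server really gets
    seg(64, 16, b"HTTP/1.0\r\n"),
]


def server_view(hops_to_server: int = 10) -> bytes:
    """What the server reassembles: only segments whose TTL outlasts the path."""
    return reassemble(STREAM, lambda s: s.ttl > hops_to_server)


def ids_view_naive() -> bytes:
    """An IDS that trusts every segment is fooled by the decoy."""
    return reassemble(STREAM, lambda s: True)


def ids_view_checked(min_ttl: int = 1, ttl_limit: int = 5) -> bytes:
    """With the TTL checks, the IDS view matches the server's."""
    t = TtlTracker(min_ttl, ttl_limit)
    return reassemble(STREAM, lambda s: t.check(s) == "accept")


def verdicts(min_ttl: int = 1, ttl_limit: int = 5) -> List[str]:
    t = TtlTracker(min_ttl, ttl_limit)
    return [t.check(s) for s in STREAM]


def late_packet_verdict(ttl: int) -> str:
    """Any later segment far from the baseline TTL alerts, evasion or not."""
    t = TtlTracker()
    t.check(STREAM[0])  # baseline 64
    return t.check(seg(ttl, 26, b""))


if __name__ == "__main__":
    print("server :", server_view())
    print("naive  :", ids_view_naive())
    print("checked:", ids_view_checked())
    print("verdicts (min_ttl=1):", verdicts())
    print("verdicts (min_ttl=5):", verdicts(min_ttl=5))
    print("TTL 17 after baseline 64:", late_packet_verdict(17))
```

`late_packet_verdict(17)` shows the other side of the ttl_limit check: a segment on an established session whose TTL is more than the limit away from the first one alerts regardless of why it got there, which is why a legitimate session can trip it and why the limit has to be tuned against real traffic rather than picked off the cuff.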