[Snort-devel] fragroute related fixes need testing on real networks
rottz at ...403...
Mon Apr 22 20:03:02 EDT 2002
Chris Green wrote:
> TCP stream stuff already had the min_ttl option to detect this attack
> so that it will throw away anything underneath that.
After running build 127 this weekend, I saw this.
[**] spp_stream4: TTL EVASION (reassemble) detection [**]
04/21-14:15:08.197485 0:A0:C5:E5:F6:93 -> 0:A0:CC:61:EC:DE type:0x800
a.b.c.d:8572 -> a.b.c.53:80 TCP TTL:17 TOS:0x0 ID:0 IpLen:20 DgmLen:43
***A*R** Seq: 0xA400514D Ack: 0x0 Win: 0x0 TcpLen: 20
63 6B 6F cko
Which is traffic to my webserver, which seems odd?
Maybe still needs a little tweaking. *shrug*
I'm compiling and installing today's changes, right now.
> I added this option to frag2
> Also, there is a ttl_limit option to both. Basically, this will alert
> on anything that is different by more than a certain limit
I don't get much fragmentation on my network, so hopefully others can test.
> The default is 5 picked off the cuff. Know of any papers that measure
> the avg and std deviation of TTLs on normal internet traffic across a
> large sample and I'll be your buddy.
See if any of these help at all....
> Thanks for your help and patience,
No! Thank you for all your work!! :)
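As an added illustration of the two options Chris describes, here is a small model of min_ttl and ttl_limit run over a constructed segment list (example code, not Snort's stream4 or frag2). It assumes ttl_limit is measured against the TTL of the flow's first segment and that alerted segments are kept out of reassembly.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample flow: one TCP stream carrying an HTTP request, with a
# third segment inserted at a deliberately low TTL. Fields: (flow key, TTL, payload).
FLOW = "10.0.0.5:40000->10.0.0.80:80"
SEGMENTS: List[Tuple[str, int, bytes]] = [
    (FLOW, 64, b"GET /in"),
    (FLOW, 64, b"dex.html"),
    (FLOW, 2, b"XXXXXXXX"),     # low-TTL segment that would expire before the server
    (FLOW, 63, b" HTTP/1.0"),   # one hop of TTL jitter, within ttl_limit
]

@dataclass
class FlowState:
    base_ttl: int                                   # TTL of the flow's first segment
    accepted: List[bytes] = field(default_factory=list)

def check_segment(flows: Dict[str, FlowState], key: str, ttl: int,
                  payload: bytes, min_ttl: int, ttl_limit: int) -> str:
    """Apply both checks and return 'drop', 'alert' or 'ok'.

    min_ttl:   segments below it are discarded before reassembly.
    ttl_limit: segments whose TTL differs from the flow's first-seen TTL
               by more than this raise a TTL-evasion alert (assumed baseline).
    """
    if ttl < min_ttl:
        return "drop"
    state = flows.get(key)
    if state is None:
        flows[key] = FlowState(base_ttl=ttl, accepted=[payload])
        return "ok"
    if abs(ttl - state.base_ttl) > ttl_limit:
        return "alert"          # alerted segment is not reassembled (assumption)
    state.accepted.append(payload)
    return "ok"

def run(segments, min_ttl: int = 1, ttl_limit: int = 5):
    """Return (per-segment verdicts, reassembled bytes keyed by flow)."""
    flows: Dict[str, FlowState] = {}
    verdicts = [check_segment(flows, key, ttl, data, min_ttl, ttl_limit)
                for key, ttl, data in segments]
    return verdicts, {k: b"".join(s.accepted) for k, s in flows.items()}

if __name__ == "__main__":
    for min_ttl in (1, 3):
        verdicts, streams = run(SEGMENTS, min_ttl=min_ttl)
        print(f"min_ttl={min_ttl}: {verdicts} -> {streams[FLOW]!r}")
```

With min_ttl=3 the inserted segment is dropped before the limit check; with the default of 1 it survives to trip ttl_limit instead, and either way the reassembled stream is the request the server actually saw. A legitimate segment whose path TTL is more than five hops off the baseline, like the TTL 17 RST in the alert above, trips ttl_limit the same way, which is the kind of false positive a deployment has to tune for.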