[Snort-devel] Bad checksum detector (preprocessor) for 1.9.0

Del Armstrong del_armstrong at ...398...
Sun Nov 24 21:18:02 EST 2002


Attached is spp_csum, a preprocessor for Snort
1.9.0.  Inspired by the work which led to CERT
Vulnerability Note VU#539363, spp_csum will log an
alert on packets with bad IP, TCP, UDP or ICMP
checksums. There are options to control which
checksums to examine, and to ignore bad checksums
until certain thresholds have been reached.

If an attacker can generate packets with bad
checksums, he/she may be able to evade IDS systems
which drop packets with bad checksums. In
addition, there is a potential for malformed
packets with bad checksums to be used for denial
of service attacks. The bottom line is that
packets with bad checksums *may* be somebody
trying something funny, and so should be noticed by a
NIDS.

Snort 1.9.0 apparently has a few problems with ICMP
and UDP checksums.  I suggest configuring spp_csum
to ignore ICMP packets, and applying the attached
patch to decode.c (or ignoring UDP packets).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: spp_csum.tar.gz
Type: application/x-tar
Size: 15439 bytes
Desc: spp_csum.tar.gz
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20021124/7546f3ef/attachment.tar>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: decode.patch
Type: application/x-unknown
Size: 1971 bytes
Desc: decode.patch
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20021124/7546f3ef/attachment.bin>
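As an added illustration of what a bad-checksum detector of this kind has to get right (this is example code written for this page, not the contents of the attached spp_csum tarball or decode.patch, and it does not describe how spp_csum or Snort 1.9.0 actually decode packets), the C below verifies the IPv4 header checksum and the TCP, UDP and ICMP checksums of a raw packet. It feeds the pseudo-header into the same RFC 1071 one's-complement sum the end host uses, sizes the transport-layer checksum from the IP total length rather than the captured length, and handles the UDP special case from RFC 768 (a zero checksum field means "none sent", and a genuinely computed zero goes on the wire as 0xffff). The sample packet is constructed here and its two checksums were worked out by hand; the bounds checks and the decision to report a zero UDP checksum as "absent" rather than "bad" are this example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
enum { CSUM_BAD_IP = 1, CSUM_BAD_TCP = 2, CSUM_BAD_UDP = 4, CSUM_BAD_ICMP = 8 };

/* RFC 1071 one's-complement sum of big-endian 16-bit words, folded to 16 bits.
 * 'acc' carries a running sum so a pseudo-header and its segment add up. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2)
        acc += (uint32_t)p[0] << 8 | p[1];
    if (len)                                /* odd trailing byte, zero padded */
        acc += (uint32_t)p[0] << 8;
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return acc;
}

/* Internet checksum; over a buffer holding its own checksum field it yields 0. */
uint16_t in_cksum(const uint8_t *p, size_t len, uint32_t acc) { return (uint16_t)~ones_sum(p, len, acc); }

/* Sum of the IPv4 pseudo-header: src, dst, zero, protocol, L4 length. */
static uint32_t pseudo_sum(const uint8_t *ip, uint16_t l4len)
{
    uint8_t ph[12] = {0};
    memcpy(ph, ip + 12, 8);
    ph[9] = ip[9];
    ph[10] = (uint8_t)(l4len >> 8);
    ph[11] = (uint8_t)l4len;
    return ones_sum(ph, sizeof ph, 0);
}

/* 1 = valid, 0 = bad or malformed, -1 = no checksum: RFC 768 lets an IPv4 UDP
 * sender put 0 in the field (a computed 0 is transmitted as 0xffff instead). */
int udp_cksum_check(const uint8_t *ip, size_t len)
{
    size_t ihl = (ip[0] & 0x0f) * 4u;
    const uint8_t *udp = ip + ihl;
    if (len < ihl + 8) return 0;
    uint16_t ulen = (uint16_t)(udp[4] << 8 | udp[5]);
    if (ulen < 8 || ihl + ulen > len) return 0;          /* length field lies */
    if (udp[6] == 0 && udp[7] == 0) return -1;
    return in_cksum(udp, ulen, pseudo_sum(ip, ulen)) == 0;
}

/* Bitmask of layers whose checksum failed (0 = clean). Truncated or
 * self-contradictory headers count as bad IP rather than being read past len. */
int bad_checksums(const uint8_t *ip, size_t len)
{
    int bad = 0;
    if (len < 20 || (ip[0] >> 4) != 4) return CSUM_BAD_IP;
    size_t ihl = (ip[0] & 0x0f) * 4u, tot = (size_t)(ip[2] << 8 | ip[3]);
    if (ihl < 20 || tot < ihl || tot > len) return CSUM_BAD_IP;
    if (in_cksum(ip, ihl, 0) != 0) bad |= CSUM_BAD_IP;
    size_t l4len = tot - ihl;   /* L4 checksums cover only what the IP length claims */
    switch (ip[9]) {
    case 6:                     /* TCP: pseudo-header + header + payload */
        if (l4len < 20 || in_cksum(ip + ihl, l4len, pseudo_sum(ip, (uint16_t)l4len)))
            bad |= CSUM_BAD_TCP;
        break;
    case 17:                    /* UDP: zero field is "absent", not "bad" (policy choice here) */
        if (udp_cksum_check(ip, tot) == 0) bad |= CSUM_BAD_UDP;
        break;
    case 1:                     /* ICMP: checksum over the message only, no pseudo-header */
        if (l4len < 8 || in_cksum(ip + ihl, l4len, 0)) bad |= CSUM_BAD_ICMP;
        break;
    }
    return bad;
}

/* Constructed sample (not a capture): IPv4 192.168.1.10 -> 192.168.1.1, UDP
 * 12345 -> 53, payload 'A'. Checksums 0xf773 (IP) and 0x0b12 (UDP) were
 * worked out by hand, so they check the code rather than the other way round. */
const uint8_t SAMPLE_UDP[29] = {
    0x45, 0x00, 0x00, 0x1d, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0xf7, 0x73,
    0xc0, 0xa8, 0x01, 0x0a, 0xc0, 0xa8, 0x01, 0x01,
    0x30, 0x39, 0x00, 0x35, 0x00, 0x09, 0x0b, 0x12, 0x41
};

/* Copy the sample, XOR two adjacent bytes (off < 28), report which layers fail. */
int check_with_flip(size_t off, uint8_t m0, uint8_t m1)
{
    uint8_t p[sizeof SAMPLE_UDP];
    memcpy(p, SAMPLE_UDP, sizeof p);
    p[off] ^= m0;
    p[off + 1] ^= m1;
    return bad_checksums(p, sizeof p);
}

int main(void)
{
    printf("clean           0x%x\n", bad_checksums(SAMPLE_UDP, sizeof SAMPLE_UDP));
    printf("TTL changed     0x%x\n", check_with_flip(8, 0x3f, 0));      /* IP only */
    printf("payload changed 0x%x\n", check_with_flip(27, 0, 0x01));     /* UDP only */
    printf("UDP csum zeroed 0x%x\n", check_with_flip(26, 0x0b, 0x12));  /* absent: not flagged */
    return 0;
}
```

Two points in this layout matter for a sensor rather than a host. The transport checksum is computed over the length the IP header claims, not over however many bytes were captured, so that the sensor's verdict matches the receiving host's; and because the TTL sits outside the pseudo-header, changing it breaks only the IP checksum, while changing an address breaks both the IP and the UDP checksum, which is why the example reports each layer separately instead of a single bad/good bit. The zero-UDP-checksum rule is the kind of special case a checker has to treat deliberately: the example reports it as "absent" rather than alerting, but a deployment that wants to alert on it only has to change the `case 17` branch.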