[Snort-devel] Yet more data corruption in stream4/snort-2.0.5

Andrew Rucker Jones arjones at ...2237...
Sat Dec 6 12:35:01 EST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Frank,
	That's interesting. I used snort with my patches on a few gigabytes of
information and got the same alerts as without my patches (sans
corrupted packets), including Web attacks like CodeRed, and, yes, i
believe Nimda was in there. I would be happy to look at what You're
talking about if You send me a pcap file.
	As i mentioned to Jim Cervantes off list, my patch IS broken in one way
known to me -- it does not check both sides of the three way handshake
to see if they both use window scaling. If either one of them does not,
the other is not allowed to. The only consequence i can see of this is a
possible insertion attack against the IDS, but i believe it would be
pretty hard to pull off (and would be no better or worse than the
omission attack that one could use against snort without my patches).


Frank Knobbe wrote:
| On Tue, 2003-12-02 at 16:22, Andrew Rucker Jones wrote:
|
|>	There is another data corruption ... deficiency ... in stream4 in snort
|>2.0.5. This one stems from the fact that snort does not handle TCP
|>window scaling.
|
|
|
| Andrew,
|
| I've been running your patches in a test bed for a while. It seem like
| they are broken since snort got pretty blind on the TCP side of things.
| Naturally, UDP and ICMP based alerts remained, but I noticed Snort
| snoozing through Nimda and other web related scans.
|
| What have others experienced?
|
| Regards,
| Frank
|

- --
GPG key / Schlüssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
Encrypt everything. / Alles verschlüsseln.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/0j0roI7tqy5bNGMRApOZAKCI/lMxL1a9uW8Tzso2iwy5PqckJwCeJqPd
+kgi3Yhq3n2ozRKpxzCShnw=
=TzTs
-----END PGP SIGNATURE-----





More information about the Snort-devel mailing list