[Snort-devel] FlexResp "fix"...

Abe L. Getchell abegetchell at ...1785...
Thu Jan 16 21:27:01 EST 2003


Greetings all!
	Long time no see, been busy. =)  Remember a loooooong time ago
when I posted a message to the devel list about the possibility of an
attacker being able to determine what segment a Snort sensor was sitting
on by looking at the TTL in the IP header of TCP resets and ICMP error
messages that flexresp sends back to him?  Well, the topic came up again
when I was discussing active response with a friend who works for
Enterasys yesterday and it got me thinking, so I made some changes to
sp_respond.c and tested them out this evening.  The diff attached to
this e-mail will cause a random TTL to be generated for the precached IP
headers used for TCP reset and ICMP error packets every time Snort is
started.
	Only generating a randomized TTL once every time Snort is
started has some advantages as opposed to other solutions that were
discussed a while back (check the list archives for details).  It
doesn't become a fingerprint of Snort to send out flexresp packets with
TTLs that jump all over the place or simply increment/decrement.  Since
the TTL is randomized only once every time Snort is started, it doesn't
place a huge amount of overhead on the box, as opposed to doing
randomization for every flexresp packet it sends out.  The TTL changes
only when Snort is restarted, so it would be consistent in the short
term (to keep things from looking TOO suspicious to a less experienced
attacker) yet would change in the long term (just enough to maybe keep
a less experienced attacker scratching his head).  And it allows the
current system of precaching IP headers to stay in place without major
changes to the way flexresp works... again.
	Please keep in mind that this is my first submission to have
something changed, so please tell me if I screwed anything up or need to
provide any additional information.  Also keep in mind that I'm not a
programmer, so if I botched something in the VERY few lines of code I
actually touched, feel free to bonk me over the head.  Hope everyone's
been doing well, let me know if you have any questions!

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell at ...1785...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: flexresp_TTL_fix.diff
Type: application/octet-stream
Size: 1638 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030116/033badc6/attachment.obj>
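The leak Abe describes, and the once-per-start randomization he proposes, side by side. This is an added illustration, not the code from the attached diff or from Snort's sp_respond.c; the header struct, the function names, the hop-count heuristic and the xorshift32 generator are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Minimal IPv4 header layout; only the TTL and protocol fields matter here
   (an assumed layout for the example, not Snort's precached header). */
struct ipv4_hdr {
    uint8_t  ver_ihl;
    uint8_t  tos;
    uint16_t total_len;
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  proto;
    uint16_t csum;
    uint32_t saddr;
    uint32_t daddr;
};

/*
 * Attacker's view: a received TCP RST or ICMP error carries TTL = initial - hops.
 * Stock stacks start at 32, 64, 128 or 255, so the smallest common initial
 * value at or above the observed TTL gives a hop-count estimate. With a
 * fixed, stock initial TTL that estimate is normally exact and tells the
 * attacker how many router hops away the sensor sits.
 */
int infer_hops(uint8_t observed)
{
    static const int initials[] = { 32, 64, 128, 255 };
    for (size_t i = 0; i < sizeof initials / sizeof initials[0]; i++) {
        if (initials[i] >= observed)
            return initials[i] - observed;
    }
    return -1; /* unreachable for 8-bit input; kept for completeness */
}

/* What the attacker sees after the packet has crossed `hops` routers. */
uint8_t observed_ttl(uint8_t initial_ttl, unsigned hops)
{
    return hops >= initial_ttl ? 0 : (uint8_t)(initial_ttl - hops);
}

/*
 * Sensor's side: choose the response TTL once per process start. A tiny
 * xorshift32 step is used so the choice is reproducible from the seed;
 * this is an illustration, not the generator used in the posted patch.
 * The lower bound keeps the TTL high enough for the packet to reach the target.
 */
uint8_t ttl_from_seed(uint32_t seed, uint8_t lo, uint8_t hi)
{
    uint32_t x = seed ? seed : 0x9E3779B9u; /* xorshift must not start at zero */
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    if (hi < lo) { uint8_t t = lo; lo = hi; hi = t; }
    return (uint8_t)(lo + x % (uint32_t)(hi - lo + 1));
}

/* Fill a precached header with the TTL chosen at startup. */
void precache_ip_header(struct ipv4_hdr *h, uint8_t proto, uint8_t ttl)
{
    memset(h, 0, sizeof *h);
    h->ver_ihl = 0x45;  /* IPv4, 20-byte header */
    h->ttl     = ttl;
    h->proto   = proto; /* 6 = TCP (reset), 1 = ICMP (error) */
}

int main(void)
{
    const unsigned hops = 3; /* constructed distance between attacker and sensor */

    /* Fixed stock TTL: the attacker's hop estimate is exact. */
    printf("fixed TTL 64, %u hops -> observed %u, inferred %d hops\n",
           hops, (unsigned)observed_ttl(64, hops),
           infer_hops(observed_ttl(64, hops)));

    /* Randomized once at start and shared by both precached headers: the
       estimate is wrong unless the random value lands near a stock initial. */
    uint8_t ttl = ttl_from_seed((uint32_t)time(NULL), 32, 255);
    struct ipv4_hdr rst_hdr, icmp_hdr;
    precache_ip_header(&rst_hdr, 6, ttl);
    precache_ip_header(&icmp_hdr, 1, ttl);
    printf("random TTL %u, %u hops -> observed %u, inferred %d hops\n",
           (unsigned)rst_hdr.ttl, hops, (unsigned)observed_ttl(rst_hdr.ttl, hops),
           infer_hops(observed_ttl(icmp_hdr.ttl, hops)));
    return 0;
}
```

Two caveats a deployer would want: the lower bound of the random range must stay above the real hop count to the target, or the reset never arrives; and a TTL that sits nowhere near 64, 128 or 255 does not resemble any stock TCP/IP stack, so this hides the sensor's distance rather than its presence.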

