[Snort-devel] FlexResp "fix"...

Abe L. Getchell abegetchell at ...1785...
Mon Jan 20 14:40:07 EST 2003

Hi guys,
	You know, I just thought of something.  It would be bad if the
packets were generated with a randomized TTL of say, three.  Sooooooo,
I'm going to fix the patch to specify a minimum TTL of 64 and repost it
when that's complete.  I had a feeling I was forgetting something. =)


Abe L. Getchell
Security Engineer
abegetchell at ...1785...

> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net
> [mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of Abe L. Getchell
> Sent: Friday, January 17, 2003 12:26 AM
> To: snort-devel at lists.sourceforge.net
> Subject: [Snort-devel] FlexResp "fix"...
>
> Greetings all!
> 	Long time no see, been busy. =)  Remember a loooooong time ago
> when I posted a message to the devel list about the possibility of an
> attacker being able to determine what segment a Snort sensor was
> sitting on by looking at the TTL in the IP header of TCP resets and
> ICMP error messages that flexresp sends back to him?  Well, the topic
> came up again when I was discussing active response with a friend who
> works for Enterasys yesterday and it got me thinking, so I made some
> changes to sp_respond.c and tested them out this evening.  The diff
> attached to this e-mail will cause a random TTL to be generated for
> the precached IP headers used for TCP reset and ICMP error packets
> every time Snort is started.
> 	Only generating a randomized TTL once every time Snort is
> started has some advantages as opposed to other solutions that were
> discussed a while back (check the list archives for details).  It
> doesn't become a fingerprint of Snort to send out flexresp packets
> with TTLs that jump all over the place or simply increment/decrement;
> since the TTL is randomized only once every time Snort is started, it
> doesn't place a huge amount of overhead on the box as opposed to doing
> randomization for every flexresp packet it sends out; the TTL changes
> only every time Snort is restarted, so it would be consistent for the
> short term (to keep things from looking TOO suspicious to a less
> experienced attacker) yet would change in the long term (just enough
> to maybe keep a less experienced attacker scratching his head); and it
> allows the current system of precaching IP headers to stay in place
> without major changes to the way flexresp works... again.
> 	Please keep in mind that this is my first submission to have
> something changed, so please tell me if I screwed anything up or need
> to provide any additional information.  Also keep in mind that I'm not
> a programmer, so if I botched something in the VERY few lines of code
> I actually touched, feel free to bonk me over the head.  Hope
> everyone's been doing well, let me know if you have any questions!
> Thanks,
> Abe
> --
> Abe L. Getchell
> Security Engineer
> abegetchell at ...1785...
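
The once-per-start TTL choice with the floor of 64 discussed in this thread, as an added sketch that is not the attached diff and not Snort's sp_respond.c code. The function names, the 255 upper bound and the use of /dev/urandom are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define RESP_TTL_MIN 64   /* floor named in the follow-up message */
#define RESP_TTL_MAX 255  /* assumed ceiling: largest 8-bit TTL value */

/* Map any raw random value into [RESP_TTL_MIN, RESP_TTL_MAX]. */
uint8_t clamp_ttl(uint32_t raw)
{
    uint32_t span = RESP_TTL_MAX - RESP_TTL_MIN + 1;  /* 192 values */
    return (uint8_t)(RESP_TTL_MIN + raw % span);
}

/* Chosen on the first call only; every cached header reuses the value. */
uint8_t startup_ttl(void)
{
    static int chosen = 0;
    static uint8_t ttl;
    if (!chosen) {
        uint32_t raw = 0;
        FILE *f = fopen("/dev/urandom", "rb");
        if (f == NULL || fread(&raw, sizeof raw, 1, f) != 1)
            raw = (uint32_t)time(NULL);   /* weak fallback seed */
        if (f != NULL)
            fclose(f);
        ttl = clamp_ttl(raw);
        chosen = 1;
    }
    return ttl;
}

/* TTL left after `hops` routers each decrement it, or -1 if a router
 * drops the packet because the TTL reached zero on the way. */
int ttl_on_arrival(uint8_t initial, unsigned hops)
{
    return hops >= initial ? -1 : (int)initial - (int)hops;
}

int main(void)
{
    printf("startup TTL: %u\n", (unsigned)startup_ttl());
    printf("TTL 3 over 5 hops: %d\n", ttl_on_arrival(3, 5));
    printf("TTL 64 over 5 hops: %d\n", ttl_on_arrival(64, 5));
    return 0;
}
```

A response sent with TTL 3 never reaches a peer five hops away, which is the failure the floor prevents.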
