[Snort-sigs] snort rule documentation (#522)

dank at ...1581... dank at ...1581...
Mon Jun 9 06:39:16 EDT 2003

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Tiny Fragments";
fragbits:M; dsize: < 25; classtype:bad-unknown; sid:522; rev:1;)
An IPv4 fragment of dubiously small nature was seen.
Many IDSs are known to have trouble reassembling IP fragments, and can
miss an attack carried over such means.  Firewalls suffer from the same
issues, and can be tricked into allowing packets through that should
normally be rejected.  Furthermore, there is a small history of OS issues
related to unorthodox fragmentation.
Detailed Information:
IPv4 manages to adapt to various link layer protocols on a route via the
fragmentation mechanism outlined in its RFC.  A router connecting two
carrying media of varying MTU (Maximum Transmission Unit) can fragment
packets of size too large to transmit on one wire before dispatch.  When
datagrams stay within one MTU, the maximum packet sizes possible can be
used without fragmentation, thus pairing flexibility with efficiency.

Historically, handling of fragmentation has been less than stellar in
both IP stacks and the IDSs designed to protect them.  While the limited
number of attacks based on fragmentation itself are easily picked up by
anomaly- or signature-based systems, an IDS which fails to properly
reassemble fragments can miss any attack which is so fragmented.
Firewalls have often proved susceptible to fragmented TCP or UDP
headers, allowing traffic which should have been filtered to pass.
Affected Systems:
Any IDS/firewall lacking proper IPv4 fragment reassembly.
Attack Scenarios:
An attacker may pass a fragment containing a TCP/UDP header which is
allowed to pass through a firewall, then follow this up with a fragment
which overwrites the previous headers, but is allowed due to poor
connection tracking.

An attacker may fragment an exploit so that it is neither detected by an
IDS nor filtered by IPS products.
Ease of Attack:
Tools have been written to trivially fragment traffic; Dug Song's
fragrouter program is a well-known example.
False Positives:
It is unlikely that such a fragment would be seen in standard use of
IPv4; while the last fragment in a series is typically smaller than the
others, this signature explicitly matches the More Fragments bit, so the
final fragment never triggers it.  Nonetheless, a pedantic reading of the
IPv4 RFC allows a non-final fragment this small, so long as its data
length is a non-zero multiple of 8 (fragment offsets are expressed in
8-octet units), i.e. 8, 16 or 24 bytes.
False Negatives:
Attacks may still be fragmented into larger chunks, which this will not
alert on.
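As an added worked example (not part of the original post or of the Snort
distribution), the following Python reconstructs what this rule actually
tests and why it matters: it builds IPv4 fragments inline (addresses, ports
and the function names are placeholders chosen for the demo), checks each
against the rule's conditions (MF set, fewer than 25 bytes after the IP
header) and the RFC 791 multiple-of-8 constraint, and then reassembles an
overlapping pair under a "first fragment wins" and a "last fragment wins"
policy to show how two devices can disagree about the TCP flags they saw.

```python
"""Added example: the conditions behind Snort sid:522 ("MISC Tiny Fragments")
and the overlapping-fragment trick it is meant to surface.  Not part of the
original post or of Snort; packets below are constructed inline for the demo."""
import struct

IP_MF = 0x2000           # More Fragments bit in the flags/fragment-offset field
IP_OFFSET_MASK = 0x1FFF  # fragment offset, expressed in 8-octet units
IHL_NO_OPTIONS = 20

def build_ipv4(payload, mf=False, frag_offset=0, proto=6, ident=0x1234):
    """Minimal IPv4 packet (no options; checksum left zero, since fragbits/dsize
    do not depend on it).  Source/destination addresses are placeholders."""
    if frag_offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 octets")
    flags_frag = (IP_MF if mf else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, IHL_NO_OPTIONS + len(payload), ident, flags_frag,
                         64, proto, 0, bytes([10, 0, 0, 1]), bytes([192, 168, 1, 10]))
    return header + payload

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", pkt[2:4])
    flags_frag, = struct.unpack("!H", pkt[6:8])
    return {"ihl": ihl,
            "mf": bool(flags_frag & IP_MF),
            "offset": (flags_frag & IP_OFFSET_MASK) * 8,
            "payload": pkt[ihl:total_len]}

def sid522_matches(pkt, max_dsize=25):
    """fragbits:M; dsize:<25  ->  MF set and fewer than 25 bytes after the IP header."""
    f = parse_ipv4(pkt)
    return f["mf"] and len(f["payload"]) < max_dsize

def is_rfc791_shaped(pkt):
    """RFC 791: every fragment except the last must carry a multiple of 8 octets."""
    f = parse_ipv4(pkt)
    return (not f["mf"]) or (len(f["payload"]) > 0 and len(f["payload"]) % 8 == 0)

def reassemble(frags, policy="first"):
    """Naive reassembly: 'first' keeps the earliest data seen for an octet,
    'last' lets later fragments overwrite.  Real stacks differ exactly here."""
    parts = [(parse_ipv4(p)["offset"], parse_ipv4(p)["payload"]) for p in frags]
    total = max(off + len(data) for off, data in parts)
    buf, seen = bytearray(total), bytearray(total)
    for off, data in parts:
        for i, b in enumerate(data):
            if policy == "last" or not seen[off + i]:
                buf[off + i] = b
                seen[off + i] = 1
    return bytes(buf)

def tcp_flags(segment):
    return segment[13]   # flags byte of a TCP header (data offset/reserved is byte 12)

def tcp_header(flags, sport=40000, dport=80):
    # 20-byte TCP header plus 4 bytes of data so the fragment is a multiple of 8
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags,
                       8192, 0, 0) + b"\x00" * 4

# Constructed sample traffic
TINY_FIRST = build_ipv4(struct.pack("!HHI", 40000, 80, 1), mf=True)  # 8 bytes: ports + seq only
TINY_LAST  = build_ipv4(b"x" * 10, mf=False, frag_offset=1480)       # small, but the final fragment
FULL_FIRST = build_ipv4(b"\x00" * 1480, mf=True)                     # ordinary first fragment
ODD_FIRST  = build_ipv4(b"x" * 12, mf=True)                          # MF set, not a multiple of 8

# Overlap: fragment 1 carries an innocuous ACK header, fragment 2 rewrites
# bytes 8..23 (which include the flags byte) with a SYN
OVERLAP = [build_ipv4(tcp_header(0x10), mf=True),
           build_ipv4(tcp_header(0x02)[8:24], mf=False, frag_offset=8)]

def demo():
    return {
        "tiny_first_alerts": sid522_matches(TINY_FIRST),
        "tiny_last_alerts": sid522_matches(TINY_LAST),
        "full_first_alerts": sid522_matches(FULL_FIRST),
        "odd_first_alerts": sid522_matches(ODD_FIRST),
        "odd_first_rfc_shaped": is_rfc791_shaped(ODD_FIRST),
        "overlap_first_wins_flags": tcp_flags(reassemble(OVERLAP, "first")),
        "overlap_last_wins_flags": tcp_flags(reassemble(OVERLAP, "last")),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:26} {v}")
```

The 24-byte first fragment of the overlapping pair is exactly the kind of
packet this rule fires on, while the 1480-byte first fragment of a normally
fragmented exploit slips under it, which is the false negative noted above.
Whether the reassembled segment ends up as an ACK or a SYN depends only on
the reassembly policy, so a firewall and the host behind it can legitimately
disagree about what was sent.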
Corrective Action:

Contributors:
Original rule author unknown
Documented by Nick Black, Reflex Security <dank at ...1582...>
Additional References:
IPv4 RFC:  http://www.faqs.org/rfcs/rfc791.html

nick black <dank at ...1582...>
"np:  nondeterministic polynomial-time
the class of dashed hopes and idle dreams." - the complexity zoo