[Snort-sigs] how can we alert on web visiting activity?

Jason Brvenik jasonb at ...435...
Thu Nov 19 17:29:57 EST 2009


On Thu, Nov 19, 2009 at 4:42 PM, Eoin Miller
<eoin.miller at ...3415...> wrote:
> This has bit us in the rear as well. Adding the following lines to your
> snort.conf file will also act the same as using the "-k" option. Here is
> a section of our snort.conf related to this:
>
> ---snip---
> #
> # Don't drop stuff because of the checksum (snort -k)
> #
> config checksum_mode: none
> ---snip---
>
> I am sure there is a great reason to allow packets to be ignored due to
> bad checksums, but having this be default behavior can cause some issues
> for users. I guess in theory the network devices/clients/servers should
> be disregarding the packets due to the bad checksums?
>

Yes there is. Accepting packets for analysis that have bad checksums
(and thus will not be processed by the targets) presents evasion
opportunities for the attacker.

For the body of work surrounding it, check out the first few links in
these Google searches.

http://www.google.com/search?q=checksum+ips+evasion
http://www.google.com/search?q=checksum+ids+evasion
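The evasion Jason describes is the classic "insertion" attack: the attacker sends a segment with a deliberately bad TCP checksum, the endpoint silently discards it, but a sensor that skips checksum verification (checksum_mode: none) accepts it and reassembles a different byte stream from the one the endpoint saw. The following Python script is an added example, not code from the thread, Snort or any of the linked papers. It hand-rolls the RFC 1071 TCP checksum over a constructed pair of IPv4 addresses, builds a few constructed segments, and runs them through a toy reassembler with a "first segment to cover a byte wins" overlap policy (an assumption chosen to keep the demonstration short; real stacks and Snort's target-based stream reassembly have richer policies, but the checksum point is the same). The verify_checksums flag models the checksum_mode setting quoted above.

```python
import socket
import struct

# Constructed endpoints for the TCP pseudo-header (any pair of addresses would do).
SRC_IP = "10.0.0.1"
DST_IP = "10.0.0.2"
TCP_HEADER_LEN = 20            # minimal header, no options


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 ones' complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"        # pad an odd trailing byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:         # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(segment: bytes, src_ip: str = SRC_IP, dst_ip: str = DST_IP) -> int:
    """TCP checksum: ones' complement of the sum over pseudo-header + segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def checksum_ok(segment: bytes) -> bool:
    """A receiver sums everything including the checksum field; an intact
    segment sums to 0xFFFF, whose complement is zero."""
    return tcp_checksum(segment) == 0


def build_segment(seq: int, payload: bytes, corrupt: bool = False,
                  sport: int = 40000, dport: int = 80) -> bytes:
    """Build a PSH/ACK segment. With corrupt=True the checksum is deliberately
    wrong, so a real endpoint drops the segment without ever seeing the payload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      (TCP_HEADER_LEN // 4) << 4, 0x18, 65535, 0, 0)
    csum = tcp_checksum(hdr + payload)
    if corrupt:
        csum ^= 0x0001         # flipping one bit always fails verification
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def reassemble(segments, verify_checksums: bool) -> bytes:
    """Toy reassembler: the first segment to supply a byte wins (assumed policy).
    verify_checksums=False models 'config checksum_mode: none'."""
    stream = {}
    for seg in segments:
        if verify_checksums and not checksum_ok(seg):
            continue           # what every real endpoint does
        seq = struct.unpack("!I", seg[4:8])[0]
        for i, byte in enumerate(seg[TCP_HEADER_LEN:]):
            stream.setdefault(seq + i, byte)
    return bytes(stream[k] for k in sorted(stream))


def attacker_segments():
    """Constructed insertion attack: chaff with a bad checksum arrives first,
    then the real bytes for the same sequence range."""
    return [
        build_segment(1000, b"GET /"),
        build_segment(1005, b"index.html", corrupt=True),   # only a non-verifying IDS keeps this
        build_segment(1005, b"etc/passwd"),                 # the endpoint keeps this
        build_segment(1015, b" HTTP/1.0\r\n"),
    ]


SIGNATURE = b"/etc/passwd"     # the content a rule would look for


def endpoint_view() -> bytes:
    """What the target host actually receives (it always verifies checksums)."""
    return reassemble(attacker_segments(), verify_checksums=True)


def ids_view(verify_checksums: bool) -> bytes:
    """What the sensor reassembles under the given checksum_mode."""
    return reassemble(attacker_segments(), verify_checksums)


def alert(view: bytes) -> bool:
    return SIGNATURE in view


if __name__ == "__main__":
    print("endpoint sees:                  ", endpoint_view())
    print("IDS (checksum_mode: all) alerts: ", alert(ids_view(True)))
    print("IDS (checksum_mode: none) alerts:", alert(ids_view(False)))
```

With verification on, the sensor and the endpoint reassemble the same request and the signature fires; with verification off, the chaff segment wins the overlap and the sensor sees a harmless "GET /index.html" while the host serves the real request. That is the trade-off behind the default: turning checksum_mode to none fixes dropped alerts on networks with checksum offload or broken middleboxes, but it hands the attacker this insertion primitive, so it is better to fix the capture point (or disable offload on the sniffing interface) than to switch verification off.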
