[Snort-users] spp_defrag.c beta 14

Dragos Ruiu dr at ...50...
Tue Jul 25 18:32:55 EDT 2000


Correct.  The standard "stealth" approach is to use
fragrouter to hide the attack.  And if this does
indeed work stably, then, I think that now snort
plays with the big boys..... because a surprising
number of even the big $$$ IDS and other security 
systems are vulnerable to fragments (or completely 
ignore them, yikes!). We won't mention the name
of any extremely large companies that sell 2y old 
Pentium technology based rackmount IDS units 
for $20K that completely ignore fragments.... nope....
But they'll probably just swipe the code when they 
assemble their next major release... next year.... :-)

I have one more enhancement release planned for
devel.  Call it 2.0.... it will have controllable reassembly
behaviour to mimic your favorite platforms (likely not
multiple behaviours yet, just pick one, though the latter
is planned for in my architecture).  And the next one
will do better alarming and have some threshold
alarms for things like fragment loss and some DoS
conditions.

And if my hunch is correct... it will not only play with the
big boys... but it could well smoke their ass in real life high 
load traffic scenarios - which I've been analyzing. I would
like to see even Mr. Graham's bazillion of pps full all layer
protocol analysis boasting software keep up to a good
BSD system in the presence of heavy fragmentation with
this reassembly system. But, talk and hypothetical analysis
is cheap, let's bring on the real benchmarks.... or the 
real bugs.... :-)

cheers,
--dr


On Tue, 25 Jul 2000, Christian Hammers wrote:
> > Oh, and if it works for you... I would like to hear about it too... :-)  
> > Especially on loaded links... --dr
> Just a question:
> This preprocessor assembles fragmented IP packets so that snort does
> not get fooled while looking for "content" signatures when a packet
> is broken into many very small pieces. Right?
>
-- 
dursec.com ltd. / kyx.net - we're from the future    http://www.dursec.com
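An added illustration of the point in the quoted question (example code written for this page, not Snort's spp_defrag): a minimal IPv4 fragment reassembler, with a content check run once on the raw fragments and once on the reassembled datagram. The signature, addresses and request are constructed; holes and overlapping fragments are simply rejected rather than resolved with the platform-specific policies the post mentions.

```python
import struct
SIGNATURE = b"/cgi-bin/phf"   # constructed pattern; sample_fragments() splits it

def build_fragment(ident, offset, more, payload):
    """Minimal IPv4 header (no options, checksum left 0) plus payload."""
    assert offset % 8 == 0, "fragment offsets are in 8-byte units"
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return header + payload

def parse_fragment(pkt):
    """Return (ident, byte offset, more-fragments flag, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return ident, (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), pkt[ihl:total_len]

def reassemble(fragments):
    """Map ident -> full payload for datagrams whose fragments all arrived. Holes and
    overlaps are rejected outright; platform-specific overlap policies are out of scope."""
    by_id = {}
    for pkt in fragments:
        ident, offset, more, data = parse_fragment(pkt)
        entry = by_id.setdefault(ident, {"chunks": {}, "total": None})
        entry["chunks"][offset] = data
        if not more:                      # last fragment fixes the total length
            entry["total"] = offset + len(data)
    complete = {}
    for ident, entry in by_id.items():
        buf = bytearray()
        for off in sorted(entry["chunks"]):
            if off != len(buf):           # hole or overlap: not reassemblable
                break
            buf += entry["chunks"][off]
        else:
            if len(buf) == entry["total"]:
                complete[ident] = bytes(buf)
    return complete

def matches_per_fragment(fragments):   # what a check on raw fragments sees
    return any(SIGNATURE in parse_fragment(p)[3] for p in fragments)

def matches_after_reassembly(fragments):
    return any(SIGNATURE in d for d in reassemble(fragments).values())

def sample_fragments():
    """Constructed: one request cut into 8-byte fragments (the 'small pieces' case)."""
    req = b"GET /cgi-bin/phf HTTP/1.0\r\n"
    return [build_fragment(7, off, off + 8 < len(req), req[off:off + 8])
            for off in range(0, len(req), 8)]
```

The same fragments delivered out of order still reassemble, while a set with a missing fragment yields nothing to match against, which is the "fragment loss" condition the post wants to alarm on.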