[Snort-users] IDS246 - Large ICMP Packet, can be circumvented, & false positives

Graham Bevan gbevan at ...830...
Wed Nov 22 04:48:41 EST 2000

     The rule for IDS246 produces false positives for Path-MTU Discovery.
These packets can be distinguished by the fact that they have the "Don't
Fragment" (DF) bit set.

     I could not find a method in Snort to specify a check for DF=0, so as
an alternative I tried modifying the dsize:<800 to be dsize:<1500. 1500
being the max MTU for the ethernet interface. If a packet arrives larger
than this, then it must have traversed the network in fragments. Any ICMP
echo request larger than 1500 bytes (and DF=0) therefore remains suspect!

     However, this did not pick up a Ping-of-Death attack. This is because
the large ICMP packets I sent were fragmented over the network, therefore
snort only saw packets of max size of the interface MTU!

     It is my belief that the original IDS246 rule can be circumvented to
ignore delivery of Ping-of-Death by forcing the ICMP ECHO-REQUEST packet to
fragment into packets of less than 800 bytes. I cannot see an immediate
solution to this problem.

     The only way I can think of to remove false positives for PMTU is to
test for the DF flag.  Does anybody know how to do this with snort?

     Does anybody have any thoughts on the above circumvention of the rule
for Ping-of-Death attacks?

     G.L. Bevan.
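
The two effects described in the message above (a DF-set packet tripping a per-packet size test, and a fragmented datagram passing under it) can be seen by comparing a per-packet check with one that tracks the reassembled size per datagram. This is an added example, not part of the original post and not Snort code: the function names are hypothetical, the sample input is constructed IPv4 headers only, and 800 is the threshold quoted in the post.

```python
import struct

ICMP, ICMP_HDR, IP_MAX = 1, 8, 65535

def parse_ipv4(pkt):
    """Extract the fields needed for the DF test and fragment accounting."""
    vihl, _, total, ident, fo, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"key": (src, dst, proto, ident), "proto": proto, "ihl": ihl,
            "df": bool(fo & 0x4000),
            "offset": (fo & 0x1FFF) * 8,      # offset field counts 8-byte units
            "payload": total - ihl}           # IP payload carried by this packet

def per_packet_alerts(packets, threshold=800):
    """Size test applied to each packet in isolation; returns the IP IDs flagged."""
    return sorted({h["key"][3] for h in map(parse_ipv4, packets)
                   if h["proto"] == ICMP and h["payload"] > threshold})

def per_datagram_verdicts(packets, threshold=800):
    """Judge the reassembled size: highest (offset + payload) seen per datagram."""
    seen = {}
    for h in map(parse_ipv4, packets):
        if h["proto"] != ICMP:
            continue
        d = seen.setdefault(h["key"], {"end": 0, "df": False, "ihl": h["ihl"]})
        d["end"] = max(d["end"], h["offset"] + h["payload"])
        d["df"] = d["df"] or h["df"]
    verdicts = {}
    for key, d in seen.items():
        if d["ihl"] + d["end"] > IP_MAX:
            v = "oversized"            # would reassemble past the IPv4 maximum
        elif d["df"]:
            v = "df-set"               # DF=1: Path-MTU Discovery candidate
        elif d["end"] - ICMP_HDR > threshold:
            v = "large-icmp"           # large once reassembled, DF=0
        else:
            v = "ok"
        verdicts[key[3]] = v
    return verdicts

def hdr(ident, flags_off, payload_len):
    """Constructed 20-byte IPv4 header only (no payload bytes), protocol ICMP."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_off,
                       64, ICMP, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

SAMPLE = [  # constructed sample traffic, keyed by IP ID
    hdr(1, 0x4000, 1480),                                             # DF set
    hdr(2, 0x2000, 512), hdr(2, 0x2000 | 64, 512), hdr(2, 128, 512),  # 3 x 512
    hdr(3, 0x1FFF, 512),                                              # past 65535
    hdr(4, 0x0000, 64),                                               # small ping
]
```

On the sample, the per-packet test flags only the DF-set datagram (ID 1), while the per-datagram view separates it from the fragmented datagrams (IDs 2 and 3) that never exceed the threshold in any single packet.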
