[Snort-users] Re: OpenBSD IPsec DoS signature

Matthew Franz mfranz at ...589...
Sun Oct 8 17:01:28 EDT 2000


It is not IKE (therefore no port 500 or any port)

It will be IP protocol 50 (AH) or 51 (ESP) -- or vice versa.

A more interesting sig, though, would be the nmap protocol scan.  Does
snort have port scan detection yet?  I imagine you would use the same type
of algorithm except use IP protocols (only 8 bits) instead of ports.  I
believe NetRanger & RealSecure have alerts for "Unknown" IP Protocols so
that could also be an option.

-mdf

-------------------------------------
Matthew Franz        mfranz at ...589...
Security Research Engineer
Security Technologies Assessment Team

On Fri, 6 Oct 2000, Theo de Raadt wrote:

> Date: Fri, 6 Oct 2000 17:06:25 -0600 (MDT)
> From: Theo de Raadt <deraadt at ...588...>
> To: deraadt at ...588..., dr at ...381..., snort-users at lists.sourceforge.net
> Cc: mfranz at ...589...
> Subject: Re: OpenBSD IPsec DoS signature
> 
> >A while back I tested out an OpenBSD IPsec DoS for Matt Franz
> >and he did a bugtraq advisory for it a week back or so. Testing it
> >was kinda unpleasant... soo...
> >
> >It was quickly fixed by Theo (<1 day on a weekend nonetheless) but I 
> 
> I did not write the fix.  angelos at ...590... did.
> 
> >think that it exists in the stock 2.7 systems with IPsec enabled so we should
> >have a sig for it... (I'm purposely avoiding the "silent fix" controversy that
> >was raised by K2 in bugtraq....  But Theo's somewhat irritated "elite" post had me LOL)
> >
> >I wanted to write a sig for it, but testing out which port causes the crash is
> >err... painful.  The culprit is an IP packet with an empty payload, has anyone
> >nailed down the port to narrower (pref single) value/range? My first guess
> >is isakmp/500 but I happen to use OpenBSD for the boxes I like to keep 
> >running and count on and I'm not up to more syscrashes just yet...
> 
> It is very unlikely to be isakmpd's port.
> 
> >Maybe if Theo is still on-line, roaming the streets of Stockholm guerrilla
> >surfing on open wavelan ports he finds, he could enlighten us a little about his
> >fix... :-) Or if someone else knows or can test with nmap -sO the culprit
> >port....
> 
> I am still doing that, but unfortunately I am running out of battery
> since I didn't buy a power adapter yet.  There's very little wavelan
> in this part of downtown, but for some reason I get it loud and clear
> if I place my laptop at just a certain angle on the hotel room
> bed... can't ask for better, I suppose.
> 
> 
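The two detection ideas in this thread (a signature for an AH/ESP datagram with an empty payload, and a port-scan-style counter run over the 8-bit IP protocol field, with an extra alert for protocol numbers the sensor does not recognise) as an added example; this is my code, not Snort's and not the posters', and it assumes packet records are plain dicts with constructed fields, a constructed allow-list and thresholds. Per IANA, ESP is protocol 50 and AH is 51.

```python
from collections import defaultdict

# IANA protocol numbers: ESP is 50, AH is 51.
ESP, AH = 50, 51
# Constructed allow-list of protocols the sensor expects; a real sensor would
# load IANA's protocol-numbers table or local policy instead (assumption).
KNOWN_PROTOCOLS = {1, 2, 6, 17, 41, 47, 50, 51, 58, 89}
SCAN_THRESHOLD = 6   # distinct IP protocols from one source to one host ...
WINDOW = 5.0         # ... within this many seconds (constructed values)

def empty_ipsec_payload(pkt):
    """The condition discussed in the thread: AH or ESP with nothing after the IP header."""
    return pkt["proto"] in (ESP, AH) and pkt["payload_len"] == 0

def detect(packets):
    """Return (alert_name, src, dst, detail) tuples for a time-ordered packet list."""
    alerts = []
    history = defaultdict(list)   # (src, dst) -> [(ts, proto)] seen inside the window
    scan_alerted = set()          # pairs already reported, so a scan is reported once
    for p in packets:
        if empty_ipsec_payload(p):
            alerts.append(("ipsec-empty-payload", p["src"], p["dst"], p["proto"]))
        if p["proto"] not in KNOWN_PROTOCOLS:
            alerts.append(("unknown-ip-proto", p["src"], p["dst"], p["proto"]))
        key = (p["src"], p["dst"])
        hist = history[key]
        hist.append((p["ts"], p["proto"]))
        # Same idea as a port-scan counter, but keyed on the protocol byte.
        hist[:] = [(t, pr) for t, pr in hist if p["ts"] - t <= WINDOW]
        distinct = {pr for _, pr in hist}
        if len(distinct) >= SCAN_THRESHOLD and key not in scan_alerted:
            scan_alerted.add(key)
            alerts.append(("ip-proto-scan", p["src"], p["dst"], len(distinct)))
    return alerts

def pkt(ts, src, dst, proto, payload_len):
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "payload_len": payload_len}

# Constructed sample traffic: ordinary TCP/ICMP, one empty ESP datagram, then a
# sweep of protocol numbers 0..11 from another host, as a protocol scan produces.
SAMPLE = [pkt(0.0, "10.0.0.5", "10.0.0.1", 6, 40),
          pkt(0.5, "10.0.0.5", "10.0.0.1", 1, 8),
          pkt(1.0, "10.0.0.9", "10.0.0.1", ESP, 0)] + [
          pkt(2.0 + i * 0.1, "10.0.0.7", "10.0.0.1", proto, 0)
          for i, proto in enumerate(range(0, 12))]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```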