[Snort-users] Re: OpenBSD IPsec DoS signature

Martin Roesch roesch at ...421...
Wed Oct 11 00:53:45 EDT 2000


Snort has portscan detection (plus IP defrag & TCP stream reassembly) either
in the current release version or in CVS for the pending 1.7 release.  Picking
up "odd proto" scans is something it doesn't do yet, but it's definitely
something that wouldn't be all that hard to throw in there.  Arbitrary
protocol analysis is something that we're currently toying with in the
development end of the Snort world...

    -Marty

Matthew Franz wrote:
> 
> It is not IKE (therefore no port 500 or any port)
> 
> It will be IP protocol 50 (AH) or 51 (ESP) -- or vice versa.
> 
> A more interesting sig, though would be the nmap protocol scan.  Does
> snort have port scan detection yet?  I imagine you would use the same type
> of algorithm except use IP protocols (only 8 bits) instead of ports.  I
> believe NetRanger & RealSecure have alerts for "Unknown" IP Protocols so
> that could also be an option.
> 
> -mdf
> 
> -------------------------------------
> Matthew Franz        mfranz at ...589...
> Security Research Engineer
> Security Technologies Assessment Team
> 
> On Fri, 6 Oct 2000, Theo de Raadt wrote:
> 
> > Date: Fri, 6 Oct 2000 17:06:25 -0600 (MDT)
> > From: Theo de Raadt <deraadt at ...588...>
> > To: deraadt at ...588..., dr at ...381..., snort-users at lists.sourceforge.net
> > Cc: mfranz at ...589...
> > Subject: Re: OpenBSD IPsec DoS signature
> >
> > >A while back I tested out a OpenBSD IPsec DoS for Matt Franz
> > >and he did a bugtraq advisory for it a week back or so. Testing it
> > >was kinda unpleasant... soo...
> > >
> > >It was quickly fixed by Theo (<1 day on a weekend nonetheless) but I
> >
> > I did not write the fix.  angelos at ...590... did.
> >
> > >think that it exists in the stock 2.7 systems with IPsec enabled so we should
> > >have a sig for it... (I'm purposely avoiding the "silent fix" controversy that
> > >was raised by K2 in bugtraq....  But Theo's somewhat irritated "elite" post had me LOL)
> > >
> > >I wanted to write a sig for it, but testing out which port causes the crash is
> > >err... painful.  The culprit is an IP packet with an empty payload, has anyone
> > >nailed down the port to narrower (pref single) value/range? My first guess
> > >is isakmp/500 but I happen to use OpenBSD for the boxes I like to keep
> > >running and count on and I'm not up to more syscrashes just yet...
> >
> > It is very unlikely to be isakmpd's port.
> >
> > >Maybe if Theo is still on-line, roaming the streets of Stockholm guerrilla
> > >surfing on open wavelan ports he finds, he could enlighten us a little about his
> > >fix... :-) Or if someone else knows or can test with nmap -sO the culprit
> > >port....
> >
> > I am still doing that, but unfortunately I am running out of battery
> > since I didn't buy a power adapter yet.  There's very little wavelan
> > in this part of downtown, but for some reason I get it loud and clear
> > if I place my laptop at just a certain angle on the hotel room
> > bed... can't ask for better, I suppose.
> >
> >
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org



More information about the Snort-users mailing list