[Snort-users] ack!@

Max Vision vision at ...4...
Sun Jan 28 23:39:37 EST 2001


Well somehow how I completely missed that there is new functionality in
the rules parsing allowing for intelligent(!) consideration of the TCP
flags.  This is new to Snort 1.7 so listen up! :)

         case '!': /* not, fire if all flags specified are not present,
                      other are don't care */
             idx->mode = M_NOT;
         case '*': /* star or any, fire if any flags specified are
                      present, other are don't care */
             idx->mode = M_ANY;
         case '+': /* plus or all, fire if all flags specified are
                      present, other are don't care */
             idx->mode = M_ALL;

This is extremely important for people who care about thwarting a gaping
detection hole.  For as long as snort's existed (pre 1.7) it was possible
to blow right past the TCP signatures just by adding URG or the reserved
bits, or by stripping the PSH bit. (other evasion tactics besides)

Now for all of those TCP signatures that we are specifying "flags: PA;" we
should instead say "flags: A+;" (A* would also work).

A huge Thank You goes to Brian Caswell (@mitre.org), who recently sent me
an email saying something like:
   Shouldn't the rules with "flags: AP;" be "flags: A+;"
I was quite surprised to see this A+ reference and investigated the
sources immediately... HAPPY SURPRISE. :)

That's what I get for not inspecting the code more closely in a new Snort
release... it was also mentioned in Marty's guide to writing snort rules
in his last update.

Over the next few hours I'll be updating the 116 intrusion events (and
signatures) from arachNIDS that are affected by this.

Have fun!

More information about the Snort-users mailing list