[Snort-users] BPF for ECN Bits

Max Vision vision at ...4...
Thu May 24 18:46:11 EDT 2001


Hi,

You should use the rules from arachNIDS.  I posted a while back that the
initial TTL for queso probes is always 255.  Normal Linux traffic initial
TTL will almost always be 64.  Therefore you can detect queso probes with a
high reliability by watching for ttl > 225 or so.

http://whitehats.com/info/IDS29

For Snort 1.7:
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS29/probe-Queso Fingerprint attempt"; ttl: >225; flags: S12;)

For Snort 1.8:
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS29/probe-Queso Fingerprint attempt"; ttl: >225; flags: S12; classtype: info-attempt; reference: arachnids,29;)

Max
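An added illustration, not part of the thread, of why the TTL-based IDS29 rule and the tcp[13] BPF filter behave differently: it evaluates both against constructed IPv4+TCP packets. It assumes the standard header layout (TCP flag byte at TCP offset 13, CWR=0x80, ECE=0x40, SYN=0x02) and that Snort's "flags: S12" means exactly SYN plus both reserved bits.

```python
import struct

def build_packet(ttl: int, tcp_flags: int) -> bytes:
    """Constructed sample packet: minimal IPv4 header + 20-byte TCP header.
    Only the fields the filters inspect (TTL, TCP flags) are meaningful."""
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH",
                      12345, 80, 0, 0, 0x50, tcp_flags, 8192, 0, 0)
    return ip + tcp

def ip_ttl(pkt: bytes) -> int:
    """TTL is byte 8 of the IPv4 header."""
    return pkt[8]

def tcp_flag_byte(pkt: bytes) -> int:
    """tcp[13] as BPF sees it: offset 13 into the TCP header."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    return pkt[ihl + 13]

def bpf_filter_drops(pkt: bytes) -> bool:
    """Joe's filter, 'not tcp[13] & 192 != 0': any packet with CWR or ECE
    set never reaches Snort, whatever else is in it."""
    return (tcp_flag_byte(pkt) & 192) != 0

def ids29_matches(pkt: bytes) -> bool:
    """Max's IDS29 rule: flags S12 (SYN + both reserved/ECN bits, nothing
    else) AND ttl > 225."""
    s12 = 0x02 | 0x40 | 0x80
    return tcp_flag_byte(pkt) == s12 and ip_ttl(pkt) > 225

def classify(pkt: bytes) -> str:
    """What each approach does with a packet."""
    if ids29_matches(pkt):
        return "ids29-alert"            # queso-style: ECN bits, TTL 255
    if bpf_filter_drops(pkt):
        return "invisible-under-bpf"    # ECN SYN from a real host, TTL 64
    return "passed"

if __name__ == "__main__":
    for name, ttl, flags in (("queso probe", 255, 0xC2),
                             ("linux ECN SYN", 64, 0xC2),
                             ("plain SYN", 64, 0x02)):
        print(f"{name:14s} -> {classify(build_packet(ttl, flags))}")
```

The middle case is Erik's point: the BPF filter hides a legitimate ECN-capable SYN (and any attack carried on ECN packets), while the IDS29 rule passes it and only alerts on the TTL-255 probe.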

On Thu, 24 May 2001, Erik Fichtner wrote:
>
> On Thu, May 24, 2001 at 12:19:21PM -0700, Joe McAlerney wrote:
> > I wrote this one a while back.  It was tested, and seems to work.
> > Please let me know if you find it is not doing the job.
> >
> > # snort <command options> not 'tcp[13] & 192 != 0'
>
> Well, it works, but it doesn't work.   It prevents snort from seeing
> ECNified packets--entirely.   Which means, any ECN host can attack you with
> impunity and you'll never see it.
>
> Better to just patch spp_portscan and remove the queso fingerprinting rules
> if ECN is giving you grief.   (spp_portscan needs a -dontflagecn option..)
>
>
> - --
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
> 703-333-5900