[Snort-users] Re: fragroute vs. snort: the tempest in a teacup

Francis Cianfrocca francis at ...5645...
Thu Apr 18 16:43:04 EDT 2002


Sorry for changing the subject, but what is the general state of the art 
on application-level firewalls? Are any of them ready for prime time?
-hedd

Dug Song wrote:

>On Wed, Apr 17, 2002 at 11:11:54PM +0000, Dragos Ruiu wrote:
>
>>First, this is not a snort-only issue, as I would wager other idses
>>have as many if not more evasion modes as well as sharing these with
>>Snort...
>>
>
>absolutely correct. Snort, i'd wager, does much better than most.
>
>most stateful inspection firewalls and "intrusion prevention" or other
>application-layer content filtering devices (e.g. Cisco NBAR) have
>similar vulnerabilities that may be tested with fragroute.
>
>>Most firewalls these days (especially Linux and OpenBSD ones)
>>actually do reassembly inbound.
>>
>
>this isn't quite true. most stateful inspection firewalls do "virtual
>reassembly" for IP fragments, and a few do basic window tracking for
>TCP connections, but will still allow most fragroute-style attacks
>through (e.g. duplicate overwriting TCP segments with older TCP
>timestamp options for PAWS elimination, short TTLs, etc.).
>
>your best bet (for the truly paranoid) is an application-layer
>firewall, but we all knew that already. :-)
>
>TCP scrubbers, as proposed by Malan, Paxson, et al. [1] [2] and
>implemented by Provos, Paxson, et al. [3] [4] are a good intermediate
>solution, but haven't found widespread deployment.
>
>>This was an interesting point discovered recently when it was
>>realized that the snort defragger was actually never getting touched
>>at all in some installations.
>>
>
>IP fragmentation is rare to begin with [5], so i wouldn't chalk this
>up to firewall magic - especially when all major firewalls still pass
>fragments in their default configuration, and ONLY OpenBSD pf and
>Linux netfilter can actually be configured to reassemble. even fewer
>track TCP windows, options, etc...
>
>-d.
>
>[1] http://www.eecs.umich.edu/~rmalan/publications/mwjhInfocomm2000.ps.gz
>[2] http://www.icir.org/vern/papers/norm-usenix-sec-01.ps.gz
>[3] http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_norm.c
>[4] http://www.mirrors.wiretapped.net/security/network-intrusion-detection/norm/
>[5] http://www.caida.org/outreach/papers/2001/Frag/
>
>---
>http://www.monkey.org/~dugsong/
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020418/66e7ad0d/attachment.html>


More information about the Snort-users mailing list