[Snort-users] Re: fragroute vs. snort: the tempest in a teacup
francis at ...5645...
Thu Apr 18 16:43:04 EDT 2002
Sorry for changing the subject, but what is the general state of the art
on application-level firewalls? Are any of them ready for prime time?
Dug Song wrote:
>On Wed, Apr 17, 2002 at 11:11:54PM +0000, Dragos Ruiu wrote:
>>First, this is not a snort-only issue, as I would wager other idses
>>have as many if not more evasion modes as well as sharing these with
>absolutely correct. Snort, i'd wager, does much better than most.
>most stateful inspection firewalls and "intrusion prevention" or other
>application-layer content filtering devices (e.g. Cisco NBAR) have
>similar vulnerabilities that may be tested with fragroute.
>>Most firewalls these days (especially Linux and OpenBSD ones)
>>actually do reassembly inbound.
>this isn't quite true. most stateful inspection firewalls do "virtual
>reassembly" for IP fragments, and a few do basic window tracking for
>TCP connections, but will still allow most fragroute-style attacks
>through (e.g. duplicate overwriting TCP segments with older TCP
>timestamp options for PAWS elimination, short TTLs, etc.).
>your best bet (for the truly paranoid) is an application-layer
>firewall, but we all knew that already. :-)
>TCP scrubbers, as proposed by Malan, Paxson, et al. and
>implemented by Provos, Paxson, et al. are a good intermediate
>solution, but haven't found widespread deployment.
>>This was an interesting point discovered recently when it was
>>realized that the snort defragger was actually never getting touched
>>at all in some installations.
>IP fragmentation is rare to begin with, so i wouldn't chalk this
>up to firewall magic - especially when all major firewalls still pass
>fragments in their default configuration, and ONLY OpenBSD pf and
>Linux netfilter can actually be configured to reassemble. even fewer
>track TCP windows, options, etc...
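The scrubber behaviour Dug describes above, as an added example that is not part of this thread and not the Provos/Paxson implementation: a minimal Python normalizer that refuses inconsistent overlapping retransmissions and timestamp-stale segments instead of letting a naive reassembler accept them. The `Segment` type, the overlap and timestamp policies, and the sample segments are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Segment:
    seq: int                     # sequence number of payload[0]
    payload: bytes
    tsval: Optional[int] = None  # TCP timestamp option, if present

def scrub_stream(segments: List[Segment], isn: int) -> Tuple[bytes, List[str]]:
    """Normalize one direction of a TCP stream the way a scrubber would.

    Assumed policy: the first bytes seen at a position are kept; a later
    segment that covers the position with different bytes is dropped and
    flagged instead of silently overwriting.  A segment whose timestamp is
    older than the newest accepted one is dropped and flagged too, since a
    PAWS-aware end host discards it while a naive sensor would read it.
    Returns (contiguous bytes from isn, alerts).
    """
    stream: Dict[int, int] = {}
    alerts: List[str] = []
    newest_ts: Optional[int] = None
    for i, seg in enumerate(segments):
        if seg.tsval is not None and newest_ts is not None and seg.tsval < newest_ts:
            alerts.append(f"segment {i}: stale tsval {seg.tsval} < {newest_ts}, PAWS would discard")
            continue
        if any(stream.get(seg.seq + off, b) != b for off, b in enumerate(seg.payload)):
            alerts.append(f"segment {i}: data at seq {seg.seq} disagrees with an earlier copy")
            continue
        for off, b in enumerate(seg.payload):
            stream[seg.seq + off] = b
        if seg.tsval is not None:
            newest_ts = seg.tsval
    out = bytearray()
    pos = isn
    while pos in stream:  # stop at the first hole: bytes past it are not in order yet
        out.append(stream[pos])
        pos += 1
    return bytes(out), alerts

# Constructed sample: a benign request split across segments, plus two
# fragroute-style inserts that a reassembler without these checks would accept.
SAMPLE = [
    Segment(1000, b"GET /", tsval=10),
    Segment(1005, b"index.html", tsval=11),
    Segment(1005, b"evil.cgi  ", tsval=5),  # older timestamp: the end host drops it (PAWS)
    Segment(1010, b"x.htmlX", tsval=12),    # overlaps 1010-1014 with different bytes
    Segment(1015, b" HTTP/1.0\r\n", tsval=13),
]
```

`scrub_stream(SAMPLE, isn=1000)` returns the benign request bytes plus two alerts, one per rejected segment, which is what a sensor sitting behind a real scrubber would see.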