[Snort-users] Re: fragroute vs. snort: the tempest in a teacup

Brad Powell Brad.Powell at ...5663...
Mon Apr 22 14:29:07 EDT 2002

Darren writes:

> Well then IDS software needs to be smarter.  IMHO it makes little sense
> for an IDS to be *behind* a firewall as it's going to miss out on lots
> of useful data points.  Maybe this means telling your IDS software how
> big your network is so it can make intelligent decisions about how far
> a packet will go based on its TTL.

Actually it depends. Behind the firewall, you can set the red flags to be
very sensitive. Packets that should -never- be there send up big red flags
and page people because the FW failed.

In front of the FW gives you more info, to be sure, but also a lot of noise
that your FW would block anyway.

Depends on if you want to hear the door rattlers (millions of them)
or not.

> IP Fragmentation is rare across the WAN, maybe, but anyone who's used
> NFSv2 knows how common it is on the LAN.

Actually, with load balancing gear, frags are more and more prevalent
even on the WAN.

> There are good reasons NOT to do reassembly and I imagine those that do
> not do so because they understand this better than the desire to simply
> add yet another feature which some consider "cool".

True, except if you can't guarantee that you will see the whole packet
through the SAME interface. We tripped over this a few times with SunScreen
doing stateful inspection (a good thing most of the time). Anywhere from
1/2 to more of the traffic was going through a different router and the
Firewall was sitting there holding 1/2 of the packet in a memory buffer
that would never get freed. Eventually you get enough of these that the
network slows down or the FW runs out of memory.

HPux was notorious for opening a buffer for frags and never freeing the
buffer. The easy way to bring HPs to their knees :-)

Brad Powell : HOME: brad at ...5662... WORK: brad.powell at ...5663...
The views expressed are those of the author and may not reflect the views
of Sun Microsystems Inc.
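The never-freed reassembly buffer Brad describes, as an added toy example (not code from the post, from SunScreen or from HP-UX): a fragment reassembly table driven by a fake clock, where `timeout=None` reproduces the leak when the second half of each datagram takes another route, and a timeout frees the half-seen entries. The class and function names and the 10.0.0.x addresses are constructed for the example.

```python
import time
from collections import namedtuple
from dataclasses import dataclass, field

# One IP fragment (constructed in memory, not parsed off the wire): `offset` is the
# byte offset within the original datagram, `more` the IP "More Fragments" flag.
Frag = namedtuple("Frag", "src dst ip_id offset more data")

@dataclass
class Entry:                       # per-datagram reassembly state
    first_seen: float
    pieces: dict = field(default_factory=dict)   # offset -> payload
    total: "int | None" = None                   # known once the last fragment arrives

class Reassembler:
    def __init__(self, timeout=30.0, clock=time.monotonic):
        self.timeout, self.clock, self.table = timeout, clock, {}  # timeout=None: never freed

    def expire(self):              # drop entries whose other half never showed up
        if self.timeout is None:
            return 0
        now = self.clock()
        stale = [k for k, e in self.table.items() if now - e.first_seen > self.timeout]
        for k in stale:
            del self.table[k]
        return len(stale)

    def add(self, f):              # returns the reassembled datagram when complete, else None
        self.expire()
        key = (f.src, f.dst, f.ip_id)
        e = self.table.setdefault(key, Entry(first_seen=self.clock()))
        e.pieces[f.offset] = f.data
        if not f.more:
            e.total = f.offset + len(f.data)
        buf, pos = b"", 0
        for off in sorted(e.pieces):   # contiguity walk; overlapping fragments not handled
            if off != pos:
                return None            # gap: still waiting for a missing piece
            buf, pos = buf + e.pieces[off], pos + len(e.pieces[off])
        if e.total is None or pos != e.total:
            return None
        del self.table[key]
        return buf

def simulate(n=500, timeout=30.0):
    """Constructed scenario: n datagrams whose second fragment took another route."""
    t = [0.0]                      # fake clock so the run is deterministic
    r = Reassembler(timeout=timeout, clock=lambda: t[0])
    for i in range(n):
        r.add(Frag("10.0.0.1", "10.0.0.2", i, 0, True, b"A" * 8))
    held = len(r.table)            # half-datagrams pinned in memory
    t[0] += 60.0                   # a minute passes; the other halves never arrive
    r.add(Frag("10.0.0.1", "10.0.0.2", n, 0, False, b"ok"))   # any new packet runs expiry
    return held, len(r.table)
```

`simulate(500, 30.0)` returns `(500, 0)` while `simulate(500, None)` returns `(500, 500)`: without an expiry the half-assembled entries stay in the table for as long as the process lives.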
