[Snort-users] Snort Evasion?

IDS Expect robertgoldman2000 at ...131...
Sun Mar 17 14:29:07 EST 2002


Hi,

I have been examining the snort 1.8.4 source code and
I think I found a very simple way to evade Snort if
and when stream4 is in use.

It seems like in spp_stream4.c, FlushStream() will
ignore all packets if base_seq is zero. Well, base_seq
is set to the sequence number of the first data byte.
What if the attacker initializes her TCP connection's
sequence number to 0xffffffff. This well make base_seq
zero and Snort will further ignore any data on this
connection.

Am I right?
--rob 


__________________________________________________
Do You Yahoo!?
Yahoo! Sports - live college hoops coverage
http://sports.yahoo.com/




More information about the Snort-users mailing list