[Snort-users] Snort Evasion?
robertgoldman2000 at ...131...
Sun Mar 17 14:29:07 EST 2002
I have been examining the snort 1.8.4 source code and
I think I found a very simple way to evade Snort if
and when stream4 is in use.
It seems like in spp_stream4.c, FlushStream() will
ignore all packets if base_seq is zero. Well, base_seq
is set to the sequence number of the first data byte.
What if the attacker initializes her TCP connection's
sequence number to 0xffffffff? This will make base_seq
zero and Snort will further ignore any data on this
Am I right?
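Added example, not part of the original post and not Snort's code: a simplified C model of the condition the message describes, where zero serves as the "unset" marker for base_seq although zero is also a legal TCP sequence number, shown beside a version that tracks the state in a separate flag. The names `struct stream`, `track_first_data`, `flush_sentinel`, `flush_flagged` and `base_valid` are hypothetical, and the 64-byte payload is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Simplified model of a stream tracker; this is NOT spp_stream4.c. */
struct stream {
    uint32_t base_seq;   /* sequence number of the first data byte */
    int      base_valid; /* explicit "base_seq has been set" flag (hypothetical) */
    size_t   buffered;   /* bytes queued for reassembly */
};

/* The SYN consumes one sequence number, so data starts at ISN + 1 (mod 2^32). */
static void track_first_data(struct stream *s, uint32_t isn, size_t payload_len)
{
    s->base_seq = isn + 1u;   /* wraps to 0 when isn == 0xffffffff */
    s->base_valid = 1;
    s->buffered = payload_len;
}

/* Flawed check: base_seq == 0 is read as "nothing to flush". */
static size_t flush_sentinel(const struct stream *s)
{
    if (s->base_seq == 0)
        return 0;             /* data on a wrapped stream is never inspected */
    return s->buffered;
}

/* Hardened check: validity lives in its own field, so 0 is an ordinary value. */
static size_t flush_flagged(const struct stream *s)
{
    if (!s->base_valid)
        return 0;
    return s->buffered;
}

int main(void)
{
    const uint32_t isns[] = { 0x12345678u, 0xfffffffeu, 0xffffffffu }; /* constructed */
    for (size_t i = 0; i < sizeof isns / sizeof isns[0]; i++) {
        struct stream s = {0};
        track_first_data(&s, isns[i], 64);
        printf("isn=%08lx base_seq=%08lx sentinel=%zu flagged=%zu\n",
               (unsigned long)isns[i], (unsigned long)s.base_seq,
               flush_sentinel(&s), flush_flagged(&s));
    }
    return 0;
}
```

A regression test for a reassembler of this kind should include a stream whose first data byte has sequence number 0 and assert that its payload still reaches the detection engine.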