[Snort-users] sidestep

Jill Tovey jill.tovey at ...8678...
Tue Apr 29 05:34:05 EDT 2003


Hi,

Apologies to anyone on the focus-ids list who will receive this twice.

I am testing snort using a tool called sidestep, but can find little to
know explanation as how it works when trying to evade the IDS.

In the hope that some people here are fluent in hex I am posting what is
happening when I use the sidestep tool for an RPC request to my snort
box.

Below is the results in my log file from snort when using the RPC
request in normal mode...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

TCP TTL:128 TOS:0x0 ID:8585 IpLen:20 DgmLen:84 DF
***AP*** Seq: 0xBE7826F7  Ack: 0x34F8656C  Win: 0x4470  TcpLen: 20
80 00 00 28 00 00 00 00 00 00 00 00 00 00 00 02  ...(............
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00              ............

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Next I try sidestep using -evade mode.
This gets detected by snort and leaves the following in my log file:

[**] RPC portmap listing [**]
04/29-12:57:58.607580 192.168.0.10:1471 -> 192.168.0.2:111
TCP TTL:128 TOS:0x0 ID:10424 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x19B53290  Ack: 0xB60B1018  Win: 0x4470  TcpLen: 20
80 00 00 28 00 00 00 00 00 00 00 00 00 00 00 02  ...(............
00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01 00 00 00 00 01 00 00 00 00 01 02 00 00 00 01  ................
00 00 00 00 01 01 00 00 00 01 86 00 00 00 01 A0  ................
00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00  ................
00 00 01 02 00 00 00 01 00 00 00 00 01 00 00 00  ................
00 01 00 00 00 00 01 04 00 00 00 01 00 00 00 00  ................
01 00 00 00 00 01 00 00 00 00 01 00 00 00 00 01  ................
00 00 00 00 01 00 00 00 00 01 00 00 00 00 01 00  ................
00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00  ................
00 00 01 00 00 00 00 01 00 00 00 00 01 00 00 00  ................
00 01 00 80 00 00 01 00                          ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Anyway, as you can see the packet data is very different, but the first
44 bytes are the same, this is probably why snort is detecting the
attack.
So would anyone like to attempt an explanation as to how this tries to
evade snort?

Any comments much appreciated,

Cheers






More information about the Snort-users mailing list