[Snort-users] sidestep

Matt Kettler mkettler at ...4108...
Tue Apr 29 09:16:56 EDT 2003


From what I read, sidestep does a fragmentation style attack, but rather 
than using the IP or TCP layers (which is what fragrouter and the like do), 
it uses features of particular application protocols to do it.

http://www.der-keiler.de/Mailing-Lists/securityfocus/focus-ids/2001-07/0100.html

So basically in this example it's making a bunch of redundant commands to 
RPC, and at the application layer, apparently RPC will re-assemble it.

Another discussion can be found here:
http://www.sans.org/resources/idfaq/rpc_evas.php

I think that sidestep, and similar attacks, is one reason why snort has a 
rpc_decode preprocessor.

At 01:35 PM 4/29/2003 +0100, Jill Tovey wrote:
>Anyway, as you can see the packet data is very different, but the first
>44 bytes are the same, this is probably why snort is detecting the
>attack.
>So would anyone like to attempt an explanation as to how this tries to
>evade snort?
>
>Any comments much appreciated,
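To make the application-layer fragmentation idea concrete, here is an added example (not code from the original post, from sidestep, or from Snort). It models one RPC feature that rpc_decode normalizes: ONC RPC over TCP carries each message in a record whose 4-byte record mark has a "last fragment" bit and a 31-bit length, so a single CALL can be split across several small records and the receiver stitches them back together. The portmapper GETPORT call and the 8-byte content pattern (RPC version plus program number) are constructed for illustration and stand in for a content-matching rule; they are not a real Snort rule. A raw byte match on the wire stream misses the split version, while the same match run after record reassembly finds it.

```python
import struct

# Record-marking flag and length mask for ONC RPC over TCP (RFC 5531, section 11).
LAST_FRAGMENT = 0x80000000
LENGTH_MASK = 0x7FFFFFFF

# Portmapper program/version and the GETPORT procedure number.
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3


def build_rpc_call(xid, prog, vers, proc, args=b""):
    """Serialize an ONC RPC CALL body with AUTH_NULL credentials and verifier."""
    # xid, msg_type 0 (CALL), rpcvers 2, program, version, procedure
    header = struct.pack(">IIIIII", xid, 0, 2, prog, vers, proc)
    # cred flavor/len and verf flavor/len, all zero for AUTH_NULL
    auth_null = struct.pack(">IIII", 0, 0, 0, 0)
    return header + auth_null + args


def encode_records(body, frag_size=None):
    """Wrap a call body in TCP record marks; frag_size splits it into many fragments."""
    if frag_size is None:
        frag_size = len(body)
    stream = b""
    for off in range(0, len(body), frag_size):
        chunk = body[off:off + frag_size]
        last = off + frag_size >= len(body)
        mark = len(chunk) | (LAST_FRAGMENT if last else 0)
        stream += struct.pack(">I", mark) + chunk
    return stream


def reassemble_records(stream):
    """Stitch record fragments back into whole records, the way an RPC server does.

    Returns a list of (record_bytes, fragment_count) so a caller can also flag
    records that arrived in suspiciously many pieces.
    """
    records, current, nfrags, off = [], b"", 0, 0
    while off < len(stream):
        if off + 4 > len(stream):
            raise ValueError("truncated record mark")
        (mark,) = struct.unpack(">I", stream[off:off + 4])
        off += 4
        length = mark & LENGTH_MASK
        frag = stream[off:off + length]
        if len(frag) != length:
            raise ValueError("truncated fragment")
        off += length
        current += frag
        nfrags += 1
        if mark & LAST_FRAGMENT:
            records.append((current, nfrags))
            current, nfrags = b"", 0
    if nfrags:
        raise ValueError("stream ends inside a record")
    return records


# Constructed sample: a portmapper GETPORT call (xid 0x2a, no arguments).
SAMPLE_CALL = build_rpc_call(0x2A, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)

# Stand-in for a content-matching rule: rpc version 2 followed by program 100000,
# i.e. the bytes |00 00 00 02 00 01 86 A0|. Hypothetical, not an actual Snort rule.
PORTMAP_SIG = struct.pack(">II", 2, PMAP_PROG)


def raw_match(stream):
    """Naive detection: search the wire bytes as they are."""
    return PORTMAP_SIG in stream


def normalized_match(stream):
    """Detection after rpc_decode-style normalization: search each whole record."""
    return any(PORTMAP_SIG in record for record, _ in reassemble_records(stream))


def demo():
    whole = encode_records(SAMPLE_CALL)            # one record, one fragment
    split = encode_records(SAMPLE_CALL, frag_size=4)  # same call, ten 4-byte fragments
    return {
        "raw_whole": raw_match(whole),
        "raw_split": raw_match(split),
        "normalized_split": normalized_match(split),
        "fragments_in_split": reassemble_records(split)[0][1],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The record mark is inserted between every 4 bytes of the split stream, so the 8-byte pattern never appears contiguously on the wire even though the server sees exactly the same 40-byte call. The fragment count returned by `reassemble_records` is the kind of signal a preprocessor can alert on by itself, since a legitimate client has little reason to send a 40-byte call in ten records.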




