[Snort-users] What do I need to configure in snort.conf to protect against segmentation attacks?
mainmen1985 at ...11827...
Thu Aug 23 02:55:43 EDT 2012
Hi there, I've created some code in Scapy to create a successful 3WH and
then push a segmented keyword (/root/hacked) over 3 packets.
I also created these three rules in snort (I know the rule with no flow
direction set is pointless, but I needed it to confirm my findings)
1) alert tcp any any -> $HOME_NET 80 (msg:"Testing TCP";
content:"/root/hacked"; nocase; sid:11112;)
2) alert ip any any -> $HOME_NET 80 (msg:"Testing IP Frag";
content:"/root/hacked"; nocase; sid:11113;)
3) alert tcp any any -> $HOME_NET 80 (msg:"Testing TCP Flow";
flow:to_server,established; content:"/root/hacked"; nocase; sid:11114;)
But none of them alert when I send the packets. Wireshark manages to
see the packets, and when I select Follow TCP Stream it displays the
content in full.
iptables has been turned off too. I tested with an earlier evasion attempt
just using a fragmented packet where it split the keyword into "/roo" and
"t/hacked", and Snort detected it. I used exactly the same destination and
source ports, same IP source and destination, too.
So I am presuming it's something to do with my snort.conf file. I've left
most of the options as default; I just changed the policies to linux, as I
am using Backtrack as the Snort IDS.
Can anyone give me any guidance please?
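As an added example, not part of the original post or of Snort itself, the Python below models the difference that matters here: matching the /root/hacked content against each TCP segment on its own versus matching against the segments once they have been reassembled into one stream, which is what Snort's stream preprocessor does before the rules above see the data. All segment payloads and sequence numbers are constructed sample data.

```python
# Added example (not from the original post): per-segment content matching
# misses a keyword split across TCP segments; stream reassembly catches it.
# Segments are (relative_seq, payload) tuples; all values are constructed.

KEYWORD = b"/root/hacked"

def match_per_segment(segments, keyword=KEYWORD):
    """Naive matcher: inspects each segment payload in isolation (nocase)."""
    return any(keyword.lower() in payload.lower() for _, payload in segments)

def reassemble(segments):
    """Order segments by sequence number and join payloads into one stream.
    Overlapping bytes keep the first-seen copy (one simple policy; real
    reassemblers choose per target-OS policy). A gap stops reassembly."""
    stream = bytearray()
    for seq, payload in sorted(segments):
        if seq < len(stream):            # overlap with data already placed
            payload = payload[len(stream) - seq:]
        elif seq > len(stream):          # missing segment: cannot continue
            break
        stream += payload
    return bytes(stream)

def match_reassembled(segments, keyword=KEYWORD):
    """Matcher that sees the reassembled stream, as a stream preprocessor
    would present it to content rules."""
    return keyword.lower() in reassemble(segments).lower()

# Constructed: keyword pushed over three segments, delivered out of order.
THREE_WAY_SPLIT = [(0, b"GET /ro"), (13, b"ked HTTP/1.0\r\n"), (7, b"ot/hac")]
# Constructed: the two-part split "/roo" + "t/hacked" mentioned in the post.
TWO_WAY_SPLIT = [(0, b"GET /roo"), (8, b"t/hacked HTTP/1.0\r\n")]

if __name__ == "__main__":
    for name, segs in (("three-way", THREE_WAY_SPLIT), ("two-way", TWO_WAY_SPLIT)):
        print(name, "per-segment:", match_per_segment(segs),
              "reassembled:", match_reassembled(segs))
```

Both splits fail the per-segment check and pass the reassembled one, which is why a rule that only ever sees individual packets cannot fire on the content.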