[Snort-users] What do I need to configure in snort.conf to protect against segmentation attacks?

Emeka Agu mainmen1985 at ...11827...
Thu Aug 23 02:55:43 EDT 2012


Hi there, I've created some code in Scapy to create a successful 3WH and
then push a segmented keyword (/root/hacked) over 3 packets.

I also created these three rules in snort (I know the rule with no flow
direction set is pointless, but I needed it to confirm my findings)

1) alert tcp any any -> $HOME_NET 80 (msg:"Testing TCP";
content:"/root/hacked"; nocase; sid:11112;)

2) alert ip any any -> $HOME_NET 80 (msg:"Testing IP Frag";
content:"/root/hacked"; nocase; sid:11113;)

3) alert tcp any any -> $HOME_NET 80 (msg:"Testing TCP Flow";
flow:to_server,established; content:"/root/hacked"; nocase; sid:11114;)


But none of them alerts when I send the packets. Wireshark manages to
see the packets, and when I select Follow TCP Stream it displays the
content in full.


iptables has been turned off too. I tested with an earlier evasion attempt
just using a fragmented packet where it split the keyword into "/roo" and
"t/hacked", and Snort detected it. I used exactly the same destination and
source ports, and the same source and destination IPs, too.


So I am presuming it's something to do with my snort.conf file. I've left
most of the options as default; I just changed the policies to linux, as I
am using Backtrack as the Snort IDS.


Can anyone give me any guidance please?

Cheers,


Emeka
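An added illustration (my own code, not part of Emeka's post and not Snort's own code): a minimal TCP reassembler run over constructed to-server segments, showing why a per-packet content match never sees a keyword that is split across segments while a match over the reassembled stream does, which is the job of Snort's stream reassembly preprocessor. Segment contents, sequence numbers and the out-of-order/retransmitted delivery are constructed for the example.

```python
# Added example: per-segment vs. reassembled-stream matching of a keyword
# that a sender has split across several TCP segments.

KEYWORD = b"/root/hacked"

# Constructed to-server segments after a completed handshake:
# (relative sequence number, payload). Delivered out of order and with
# one retransmission to exercise the reassembler.
SEGMENTS = [
    (11, b"acked HTTP/1.1\r\n"),   # last piece arrives first
    (0, b"GET /ro"),
    (0, b"GET /ro"),               # retransmission of the first segment
    (7, b"ot/h"),
]


def per_segment_hits(segments, keyword=KEYWORD):
    """Case-insensitive match (like Snort's nocase) on each segment alone."""
    return [keyword.lower() in data.lower() for _, data in segments]


def reassemble(segments):
    """Rebuild the contiguous byte stream from (seq, payload) segments.

    Segments are ordered by sequence number; a retransmitted or
    overlapping prefix is discarded in favour of data already seen
    (a 'first' overlap policy), and reassembly stops at the first gap,
    since bytes after a missing segment cannot be trusted yet.
    """
    buf = bytearray()
    for seq, data in sorted(segments):
        end = len(buf)
        if seq > end:                 # hole in the stream: stop here
            break
        if seq + len(data) <= end:    # entirely old data: ignore
            continue
        buf += data[end - seq:]       # append only the new tail
    return bytes(buf)


def stream_hit(segments, keyword=KEYWORD):
    """Case-insensitive match over the reassembled stream."""
    return keyword.lower() in reassemble(segments).lower()


if __name__ == "__main__":
    print("per-segment:", per_segment_hits(SEGMENTS))   # all False
    print("reassembled:", stream_hit(SEGMENTS))         # True
```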