[Snort-users] What do I need to configure in snort.conf to protect against segmentation attacks?

Gmail Personal mainmen1985 at ...11827...
Sun Aug 26 06:44:58 EDT 2012


I should also add I changed the port targeted to 22, just in case something was going weird. And I have added the port to the Stream5 option

Weird!

Emeka Agu | Sent from  iPad

On 26 Aug 2012, at 11:30, Emeka Agu <mainmen1985 at ...11827...> wrote:

> Hi Tony thanks for the help. Still get the problem!
> 
> I followed this guide too: http://searchsecuritychannel.techtarget.com/tip/Snorts-Stream5-and-TCP-overlapping-fragments where Richard did exactly the same thing as me
> 
> And edited my Stream5 TCP policy to include the reassembly Port, but it still didn't detect anything. Surely something is wrong, or is Snort that easily beaten by segmented TCP streams?
> 
> Thanks
> 
> On 23 August 2012 18:27, Tony Robinson <deusexmachina667 at ...11827...> wrote:
> I'd check your frag3 and stream 5 settings in snort.conf, verify that stream5 is enabled and that TCP streams are being assembled. according to the snort manual, stream reassembly for port 80 from client operating systems is a default setting in snort.conf -- Double check that, maybe set port 80 to both. Additionally, look into the stream_assembly rule option, and integrate it into your rule to ensure that TCP streams are being reassembled.
> 
> http://manual.snort.org/node33.html#SECTION004621000000000000000
> 
> In regards to ip fragmentation, try changing frag3 back to the defaults and see what happens.
> 
> Try running a packet capture (i.e. use snort, wireshark, tshark or tcpdump) and get a pcap on the interface snort is listening on to ensure the traffic is being dropped/modified somewhere in transit -- you need to verify what your snort sensor is seeing.
> 
> Hope this helps,
> 
> -Tony
> 
> On Thu, Aug 23, 2012 at 2:55 AM, Emeka Agu <mainmen1985 at ...11827...> wrote:
> Hi there, I've created some code in Scapy to create a successful 3WH and then push a segmented keyword (/root/hacked) over 3 packets.
> 
> I also created these three rules in snort (I know the rule with no flow direction set is pointless, but I needed it to confirm my findings)
> 
> 1) alert tcp any any -> $HOME_NET  80 (msg:”Testing TCP”; content:”/root/hacked”; nocase; sid:11112;)
> 
>  
> 
> 2) alert ip any any -> $HOME_NET  80 (msg:”Testing IP Frag”; content:”/root/hacked”; nocase; sid:11113;)
> 
>  
> 
> 3) alert tcp any any -> $HOME_NET  80 (msg:”Testing TCP Flow”; flow:to_server, established; content:”/root/hacked”; nocase; sid:11114;)
> 
> 
> 
> But none of them are alerted when I send the packets. Wireshark manages to see the packets and when I select Follow TCP Stream, and it displays the content in full. 
> 
> 
> 
> IP tables has been turned off too I tested with an earlier evasion attempt just using a fragmented packet where it split the keyword into "/roo" and "t/hacked" and  Snort detected it. I used exactly the same destination and source ports, same IP source and destination, too.
> 
> 
> 
> So I am presuming it's something to do with my snort.conf file. I've left most of the options as default, I just changed the policies to linux, as I am using Backtrack as the Snort IDS
> 
> 
> 
> Can anyone give me any guidance please?
> 
> 
> Cheers,
> 
> 
> 
> Emeka
> 
> 
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> 
> 
> -- 
> when does reality end? when does fantasy begin?
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120826/26b213ad/attachment.html>


More information about the Snort-users mailing list