[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[stalk:01257] Snort $B$G$NBP:v(B Re: FYI:fragroute $B$,(BZDNN $B$G>R2p$5$l$F$$$^$9(B

To: security-talk@xxxxxxxxxxxxxxxxxxxx
Subject: [stalk:01257] Snort $B$G$NBP:v(B Re: FYI:fragroute $B$,(BZDNN $B$G>R2p$5$l$F$$$^$9(B
From: "shikap@xxxxxxxxxxxx" <shikap@xxxxxxxxxxxx>
Date: Wed, 24 Apr 2002 11:28:34 +0900

(B (B $B$7$+#P$G$9!#(B (B (BSnort$B$,(Bfragroute$BBP:vHG$r2>%j%j!<%9$7$^$7$?!#(B (B (Bhttp://www.snort.org/dl/snapshots/snort-stable-snapshot.tar.gz (B $B$^$?!"(Bsnort-1.8.7$B$N%j%j!<%9$K8~$1$F>e5-%9%J%C%W%7%g%C%H$N5!G=$r(B $B%P%C%/%]!<%HCf$N$h$&$G$9!#(B (B $B$*5^$.$NJ}$O(Bstable$B$r!"5^$$$G$J$$J}$O(B1.8.7$BBT$A!"$H$$$&$H$3$m$G$7$g$&$+!#(B (B $BJ8Kv$K!"%3%_%C%?!<$N(BChris Green$B;a$N!VBP:v$7$?$h!W%a!<%k$r$D$1$F$*$-$^$9!#(B $B!t$3$l$r8+$k$H(Bsnort1.8.6$B$,$I$&$$$&%Q%?!<%s$GK]O.$5$l$F$7$^$&$+$o$+$j$^$9!#(B $B!t!tD9$/$J$C$F$4$a$s$J$5$$!d(BAll m(__)m (B $B$$$8$g!#(B (B (BAt 4:52 PM +0900 02.4.22, shikap@xxxxxxxxxxxx wrote: (B>$B$7$+#P$G$9!#(B (B> (B> (B>At 5:38 AM +0900 02.4.22, Kensuke Nezu wrote: (B>>ZDNN$B$G$b>R2p$5$l$^$7$?!#(B (B>>$B!z!V0- (B>>http://www.zdnet.co.jp/news/0204/20/b_0419_07.html (B> (B>$B$h$j>\:Y$JJ8>O$O$3$A$i!#(B (B>http://www.zdnet.co.jp/news/0204/22/e_hacker.html (B> (B>$B%X%C%I%i%$%s$NJ}$O$A$g$C$H8m2r$r>7$-$d$9$$J8>O$+$b$7$l$J$$$G$9$M!#(B (B>$B>\:Y$JJ}$O$b$&>/$7$D$C$3$s$@OC$,=q$$$F$"$j$^$9!#(B (B> (B>$B$?$@!"2?$G:#:"$K$J$C$F$3$&;}$A>e$2$i$l$F$$$k$N$+$J$!!#(B (B>$B$9$G$K$=$N$h$&$J%D!<%k$,B8:_$7$F$$$?$3$H$r(BTERASHIMA$B$5$s$,=q$+$l$F(B (B>$B$$$k$o$1$G$9$7$M!#(B (B>$B!t$&!<$s!"$d$C$Q$j?75l;H$C$F$_$J$-$c$@$a$+$J$!!&!&!&;~4V$,!&!&!&(B (B> (B>$B$5$F!"(Bsnort$B$O0lIt@H (B>$BK\Ev$K$[$+$N(BIDS$B$O1F6A$r (B>$B!t$@$l$+$[$+$N(BIDS$B%f!<%6$K;n$7$FM_$7$$!"$H8@$C$F$_$k%F%9%H!#(B (B>$B!t$A$J$_$K(Bsnort$B$NBP1~$O:#=5Cf!"$J$s$FH/8@$b$"$j$^$9$M!d>\:YHG$N$[$&(B (B> (B>$B$$$8$g!#(B (B $B$3$3$+$iJ8Kv$^$G(BGreen$B;a$N%]%9%H$7$?%a!<%k$G$9!#(B (B (BTo: snort-devel@xxxxxxxxxxxxxxxxxxxxx, snort-users@xxxxxxxxxxxxxxxxxxxxx (BFrom: Chris Green <cmg@xxxxxxxxxxxxxx> (BLines: 117 (BSubject: [Snort-devel] fragroute related fixes need testing on real networks (BSender: snort-devel-admin@xxxxxxxxxxxxxxxxxxxxx (BX-BeenThere: snort-devel@xxxxxxxxxxxxxxxxxxxxx (BX-Mailman-Version: 2.0.9-sf.net (BList-Help: <mailto:snort-devel-request@xxxxxxxxxxxxxxxxxxxxx?subject=help> (BList-Post: <mailto:snort-devel@xxxxxxxxxxxxxxxxxxxxx> (BList-Subscribe: (B<https://lists.sourceforge.net/lists/listinfo/snort-devel>,<mailto:snort-devel-request@xxxxxxxxxxxxxxxxxxxxx?subject=subscribe> (BList-Id: Gathering place for Snort developers (B<snort-devel.lists.sourceforge.net> (BList-Unsubscribe: (B<https://lists.sourceforge.net/lists/listinfo/snort-devel>,<mailto:snort-devel-request@xxxxxxxxxxxxxxxxxxxxx?subject=unsubscribe> (BList-Archive: <http://www.geocrawler.com/redir-sf.php3?list=snort-devel> (BX-Original-Date: Mon, 22 Apr 2002 19:34:58 -0400 (BDate: Mon, 22 Apr 2002 19:34:58 -0400 (B (BHey folks, (B (BI just committed a lot of changes today to snort's HEAD branch in CVS (Bto deal with the test cases iterated in fragroute. (B (BTo get the full benefit of these changes: (B (Bpreprocessor frag2: detect_state_problems (Bprocessessor stream4: detect_state_problems (B (BThese need a lot of testing and there may very well be more problems (Blaying around. (B (BIf things go well, I'll backport the changes to snort-stable and (Brelease a 1.8.7 (B (BIf you find a new set of options that evade snort, drop me a line and (BI'll work to fix and/or detect them and give you full credit. (B (BThe bugtraq post was the first I'd seen the README.snort so let me (Bjust say that I spent a lot of Thursday superlate-> Today thinking (Babout the problems while trying to get work done. (B (BAnyway, fragroute is a neat tool and does a lot of the stuff that has (Bbeen on the todo list to check. Ahh only hours in the day. (B (B> (B> 1. older TCP retransmission chaff (snort's TCP segment reassembly (B> seems to always favor newer data, even for properlby sequenced (B> received data): (B> (B> tcp_seg 1 (B> tcp_chaff rexmit (B> order random (B (B (BShould be fixed and if we see retransmissions of older data that (Bdiffers from what we already have, we generate an alert and throw away (Bthe packet (B (B> (B> 2. forward TCP segmentation overlap, favoring newer data (both Windows (B> and Unix operate this way, in contrast to Ptacek and Newsham's (B> results): (B> (B> tcp_seg 1 new (B (BFixed and generates alerts on packets that are part of a stream that (Bhas already been reassembled. (B (B> 3. chaff TCP segments with older TCP timestamp options forcing PAWS (B> elimination: (B> (B> tcp_seg 1 (B> tcp_chaff paws (B> order random (B (BThis should be relooked at but after making the first two changes, (Bthis one was picked up very loudly. (B (B> (B> 4. older IP fragment duplicates (snort's IP fragment reassembly seems (B> to always favor newer data, even for properly sequenced received (B> data): (B> (B> ip_frag 8 (B> ip_chaff dup (B> order random (B> (B (BAlert on frags with option data and suck them all away. (B (BPhilosophical question: Should we ignore frags we didn't see the (Bfirst fragment of? (B (B> (B> 5. IP duplicate fragment chaff with bad options: (B> (B> ip_frag 8 (B> ip_chaff opt (B> order random (B> (B (BOnce the opts were tossed, things worked fine (B (B> (B> 6. either TCP or IP chaffing with short TTLs (that expire before (B> reaching the end host, but pass by the monitor): (B> (B> ip_frag 8 (B> ip_ttl 11 (B> ip_chaff 10 (B> order random (B> (B> tcp_seg 1 (B> ip_ttl 11 (B> tcp_chaff 10 (B> order random (B> (B (BTCP stream stuff already had the min_ttl option to detect this attack (Bso that it will throw away anything underneath that. (B (BI added this option to frag2 (B (BAlso, there is a ttl_limit option to both. Basically, this will alert (Bon anything that is different by more than a certain limit (B (BThe default is 5 picked off the cuff. Know of any papers that measure (Bthe avg and std deviation of TTLs on normal internet traffic across a (Blarge sample and I'll be your buddy. (B (BThanks for your help and patience, (BChris (B-- (BChris Green <cmg@xxxxxxxxxxxxxx> (BFame may be fleeting but obscurity is forever. (B (B (B_______________________________________________ (BSnort-devel mailing list (BSnort-devel@xxxxxxxxxxxxxxxxxxxxx (Bhttps://lists.sourceforge.net/lists/listinfo/snort-devel (B-- (B- $B$3$N%a%$%j%s%0%j%9%H$K4X$9$k (B- <security-talk@xxxxxxxxxx>$B$^$G$*CN$i$;$/$@$5$$(B (B-- (B------------------------------------------------------------------------ $B!!!!(B $B!!!!!!!!!!!!!!!!$7$CCN$i$J$$4V$KA}$($F$k$%!*(B $B!!(Bhttp://toolbar.www.infoseek.co.jp/Skin?pg=skin_12_if.html&svx=971122

References:
- [stalk:01226] fragroute(IDS $B%F%9%?(B$B!
  - From: shikap@xxxxxxxxxxxx
- [stalk:01252] FYI:fragroute $B$,(B ZDNN $B$G>R2p$5$l(B$B$F$$$^$9(B
  - From: Kensuke Nezu
- [stalk:01255] Re: FYI:fragroute $B$,(B ZDNN $B$G>R2p$5$l$F$$$^$9(B
  - From: shikap@xxxxxxxxxxxx

Prev by Date: [stalk:01256] Re: $BBg5,LO4D6-(B$B2<$G$N%&%#(B$B%k%9BP:v(B
Next by Date: [stalk:01258] Re: AppShield (Re: $B%/%m%9%5%$%H%9%/%j%W%F%#%s%0$N(J$B8!=P(B)
Previous by thread: [stalk:01255] Re: FYI:fragroute $B$,(B ZDNN $B$G>R2p$5$l$F$$$^$9(B
Next by thread: [stalk:01233] $B!X(B JP1 $B?7@=IJ@bL@2q!Y$NJs9p(B
Index(es):
- Date
- Thread

[stalk:01257] Snort $B$G$NBP:v(B Re: FYI:fragroute $B$,(BZDNN $B$G>R2p$5$l$F$$$^$9(B

[stalk:01257] Snort $B$G$NBP:v(B Re: FYI:fragroute $B$,(BZDNN $B$G>R2p$5$l$F$$$^$9(B