Re: Verified evasion in Snort
From: mwatchinski at sourcefire.com
Date: Wed Feb 01 2006 - 15:22:01 CST
This and other target-based fragmentation evasions are the reason we re-wrote the fragmentation engine in Snort.
If you look at Judy Novak's Frag3 Development paper, Snort's latest fragmentation engine (frag3) supports target-based fragmentation policies for overlaps, TTL evasions, and timeouts. This can be configured on a per-IP basis to allow exact emulation of how the end host handles fragmentation reassembly.
Here is a sample configuration that could be used for frag3. This configuration would handle the evasion outlined in the advisory. This configuration is based on the 5-second timeout used in the PoC code provided.
preprocessor frag3_engine: policy first \
bind_to 10.2.1.0/24 \
timeout 5 \
detect_anomalies
From our testing, Windows XP actually has a 1 minute timeout for fragments. The actual configuration to handle this evasion would be the following:
preprocessor frag3_engine: policy first \
bind_to 10.2.1.0/24 \
timeout 60 \
detect_anomalies
For the VRT's detailed analysis of the PoC tool and the advisory please see:
http://www.snort.org/rules/docs/vrt/evasion_snort_v233.html
Cheers,
Matthew Watchinski
Director, Vulnerability Research
Sourcefire, Inc.
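The two points in the post above, that the overlap policy and the fragment timeout both have to match the end host, can be seen in a toy reassembler. This is an added example, not frag3 code or anything from Sourcefire; it uses byte offsets and constructed arrival times, and the "first"/"last" policies are simplified stand-ins for the real target-based policy set.

```python
"""Toy model of target-based IP fragment reassembly (added example, not
Snort's frag3): the bytes a sensor reassembles depend on its overlap policy
and on its fragment timeout relative to the end host's."""
from dataclasses import dataclass


@dataclass
class Frag:
    offset: int   # byte offset within the datagram (real IP uses 8-byte units)
    data: bytes
    more: bool    # MF flag: more fragments follow
    t: float      # arrival time in seconds (constructed for the example)


def reassemble(frags, policy="first", timeout=60.0):
    """Return the reassembled payload, or None if the datagram never
    completes within `timeout` seconds of the first retained fragment.
    'first' keeps the bytes that arrived first for an overlapping region,
    'last' lets later fragments overwrite earlier ones."""
    assert policy in ("first", "last")
    buf, start, total = {}, None, None      # buf: byte offset -> byte value
    for f in sorted(frags, key=lambda f: f.t):
        if start is None or f.t - start > timeout:
            buf, start, total = {}, f.t, None   # stale state is discarded
        for i, b in enumerate(f.data):
            off = f.offset + i
            if policy == "last" or off not in buf:
                buf[off] = b
        if not f.more:
            total = f.offset + len(f.data)
        if total is not None and all(o in buf for o in range(total)):
            return bytes(buf[o] for o in range(total))
    return None


# Constructed overlapping fragments: the middle one overlaps the first.
OVERLAP = [Frag(0, b"AAAA", True, 0.0), Frag(2, b"BBBB", True, 1.0),
           Frag(6, b"CC", False, 2.0)]

# Constructed fragments spaced 10 s apart: a 5 s sensor timeout drops the
# first fragment before the second arrives, a 60 s host still completes.
SLOW = [Frag(0, b"HELLO ", True, 0.0), Frag(6, b"WORLD", False, 10.0)]


def demo():
    return {"first": reassemble(OVERLAP, "first"),
            "last": reassemble(OVERLAP, "last"),
            "sensor_5s": reassemble(SLOW, "first", timeout=5.0),
            "host_60s": reassemble(SLOW, "first", timeout=60.0)}
```

With the 5-second sensor timeout the sensor sees no complete datagram while a 60-second host does, which is exactly why the second frag3 configuration in the post sets timeout 60.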