|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Abe L. Getchell (abegetchell_at_qx.net)
Date: Tue Jan 21 2003 - 13:02:50 CST
Greetings all,
I came up with this patch for Snort (version 1.9.0) that will
generate a random TTL (not below 64) for both TCP resets and ICMP error
messages sent to clients by FlexResp when it sees a packet it has been
told to respond too. The TTL is randomized every time Snort is started
during the process of precaching the spoofed packets. The randomization
is done at this phase to minimize the amount of overhead put on the
sensor and so that wildly randomized TTL's in each TCP reset and ICMP
error message packet doesn't become a signature that you're using Snort
as an IDS. I submitted this to the snort-devel list, hopefully it will
be merged into the code-base. Use at your own risk... let me know if
you have any questions!
Thanks,
Abe
-- Abe L. Getchell Security Engineer abegetchellqx.net
- application/octet-stream attachment: flexresp_TTL_fix.diff
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]