mailing list archives
Problems with Snort-1.9.1
From: "Toby Miller" <toby_miller () adelphia net>
Date: Wed, 26 Mar 2003 22:16:22 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Problem: Snort-1.9.1 using a default snort.conf configuration does
not detect certain crafted packets.
Details: Snort-1.9.1 does not detect packets when the SYN,FIN and ECN
echo bits set. The following is an example of a packet:
12:37:12.386797 10.1.1.6.18250 > 10.1.1.2.21536: SFE [tcp sum ok]
1178601305:1178601305(0) win 512 (ttl 104, id 5100, len 40)
0x0000 4500 0028 13ec 0000 6806 28db 0a01 0106
0x0010 0a01 0102 474a 5420 4640 0759 0bec 8b73
....GJT.F () Y s
0x0020 5043 0200 1735 0000 PC...5..
Testing: In order to set this I used hping2 and the following
hping2 -t 104 -N -W -s 18245 -p 21536 -S -F -X 'IP Address'
When performing this test I found that Snort would detect a SYN,FIN
packet provided that the ECN echo packet was not set in the same
Problem: With the detect_scan option set in the stream4 preprocessor
Snort would not detect these packets.
Impact: Snort will not catch certain scans or attacks using these
Solution: Upgrade to Snort-2.0.0rc1
(www.snort.org/dl/snort-2.0.0rc1.tar.gz or if you need to use
Snort-1.9.1 to detect these packets, one would have to enable the
portscan preprocessor or delete the detect_scans option in the stream
I would like to thank Chris Green of Snort for responding quickly to
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
-----END PGP SIGNATURE-----
- Problems with Snort-1.9.1 Toby Miller (Mar 28)