Home page logo
/

bugtraq logo Bugtraq mailing list archives

Problems with Snort-1.9.1
From: "Toby Miller" <toby_miller () adelphia net>
Date: Wed, 26 Mar 2003 22:16:22 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Problem: Snort-1.9.1 using a default snort.conf configuration does
not detect certain crafted packets.

Details: Snort-1.9.1 does not detect packets when the SYN,FIN and ECN
echo bits set. The following is an example of a packet:

12:37:12.386797 10.1.1.6.18250 > 10.1.1.2.21536: SFE [tcp sum ok]
1178601305:1178601305(0) win 512 (ttl 104, id 5100, len 40)
0x0000       4500 0028 13ec 0000 6806 28db 0a01 0106
E..(....h.(.....
0x0010       0a01 0102 474a 5420 4640 0759 0bec 8b73
....GJT.F ()  Y   s
0x0020       5043 0200 1735 0000                      PC...5..


Testing: In order to set this I used hping2 and the following
switches:

hping2 -t 104 -N -W -s 18245 -p 21536 -S -F -X 'IP Address'

When performing this test I found that Snort would detect a SYN,FIN
packet provided that the ECN echo packet was not set in the same
packet.

Problem: With the detect_scan option set in the stream4 preprocessor
Snort would not detect these packets.

Impact: Snort will not catch certain scans or attacks using these
TCP/IP flags.

Solution: Upgrade to Snort-2.0.0rc1
(www.snort.org/dl/snort-2.0.0rc1.tar.gz or if you need to use
Snort-1.9.1 to detect these packets, one would have to enable the
portscan preprocessor or delete the detect_scans option in the stream
4 preprocessor.

I would like to thank Chris Green of Snort for responding quickly to
this problem.

                                                                        Thanks,
                                                                        Toby

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPoJs/VLhpjRJgUE5EQL8LwCg3eQVZYRgOtQOCZInFeZZDkh3JIUAoJAk
Bzgznvqfb7PhO5HML+/AXw2T
=BYxI
-----END PGP SIGNATURE-----




  By Date           By Thread  

Current thread:
  • Problems with Snort-1.9.1 Toby Miller (Mar 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]