Intrusion Detection Systems mailing list archives

Re: Problem in snort 1.3


From: roesch () clark net (Martin Roesch)
Date: Mon, 25 Oct 1999 13:15:27 -0400



Ron Gula wrote:

True, but someone source-routing a PHF attack or running it through
fragrouter is a different event than just the PHF attack. If someone
configures their IDS to ignore certain types of attacks, then all
an attacker has to do to avoid the IDS is to make sure that portion
of the attack triggers first and is subsequently ignored. With Dragon,
every packet or data stream can have multiple events associated with
it.

Snort's detection engine's "exit on first match" strategy was
intentionally implemented that way.  When an attack comes in that is
recognized by an alert rule which would potentially set off other
alerts, I figured that it really doesn't matter if you flag every alert
that applies.  The packet is already going to be logged and an alarm is
going to be set; when the admin looks at the packet logs, any other
information of interest will also be there in the packet dump.  This is
done as a performance matter: the faster you set off an alarm and exit,
the faster you can get to the next packet.  Obviously this is very
important in a system that processes all of its packets in a serial
fashion like Snort does.

Doing a source routed PHF attack won't make any difference; the PHF rule
will generate an alert, and when the admin examines the packet log it
will be obvious that the packet was source routed.  Snort is stateless,
so it considers each packet individually and doesn't ignore subsequent
packets in a session just because a previous packet set off an alert.

Snort will miss just about everything run through fragrouter in its
current incarnation (except for the fact that tiny fragments are coming
in), so that's not much of an issue currently. :)


-- 
Martin Roesch
roesch () clark net
http://www.clark.net/~roesch
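The two evaluation strategies discussed in this thread, "exit on first match" (as Snort 1.3 is described) versus reporting every rule that applies, plus the stateless per-packet evaluation, can be shown with a toy rule engine. This is an added illustration, not Snort's or Dragon's code; the rule names, the `Packet`/`Rule` classes, and the sample packets are constructed for the example. It also shows the caveat a defender cares about with first-match engines: rule order decides which single alert name is reported, and the remaining information has to be recovered from the logged packet record.

```python
# Toy rule engine contrasting "exit on first match" with "report every match".
# Constructed example; not Snort or Dragon code. Rule names and packets are
# made up for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    ip_options: Tuple[str, ...] = ()   # e.g. ("loose_source_route",)
    tiny_fragment: bool = False        # fragment shorter than a sane minimum


@dataclass
class Rule:
    name: str
    content: bytes = b""               # substring that must appear in payload
    dport: Optional[int] = None        # destination port, if constrained
    ip_option: Optional[str] = None    # IP option that must be present
    tiny_fragment: Optional[bool] = None

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.content and self.content not in pkt.payload:
            return False
        if self.ip_option is not None and self.ip_option not in pkt.ip_options:
            return False
        if self.tiny_fragment is not None and pkt.tiny_fragment != self.tiny_fragment:
            return False
        return True


# Hypothetical rule set; order matters for the first-match engine.
RULES: List[Rule] = [
    Rule("WEB-CGI phf access", content=b"/cgi-bin/phf", dport=80),
    Rule("IP loose source route option", ip_option="loose_source_route"),
    Rule("tiny IP fragment", tiny_fragment=True),
]


def first_match(pkt: Packet, rules: List[Rule] = RULES) -> List[str]:
    """Exit on the first rule that fires (the strategy described for Snort 1.3)."""
    for rule in rules:
        if rule.matches(pkt):
            return [rule.name]
    return []


def all_matches(pkt: Packet, rules: List[Rule] = RULES) -> List[str]:
    """Report every rule that applies to the packet."""
    return [rule.name for rule in rules if rule.matches(pkt)]


def log_event(pkt: Packet, rules: List[Rule] = RULES, engine=first_match) -> Optional[dict]:
    """Alert name(s) plus the full packet record, which is what the analyst
    inspects afterwards; the IP options survive there even under first-match."""
    names = engine(pkt, rules)
    if not names:
        return None
    return {"alerts": names, "packet": pkt}


def run_stream(packets: List[Packet], engine=first_match) -> List[List[str]]:
    """Stateless evaluation: each packet is judged on its own, so a later
    packet in the same session still alerts after an earlier one did."""
    return [engine(p) for p in packets]


# Constructed sample traffic: a PHF request carried in a source-routed packet,
# a benign request, and a second PHF request later in the same session.
PHF_SOURCE_ROUTED = Packet("203.0.113.7", "192.0.2.10", 80,
                           b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n",
                           ip_options=("loose_source_route",))
BENIGN = Packet("203.0.113.7", "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n")
PHF_PLAIN = Packet("203.0.113.7", "192.0.2.10", 80, b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n")


if __name__ == "__main__":
    print("first match :", first_match(PHF_SOURCE_ROUTED))
    print("all matches :", all_matches(PHF_SOURCE_ROUTED))
    # Rule order decides what first-match reports:
    print("reversed    :", first_match(PHF_SOURCE_ROUTED, list(reversed(RULES))))
    print("logged opts :", log_event(PHF_SOURCE_ROUTED)["packet"].ip_options)
    print("stream      :", run_stream([PHF_SOURCE_ROUTED, BENIGN, PHF_PLAIN]))
```

Running it shows `first_match` reporting only the PHF rule while `all_matches` reports both PHF and the source-route option; with the rule list reversed, first-match reports only the source-route rule, which is the ordering sensitivity a first-match design accepts in exchange for speed. The logged record still carries `ip_options`, which is the point made above about the packet dump, and `run_stream` alerts on the third packet even though the first one already fired.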


