Snort mailing list archives
What do I need to configure in snort.conf to protect against segmentation attacks?
From: Emeka Agu <mainmen1985 () gmail com>
Date: Thu, 23 Aug 2012 07:55:43 +0100
Hi there, I've created some code in Scapy to create a successful 3WH and then push a segmented keyword (/root/hacked) over 3 packets. I also created these three rules in snort (I know the rule with no flow direction set is pointless, but I needed it to confirm my findings) 1) alert tcp any any -> $HOME_NET 80 (msg:”Testing TCP”; content:”/root/hacked”; nocase; sid:11112;) 2) alert ip any any -> $HOME_NET 80 (msg:”Testing IP Frag”; content:”/root/hacked”; nocase; sid:11113;) 3) alert tcp any any -> $HOME_NET 80 (msg:”Testing TCP Flow”; flow:to_server, established; content:”/root/hacked”; nocase; sid:11114;) But none of them are alerted when I send the packets. Wireshark manages to see the packets and when I select Follow TCP Stream, and it displays the content in full. IP tables has been turned off too I tested with an earlier evasion attempt just using a fragmented packet where it split the keyword into "/roo" and "t/hacked" and Snort detected it. I used exactly the same destination and source ports, same IP source and destination, too. So I am presuming it's something to do with my snort.conf file. I've left most of the options as default, I just changed the policies to linux, as I am using Backtrack as the Snort IDS Can anyone give me any guidance please? Cheers, Emeka
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- What do I need to configure in snort.conf to protect against segmentation attacks? Emeka Agu (Aug 22)
- Message not available
- Re: What do I need to configure in snort.conf to protect against segmentation attacks? Emeka Agu (Aug 26)
- Re: What do I need to configure in snort.conf to protect against segmentation attacks? Gmail Personal (Aug 26)
- Re: What do I need to configure in snort.conf to protect against segmentation attacks? Emeka Agu (Aug 27)
- Re: What do I need to configure in snort.conf to protect against segmentation attacks? Joel Esler (Aug 27)
- Re: What do I need to configure in snort.conf to protect against segmentation attacks? Joel Esler (Aug 27)
- Re: What do I need to configure in snort.conf to protect against segmentation attacks? Emeka Agu (Aug 26)
- Message not available