| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 1 Feb 2006 21:22:01 -0000 From: mwatchinski@...rcefire.com To: bugtraq@...urityfocus.com Subject: Re: Verified evasion in Snort This and other target base fragmentation evasions are the reason we re-wrote the fragmentation engine in Snort. If you look at Judy Novak's Frag3 Development paper, Snort's latest fragmentation engine (frag3) supports target-based fragmentation policies for overlaps, ttl evasions, and timeouts. This can be configured on a per IP basis to allow exact emulation of how the end host handles fragmentation reassembly. Here is a sample configuration that could be used for frag3. This configuration would handle the evasion outlined in the advisory. This configuration is based on the 5 second timeout used in the PoC code provided. preprocessor frag3_engine: policy first \ bind_to 10.2.1.0/24 \ timeout 5 \ detect_anomalies >From our testing, Windows XP actually has a 1 minute timeout for fragments. The actual configuration to handle this evasion would be the following: preprocessor frag3_engine: policy first \ bind_to 10.2.1.0/24 \ timeout 60 \ detect_anomalies For the VRT's detailed analysis of the PoC tool and the advisory please see: http://www.snort.org/rules/docs/vrt/evasion_snort_v233.html Cheers, Matthew Watchinski Director, Vulnerability Research Sourcefire, Inc.
Powered by blists - more mailing lists