
Re: Verified evasion in Snort



This and other target-based fragmentation evasions are the reason we rewrote 
the fragmentation engine in Snort.

If you look at Judy Novak's Frag3 Development paper, Snort's latest 
fragmentation engine (frag3) supports target-based fragmentation policies for 
overlaps, ttl evasions, and timeouts. This can be configured on a per IP basis 
to allow exact emulation of how the end host handles fragmentation reassembly.

Here is a sample configuration that could be used for frag3. This configuration 
would handle the evasion outlined in the advisory.  This configuration is based 
on the 5 second timeout used in the PoC code provided.

        preprocessor frag3_engine: policy first \
        bind_to 10.2.1.0/24 \
        timeout 5 \
        detect_anomalies

From our testing, Windows XP actually has a 1 minute timeout for fragments. 
The actual configuration to handle this evasion would be the following:

        preprocessor frag3_engine: policy first \
        bind_to 10.2.1.0/24 \
        timeout 60 \
        detect_anomalies

For the VRT's detailed analysis of the PoC tool and the advisory please see:

http://www.snort.org/rules/docs/vrt/evasion_snort_v233.html


Cheers,
Matthew Watchinski
Director, Vulnerability Research
Sourcefire, Inc.
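The point of the two configurations above is that the sensor's reassembly timeout and overlap policy must match the target host's, or the sensor will see a different datagram than the host does. The following toy reassembler is an added illustration, not code from the post or from Snort's frag3; it models a "first" overlap policy and a per-host timeout, and the fragments, timestamps and payloads are constructed for the example. Only the 5 second and 60 second timeouts and the "first" policy come from the post.

```python
"""Toy target-based IP fragment reassembler (illustration only; not frag3).

Shows why the sensor's fragment timeout has to match the end host's:
with a shorter timeout the sensor discards a pending fragment that the
host still holds, and the two reassemble different (or no) datagrams.
All fragments, timestamps and payload bytes below are constructed.
"""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Fragment:
    offset: int     # byte offset of this fragment within the datagram
    data: bytes     # fragment payload
    more: bool      # IP "more fragments" flag
    ts: float       # arrival time in seconds (constructed)


@dataclass
class Reassembler:
    timeout: float                 # seconds a partial datagram is kept
    policy: str = "first"          # "first": earliest bytes win on overlap; "last": latest win
    frags: List[Fragment] = field(default_factory=list)
    start_ts: Optional[float] = None
    anomalies: List[Tuple[str, int]] = field(default_factory=list)

    def feed(self, frag: Fragment) -> Optional[bytes]:
        """Add one fragment; return the datagram once it is complete, else None."""
        if self.start_ts is None:
            self.start_ts = frag.ts
        elif frag.ts - self.start_ts > self.timeout:
            # Pending set has expired: drop it and start a fresh one with this fragment.
            self.anomalies.append(("timeout", frag.offset))
            self.frags = []
            self.start_ts = frag.ts
        self.frags.append(frag)
        return self._try_reassemble()

    def _try_reassemble(self) -> Optional[bytes]:
        tails = [f for f in self.frags if not f.more]
        if not tails:
            return None                       # total length unknown until the last fragment arrives
        total = max(f.offset + len(f.data) for f in tails)
        buf = bytearray(total)
        filled = bytearray(total)             # 1 where a byte has already been written
        for f in self.frags:                  # arrival order
            for i, b in enumerate(f.data):
                pos = f.offset + i
                if pos >= total:
                    continue
                if filled[pos]:
                    if buf[pos] != b:
                        self.anomalies.append(("overlap", pos))
                    if self.policy == "first":
                        continue              # keep the earlier fragment's byte
                buf[pos] = b
                filled[pos] = 1
        return bytes(buf) if all(filled) else None


def compare(host_timeout: float, sensor_timeout: float,
            frags: List[Fragment], policy: str = "first"):
    """Feed the same fragments to a host model and a sensor model; return both results."""
    host = Reassembler(timeout=host_timeout, policy=policy)
    sensor = Reassembler(timeout=sensor_timeout, policy=policy)
    host_out = sensor_out = None
    for f in frags:
        host_out = host.feed(f) or host_out
        sensor_out = sensor.feed(f) or sensor_out
    return host_out, sensor_out


# Constructed scenario: first fragment, an overlapping retransmission with
# different bytes one second later, then the final fragment after a 30 s gap.
SAMPLE_FRAGS = [
    Fragment(0, b"HELLO ", True, 0.0),
    Fragment(0, b"JELLO ", True, 1.0),
    Fragment(6, b"WORLD", False, 30.0),
]

if __name__ == "__main__":
    # Sensor at 5 s (as in the first configuration) vs. a host holding fragments for 60 s.
    print("host 60 s / sensor 5 s :", compare(60, 5, SAMPLE_FRAGS))
    # Sensor at 60 s (as in the corrected configuration) sees what the host sees.
    print("host 60 s / sensor 60 s:", compare(60, 60, SAMPLE_FRAGS))
```

With the 5 second sensor timeout the sensor throws away the first two fragments when the last one arrives at t=30 and never completes the datagram, while the 60 second host model reassembles "HELLO WORLD"; with matching 60 second timeouts both produce the same bytes, and the "first" policy is what makes the overlapping "JELLO" retransmission lose to the original "HELLO". The `detect_anomalies` option in the configurations above corresponds to logging events like the overlap and timeout entries this model collects.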