<<< Date Index >>>     <<< Thread Index >>>

Re: Re: Verified evasion in Snort



<pre>
There seems to be some confusion about the fragmentation IDS evasion.  We've 
observed 
fragmentation timeouts on windows from 5 seconds to 90 seconds depending on the 
software installed and random chance.  Here are raw dumps from an evasion.  

The mistake Judy Novak made in her analysis was in not recalculating the delay 
between
the first fragment and the other two fragments.  If it is too short the target 
will reassemble
the first two fragments and find an invalid checksum discarding the packet.  No 
ICMP 
response will be sent.

Some experimentation will have to be done to find the correct timeout.  It can 
be done
remotely by increasing the time between two good fragments until a reply isn't 
sent.
(Windows boxes don't seem to send out a frag time exceeded on anything other 
than
the first fragment.)

Here's a packet dump to verify that Snort's frag2 preprocessor is working:

16:04:18.155735 IP (tos 0x0, ttl  64, id 15537, offset 0, flags [+], proto: 
ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: ICMP echo request, id 33334, seq 
83, length 8
        0x0000:  0011 2f7e db0b 000d 93b4 d31a 0800 4500  ../~..........E.
        0x0010:  001c 3cb1 2000 4001 0054 0a04 04d9 0a04  ..<...@..T......
        0x0020:  04fc 0800 5446 8236 0053 5555 5555 5555  ....TF.6.SUUUUUU
        0x0030:  5555 5555 5555 5555 5555 5555            UUUUUUUUUUUU
16:04:18.178271 IP (tos 0x0, ttl  64, id 15537, offset 8, flags [none], proto: 
ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: icmp
        0x0000:  0011 2f7e db0b 000d 93b4 d31a 0800 4500  ../~..........E.
        0x0010:  001c 3cb1 0001 4001 2053 0a04 04d9 0a04  ..<...@..S......
        0x0020:  04fc 4241 4453 5455 4646 5555 5555 5555  ..BADSTUFFUUUUUU
        0x0030:  5555 5555 5555 5555 5555 5555            UUUUUUUUUUUU
16:04:18.178325 IP (tos 0x0, ttl 128, id 57573, offset 0, flags [none], proto: 
ICMP (1), length: 36) 10.4.4.252 > 10.4.4.217: ICMP echo reply, id 33334, seq 
83, length 16
        0x0000:  000d 93b4 d31a 0011 2f7e db0b 0800 4500  ......../~....E.
        0x0010:  0024 e0e5 0000 8001 3c17 0a04 04fc 0a04  .$......<.......
        0x0020:  04d9 0000 5c46 8236 0053 4241 4453 5455  ....\F.6.SBADSTU
        0x0030:  4646 0000 0000 0000 0000 0000            FF..........


[**] [1:384:5] Found BadStuff [**]
[Classification: Misc activity] [Priority: 3] 
02/02-16:04:18.178271 10.4.4.217 -> 10.4.4.252
ICMP TTL:64 TOS:0x0 ID:15537 IpLen:20 DgmLen:36
Type:8  Code:0  ID:33334   Seq:83  ECHO

[**] [1:384:5] Found Generic ICMP Packet [**]
[Classification: Misc activity] [Priority: 3] 
02/02-16:04:18.178271 10.4.4.217 -> 10.4.4.252
ICMP TTL:64 TOS:0x0 ID:15537 IpLen:20 DgmLen:36
Type:8  Code:0  ID:33334   Seq:83  ECHO



With no delay snort properly reassembles the fragments and generates an alert.  
With a delay, the target doesn't reassemble, but
Snort still generates an alert.

16:01:33.951416 IP (tos 0x0, ttl  64, id 12524, offset 0, flags [+], proto: 
ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: ICMP echo request, id 33334, seq 
83, length 8
        0x0000:  0011 2f7e db0b 000d 93b4 d31a 0800 4500  ../~..........E.
        0x0010:  001c 30ec 2000 4001 0c19 0a04 04d9 0a04  ..0...@.........
        0x0020:  04fc 0800 5446 8236 0053 5555 5555 5555  ....TF.6.SUUUUUU
        0x0030:  5555 5555 5555 5555 5555 5555            UUUUUUUUUUUU
16:02:38.281468 IP (tos 0x0, ttl 128, id 57570, offset 0, flags [none], proto: 
ICMP (1), length: 56) 10.4.4.252 > 10.4.4.217: ICMP ip reassembly time 
exceeded, length 36
        IP (tos 0x0, ttl  64, id 12524, offset 0, flags [+], proto: ICMP (1), 
length: 28) 10.4.4.217 > 10.4.4.252: ICMP echo request, id 33334, seq 83, 
length 8
        0x0000:  000d 93b4 d31a 0011 2f7e db0b 0800 4500  ......../~....E.
        0x0010:  0038 e0e2 0000 8001 3c06 0a04 04fc 0a04  .8......<.......
        0x0020:  04d9 0b01 162f 0000 0000 4500 001c 30ec  ...../....E...0.
        0x0030:  2000 4001 0c19 0a04 04d9 0a04 04fc 0800  ..@.............
        0x0040:  5446 8236 0053                           TF.6.S
16:03:04.977353 IP (tos 0x0, ttl  64, id 12524, offset 8, flags [none], proto: 
ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: icmp
        0x0000:  0011 2f7e db0b 000d 93b4 d31a 0800 4500  ../~..........E.
        0x0010:  001c 30ec 0001 4001 2c18 0a04 04d9 0a04  ..0...@.,.......
        0x0020:  04fc 4241 4453 5455 4646 5555 5555 5555  ..BADSTUFFUUUUUU
        0x0030:  5555 5555 5555 5555 5555 5555            UUUUUUUUUUUU

[**] [1:384:5] Found BadStuff [**]
[Classification: Misc activity] [Priority: 3] 
02/02-16:03:04.977353 10.4.4.217 -> 10.4.4.252
ICMP TTL:64 TOS:0x0 ID:12524 IpLen:20 DgmLen:36
Type:8  Code:0  ID:33334   Seq:83  ECHO

[**] [1:384:5] Found Generic ICMP Packet [**]
[Classification: Misc activity] [Priority: 3] 
02/02-16:03:04.977353 10.4.4.217 -> 10.4.4.252
ICMP TTL:64 TOS:0x0 ID:12524 IpLen:20 DgmLen:36
Type:8  Code:0  ID:33334   Seq:83  ECHO


With a delay of 91 seconds, the IDS evasion works and we get back a properly 
reassembled ICMP reply.

15:57:17.846828 IP (tos 0x0, ttl  64, id 12603, offset 8, flags [none], proto: 
ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: icmp
        0x0000:  0011 2f7e db0b 000d 93b4 d31a 0800 4500  ../~..........E.
        0x0010:  001c 313b 0001 4001 2bc9 0a04 04d9 0a04  ..1;..@.+.......
        0x0020:  04fc 474f 4453 5455 4646 5555 5555 5555  ..GODSTUFFUUUUUU
        0x0030:  5555 5555 5555 5555 5555 5555            UUUUUUUUUUUU
15:58:48.873073 IP (tos 0x0, ttl  64, id 12603, offset 0, flags [+], proto: 
ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: ICMP echo request, id 33334, seq 
83, length 8
        0x0000:  0011 2f7e db0b 000d 93b4 d31a 0800 4500  ../~..........E.
        0x0010:  001c 313b 2000 4001 0bca 0a04 04d9 0a04  ..1;..@.........
        0x0020:  04fc 0800 5446 8236 0053 5555 5555 5555  ....TF.6.SUUUUUU
        0x0030:  5555 5555 5555 5555 5555 5555            UUUUUUUUUUUU
15:58:48.892586 IP (tos 0x0, ttl  64, id 12603, offset 8, flags [none], proto: 
ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: icmp
        0x0000:  0011 2f7e db0b 000d 93b4 d31a 0800 4500  ../~..........E.
        0x0010:  001c 313b 0001 4001 2bc9 0a04 04d9 0a04  ..1;..@.+.......
        0x0020:  04fc 4241 4453 5455 4646 5555 5555 5555  ..BADSTUFFUUUUUU
        0x0030:  5555 5555 5555 5555 5555 5555            UUUUUUUUUUUU
15:58:48.892644 IP (tos 0x0, ttl 128, id 57559, offset 0, flags [none], proto: 
ICMP (1), length: 36) 10.4.4.252 > 10.4.4.217: ICMP echo reply, id 33334, seq 
83, length 16
        0x0000:  000d 93b4 d31a 0011 2f7e db0b 0800 4500  ......../~....E.
        0x0010:  0024 e0d7 0000 8001 3c25 0a04 04fc 0a04  .$......<%......
        0x0020:  04d9 0000 5c46 8236 0053 4241 4453 5455  ....\F.6.SBADSTU
        0x0030:  4646 0000 0000 0000 0000 0000            FF..........


There were no snort alerts.  We haven't tried frag3, but fragments generally 
aren't delayed in the wild so an 
alert on all fragments more than a second apart would probably be effective.


Jason Larsen
Mike Milvich

</pre>