BugTraq
Problems with Snort-1.9.1 Mar 27 2003 03:16AM
Toby Miller (toby_miller adelphia net)

Problem: Snort-1.9.1 using a default snort.conf configuration does
not detect certain crafted packets.

Details: Snort-1.9.1 does not detect packets when the SYN, FIN and ECN
echo bits are set. The following is an example of such a packet:

12:37:12.386797 10.1.1.6.18250 > 10.1.1.2.21536: SFE [tcp sum ok] 1178601305:1178601305(0) win 512 (ttl 104, id 5100, len 40)
0x0000 4500 0028 13ec 0000 6806 28db 0a01 0106   E..(....h.(.....
0x0010 0a01 0102 474a 5420 4640 0759 0bec 8b73   ....GJT.F@.Y...s
0x0020 5043 0200 1735 0000                       PC...5..

Testing: In order to test this I used hping2 and the following
switches:

hping2 -t 104 -N -W -s 18245 -p 21536 -S -F -X 'IP Address'

When performing this test I found that Snort would detect a SYN,FIN
packet provided that the ECN echo bit was not set in the same
packet.

Problem: With the detect_scans option set in the stream4 preprocessor
Snort would not detect these packets.

Impact: Snort will not catch certain scans or attacks using these
TCP/IP flags.

Solution: Upgrade to Snort-2.0.0rc1
(www.snort.org/dl/snort-2.0.0rc1.tar.gz), or if you need to use
Snort-1.9.1 to detect these packets, one would have to enable the
portscan preprocessor or delete the detect_scans option in the stream4
preprocessor.

I would like to thank Chris Green of Snort for responding quickly to
this problem.

Thanks,
Toby

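Added example, not part of Toby's post or of Snort: a small Python check that decodes the TCP flags from the packet bytes quoted above and contrasts an exact SYN/FIN comparison (which misses this packet because the ECN-echo bit is also set) with a comparison that clears the two ECN bits before matching, the behaviour a detection rule needs (Snort's rule language writes it as `flags:SF,12`). The flag-name order follows tcpdump so the decoded string reads "SFE".

```python
# Added example (not from the original post): decode TCP flags from the
# packet quoted in the advisory and show why an exact SYN/FIN match
# misses a packet that also carries the ECN-echo bit.

# Packet copied from the tcpdump hex dump in the post (40 bytes, IP + TCP).
PKT_HEX = (
    "4500 0028 13ec 0000 6806 28db 0a01 0106"
    "0a01 0102 474a 5420 4640 0759 0bec 8b73"
    "5043 0200 1735 0000"
)
PKT = bytes.fromhex(PKT_HEX.replace(" ", ""))

# TCP flag bits as laid out in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
# Printed in tcpdump's order so that this packet decodes as "SFE".
NAMES = [(SYN, "S"), (FIN, "F"), (RST, "R"), (PSH, "P"),
         (ACK, "A"), (URG, "U"), (ECE, "E"), (CWR, "C")]


def tcp_flags(pkt: bytes) -> int:
    """Return the TCP flags byte of an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4                   # IP header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 14:      # IP protocol 6 = TCP
        raise ValueError("not an IPv4/TCP packet")
    return pkt[ihl + 13]                        # 14th byte of the TCP header


def flag_str(flags: int) -> str:
    return "".join(name for bit, name in NAMES if flags & bit)


def exact_match(flags: int, want: int) -> bool:
    """Naive check: the flags byte must equal `want` exactly."""
    return flags == want


def masked_match(flags: int, want: int, ignore: int = ECE | CWR) -> bool:
    """Match `want` after clearing the bits in `ignore` (the ECN bits by
    default), which is what a Snort rule with `flags:SF,12` does."""
    return (flags & ~ignore & 0xFF) == want


if __name__ == "__main__":
    f = tcp_flags(PKT)
    print(f"flags=0x{f:02x} ({flag_str(f)})")
    print("exact SF match :", exact_match(f, SYN | FIN))   # False
    print("masked SF match:", masked_match(f, SYN | FIN))  # True
```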