lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060201212201.2613.qmail@securityfocus.com>
Date: 1 Feb 2006 21:22:01 -0000
From: mwatchinski@...rcefire.com
To: bugtraq@...urityfocus.com
Subject: Re: Verified evasion in Snort


This and other target base fragmentation evasions are the reason we re-wrote the fragmentation engine in Snort.

If you look at Judy Novak's Frag3 Development paper, Snort's latest fragmentation engine (frag3) supports target-based fragmentation policies for overlaps, ttl evasions, and timeouts. This can be configured on a per IP basis to allow exact emulation of how the end host handles fragmentation reassembly.

Here is a sample configuration that could be used for frag3. This configuration would handle the evasion outlined in the advisory.  This configuration is based on the 5 second timeout used in the PoC code provided.

	preprocessor frag3_engine: policy first \
	bind_to 10.2.1.0/24 \
	timeout 5 \
	detect_anomalies

>From our testing, Windows XP actually has a 1 minute timeout for fragments. The actual configuration to handle this evasion would be the following:

	preprocessor frag3_engine: policy first \
	bind_to 10.2.1.0/24 \
	timeout 60 \
	detect_anomalies

For the VRT's detailed analysis of the PoC tool and the advisory please see:

http://www.snort.org/rules/docs/vrt/evasion_snort_v233.html


Cheers,
Matthew Watchinski
Director, Vulnerability Research
Sourcefire, Inc.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ