Re: sidestep

From: Brian (bmc_at_snort.org)
Date: 05/04/03

  • Next message: Judy Novak: "Re: sidestep"

    Date: Sun, 4 May 2003 13:08:10 -0400
    To: Jill Tovey <jill.tovey@bigbluedoor.com>


    On Tue, Apr 29, 2003 at 01:28:54PM +0100, Jill Tovey wrote:
    > [**] RPC portmap listing [**]
    > 04/29-12:57:58.607580 192.168.0.10:1471 -> 192.168.0.2:111
    > TCP TTL:128 TOS:0x0 ID:10424 IpLen:20 DgmLen:240 DF
    > ***AP*** Seq: 0x19B53290 Ack: 0xB60B1018 Win: 0x4470 TcpLen: 20
    > 80 00 00 28 00 00 00 00 00 00 00 00 00 00 00 02 ...(............
    > 00 01 86 A0 00 00 00 02 00 00 00 04 00 00 00 00 ................
    > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    > 01 00 00 00 00 01 00 00 00 00 01 02 00 00 00 01 ................
    > 00 00 00 00 01 01 00 00 00 01 86 00 00 00 01 A0 ................
    > 00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00 ................
    > 00 00 01 02 00 00 00 01 00 00 00 00 01 00 00 00 ................
    > 00 01 00 00 00 00 01 04 00 00 00 01 00 00 00 00 ................
    > 01 00 00 00 00 01 00 00 00 00 01 00 00 00 00 01 ................
    > 00 00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 ................
    > 00 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00 ................
    > 00 00 01 00 00 00 00 01 00 00 00 00 01 00 00 00 ................
    > 00 01 00 80 00 00 01 00 ........
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    > Anyway, as you can see the packet data is very different, but the first
    > 44 bytes are the same; this is probably why snort is detecting the
    > attack.
    > So would anyone like to attempt an explanation as to how this tries to
    > evade snort?

    You are looking at the decoded version of the packet. Right now, the
    rpc decoder inside of snort decodes on top of the original packet
    instead of writing the decoded version into a temporary buffer.

    -brian
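    What Brian describes can be checked against the numbers in Jill's dump.
    DgmLen 240 less a 20-byte IP header and a 20-byte TCP header leaves 200
    bytes of TCP payload. The first 44 bytes shown are one RPC record mark
    (80 00 00 28: last fragment, length 40) followed by a 40-byte portmap
    DUMP call (program 0x186A0 = 100000, version 2, procedure 4, AUTH_NULL
    credential and verifier). Forty one-byte record fragments, each behind
    its own 4-byte record mark, are also exactly 200 bytes, and the rest of
    the dump reads as exactly that: from offset 44 on, every fifth byte is
    the next byte of the call and the four bytes between them are the
    00 00 00 01 (or, at the very end, 80 00 00 01) record mark of the
    original fragment. The decoder reassembled the record, wrote the
    44-byte result over the front of the packet, and the alert logged the
    mixture.

    The Python below is an added illustration, not Snort's rpc_decode code
    and not from the original thread. It builds the same call, splits it
    into one-byte record fragments, and contrasts decoding in place with
    decoding into a separate buffer. The fragment layout, the xid and the
    function names are constructed for the example.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAP_DUMP = 100000, 2, 4   # portmapper, v2, DUMP
LAST_FRAG = 0x80000000                            # high bit of an RPC record mark


def portmap_dump_call(xid=0):
    """Build one ONC RPC v2 CALL for portmap DUMP with AUTH_NULL, no record mark.

    Fields: xid, msg_type (0 = CALL), rpcvers, prog, vers, proc, then a
    credential and a verifier, each a flavor (0 = AUTH_NULL) and a length (0).
    Ten big-endian 32-bit words, 40 bytes. xid=0 is a constructed value.
    """
    return struct.pack("!10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAP_DUMP, 0, 0, 0, 0)


def fragment(body, sizes):
    """Split body into record fragments of the given sizes (constructed input).

    Every fragment gets a 4-byte record mark holding its length; only the last
    one has LAST_FRAG set. A plain client sends a single fragment, sizes=[40].
    """
    if sum(sizes) != len(body):
        raise ValueError("fragment sizes must cover the body exactly")
    out, pos = b"", 0
    for i, n in enumerate(sizes):
        mark = n | (LAST_FRAG if i == len(sizes) - 1 else 0)
        out += struct.pack("!I", mark) + body[pos:pos + n]
        pos += n
    return out


def reassemble(data):
    """Walk record marks and concatenate fragment payloads up to LAST_FRAG.

    Returns (record_body, bytes_consumed). Raises on a truncated stream so a
    caller never treats a half-read record as decoded.
    """
    pos, body = 0, b""
    while pos + 4 <= len(data):
        (mark,) = struct.unpack_from("!I", data, pos)
        n = mark & 0x7FFFFFFF
        pos += 4
        if pos + n > len(data):
            raise ValueError("truncated fragment")
        body += data[pos:pos + n]
        pos += n
        if mark & LAST_FRAG:
            return body, pos
    raise ValueError("no final fragment in record")


def normalized_record(body):
    """One record mark with LAST_FRAG set followed by the whole body."""
    return struct.pack("!I", len(body) | LAST_FRAG) + body


def decode_in_place(pkt):
    """Model of the in-place strategy: overwrite the packet buffer itself.

    pkt is a bytearray holding the TCP payload. The normalized record is
    written over the start of it; because it is shorter than the fragmented
    original, the tail of the old bytes stays behind, and anything that later
    logs pkt (an alert's packet dump) sees this mixture, not the wire bytes.
    """
    body, _ = reassemble(bytes(pkt))
    norm = normalized_record(body)
    pkt[:len(norm)] = norm
    return pkt


def decode_to_buffer(pkt):
    """Alternative: leave pkt untouched and hand detection a separate copy."""
    body, _ = reassemble(bytes(pkt))
    return normalized_record(body)


def parse_call_header(record):
    """Read prog/vers/proc from a normalized record (mark + call header)."""
    _, _, _, _, prog, vers, proc = struct.unpack_from("!7I", record, 0)
    return {"prog": prog, "vers": vers, "proc": proc}


if __name__ == "__main__":
    # 40 one-byte fragments: 40 * (4 + 1) = 200 bytes of TCP payload
    wire = fragment(portmap_dump_call(), [1] * 40)
    logged = decode_in_place(bytearray(wire))
    print(len(wire), len(logged), logged[:44].hex())
    print(parse_call_header(decode_to_buffer(bytearray(wire))))
```

    Run stand-alone it prints 200, 200 and a hex string starting with
    8000002800000000, i.e. the same 44-byte prefix as the dump above, with
    the 00 00 00 01 marks of the original fragments still sitting behind it.
    The decode_to_buffer variant gives detection the same 44 bytes while the
    logged packet stays byte-for-byte what was on the wire.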
