> bastion hosts. Most firewalls these days (especially Linux and OpenBSD
> ones) actually do reassembly inbound. This was an interesting point ...
> So in practice, the fragment level obfuscations are usually hidden/scrubbed
> from internal snort sensors by the firewalls..

This is NOT true. At least the Cisco PIX and (correct me if I am wrong) Checkpoint FW-1, which together represent MOST firewalls out there, do not perform true reassembly. The PIX, for example, collects all the fragments, checks them for some basic overlaps (like TCP header overwrite) and then passes them on as they were originally fragmented. According to Lance's paper, if Checkpoint has not modified their code in FW-1 NG, roughly the same thing will happen.

Also, you focus on an IDS as always being behind the firewall, which is often not the case. Perhaps there are no firewalls around at all.

Here are some references on FW-1:

http://www.enteract.com/~lspitz/fwtable.html
http://www.phoneboy.com/faq/0420.html

The real issue has always been about HOW the IDS tries to reassemble frags, when it has no idea how the target would reassemble them. In every possible way? For me, it is often enough for an IDS to alarm about suspicious fragmentation events, which can be investigated by a human if enough forensics are available.

But from this point, let's not go into the debate whether folks who use PIX or FW-1 also commonly use Snort ;)

Regards,
Jan

Jan Bervar
Data Communications Specialist, CCIE #2527
Consulting Engineer
NIL Data Communications, Einspielerjeva 6, 1000 Ljubljana, Slovenia
Phone +386 1 4746 500 Fax +386 1 4746 501
http://www.NIL.si
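The reassembly ambiguity Jan raises (an IDS cannot know which overlapping fragment the target will honour) is illustrated below with an added example that is not part of the original post: the same constructed fragment set reassembled under a "first wins" and a "last wins" policy gives two different datagrams, and an overlap check flags the event as suspicious fragmentation worth alarming on. Offsets are plain byte offsets rather than IP's 8-octet units, a simplification for readability.

```python
# Added example (not from the original post). Fragments are constructed here as
# (offset, payload) tuples; offsets are byte offsets into the reassembled datagram.

def reassemble(frags, policy="first"):
    """Reassemble payload bytes. On overlap keep the first-arriving data
    (policy="first") or the last-arriving data (policy="last")."""
    total = max(off + len(data) for off, data in frags)
    buf = bytearray(total)
    filled = [False] * total
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "first" and filled[pos]:
                continue  # an earlier fragment already supplied this byte
            buf[pos] = byte
            filled[pos] = True
    if not all(filled):
        return None  # a hole means the datagram is incomplete
    return bytes(buf)

def overlapping_fragments(frags):
    """True if any two fragments cover a common byte range (the event an IDS
    can alarm on without guessing the target's reassembly behaviour)."""
    max_end = -1
    for start, end in sorted((off, off + len(data)) for off, data in frags):
        if start < max_end:
            return True
        max_end = max(max_end, end)
    return False

# Constructed sample: the third fragment arrives last and overlaps bytes 4-7
# of the first fragment with different data.
FRAGS = [
    (0, b"ABCDEFGH"),
    (8, b"IJKLMNOP"),
    (4, b"wxyz"),
]

if __name__ == "__main__":
    print("first-wins:", reassemble(FRAGS, "first"))
    print("last-wins: ", reassemble(FRAGS, "last"))
    print("overlap:   ", overlapping_fragments(FRAGS))
```

Two reassembly policies, two different datagrams from identical packets on the wire; the overlap check gives the analyst the "suspicious fragmentation event" without committing the sensor to either policy.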
This archive was generated by hypermail 2b30 : Sat Apr 20 2002 - 13:15:29 PDT