Problems with Snort-1.9.1

From: Toby Miller (toby_millerat_private)
Date: Wed Mar 26 2003 - 19:16:22 PST


Problem: Snort-1.9.1 using a default snort.conf configuration does
not detect certain crafted packets.
    
Details: Snort-1.9.1 does not detect packets in which the SYN, FIN and
ECN-echo (ECE) bits are all set. The following is an example of such a
packet, as shown by tcpdump:
    
12:37:12.386797 10.1.1.6.18250 > 10.1.1.2.21536: SFE [tcp sum ok]
1178601305:1178601305(0) win 512 (ttl 104, id 5100, len 40)
0x0000   4500 0028 13ec 0000 6806 28db 0a01 0106        E..(....h.(.....
0x0010   0a01 0102 474a 5420 4640 0759 0bec 8b73        ....GJT.F@.Y...s
0x0020   5043 0200 1735 0000                            PC...5..
    
    
Testing: In order to test this I used hping2 and the following
switches:
    
hping2 -t 104 -N -W -s 18245 -p 21536 -S -F -X 'IP Address'
    
When performing this test I found that Snort would detect a SYN,FIN
packet provided that the ECN echo packet was not set in the same
packet.
    
Problem: With the detect_scans option set in the stream4 preprocessor,
Snort does not alert on these packets.
    
Impact: Snort will not catch certain scans or attacks using these
TCP/IP flags.
    
Solution: Upgrade to Snort-2.0.0rc1
(www.snort.org/dl/snort-2.0.0rc1.tar.gz). If you need to stay on
Snort-1.9.1 and still detect these packets, enable the portscan
preprocessor or delete the detect_scans option from the stream4
preprocessor.
    
I would like to thank Chris Green of Snort for responding quickly to
this problem.
    
Thanks,
Toby
    
    



This archive was generated by hypermail 2b30 : Thu Mar 27 2003 - 17:16:54 PST