Name           Date         Size     #Lines  LOC
..             03-May-2022  -
Makefile.am    15-Apr-2002  252      8       3
Makefile.in    15-Apr-2002  4.4 KiB  181     128
README.snort   15-Apr-2002  1.1 KiB  55      38
base-1         23-Jan-2002  6        2       1
frag-1         23-Jan-2002  16       3       2
frag-2         23-Jan-2002  17       3       2
frag-3         23-Jan-2002  29       4       3
frag-4         27-Jan-2002  29       4       3
frag-5         27-Jan-2002  42       5       4
frag-6         23-Jan-2002  30       4       3
frag-7-unix    23-Jan-2002  21       3       2
frag-7-win32   23-Jan-2002  21       3       2
ins-2          23-Jan-2002  32       4       3
ins-3          23-Jan-2002  31       4       3
tcbc-2         23-Jan-2002  30       4       3
tcp-3          27-Jan-2002  29       4       3
tcp-5          23-Jan-2002  20       3       2
tcp-7          23-Jan-2002  30       4       3
tcp-9          23-Jan-2002  29       4       3
README.snort


attacks against snort-1.8.3, reported Jan 28, 2002:

1. older TCP retransmission chaff (snort's TCP segment reassembly
   seems to always favor newer data, even for properly sequenced
   received data):

	tcp_seg 1
	tcp_chaff rexmit
	order random

2. forward TCP segmentation overlap, favoring newer data (both Windows
   and Unix operate this way, in contrast to Ptacek and Newsham's
   results):

	tcp_seg 1 new

3. chaff TCP segments with older TCP timestamp options forcing PAWS
   elimination:

	tcp_seg 1
	tcp_chaff paws
	order random

4. older IP fragment duplicates (snort's IP fragment reassembly seems
   to always favor newer data, even for properly sequenced received
   data):

	ip_frag 8
	ip_chaff dup
	order random

5. IP duplicate fragment chaff with bad options:

	ip_frag 8
	ip_chaff opt
	order random

6. either TCP or IP chaffing with short TTLs (that expire before
   reaching the end host, but pass by the monitor):

	ip_frag 8
	ip_ttl 11
	ip_chaff 10
	order random

	tcp_seg 1
	ip_ttl 11
	tcp_chaff 10
	order random

there are probably timing attacks against snort's reassembly possible
as well, but i haven't played with it enough to see.
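
The ambiguity behind items 1, 2 and 4, as an added Python example that is not part of fragroute or snort: a toy reassembler applies either a favor-old or a favor-new overlap policy to the same pieces and reports the offsets where two arrivals disagreed, which is the condition a monitor can alert on whichever policy it uses. The function names and the sample bytes are constructed for this illustration.

```python
# Toy model of overlap handling in TCP segment / IP fragment reassembly.
# All names and data here are constructed for illustration.

def reassemble(pieces, policy):
    """Rebuild a byte stream from (offset, data) pieces in arrival order.

    policy "old": bytes already held win over later arrivals.
    policy "new": later arrivals overwrite bytes already held.
    Returns (stream, conflicts), where conflicts is the sorted list of
    offsets at which a later arrival carried a different byte.
    """
    if policy not in ("old", "new"):
        raise ValueError("policy must be 'old' or 'new'")
    held = {}          # stream offset -> byte value currently kept
    conflicts = set()  # offsets where overlapping data disagreed
    for offset, data in pieces:
        for i, byte in enumerate(data):
            pos = offset + i
            if pos not in held:
                held[pos] = byte
            elif held[pos] != byte:
                conflicts.add(pos)
                if policy == "new":
                    held[pos] = byte
    end = max(held) + 1 if held else 0
    # Offsets never received are rendered as "?" so gaps stay visible.
    stream = bytes(held.get(p, ord("?")) for p in range(end))
    return stream, sorted(conflicts)


def policies_diverge(pieces):
    """True when a favor-old and a favor-new reassembler see different data."""
    return reassemble(pieces, "old")[0] != reassemble(pieces, "new")[0]


# Constructed sample: two in-order pieces, then a retransmission of
# offset 6 whose bytes differ from what was already received.
PIECES = [(0, b"HELLO "), (6, b"WORLD"), (6, b"XXXXX")]

if __name__ == "__main__":
    for policy in ("old", "new"):
        stream, conflicts = reassemble(PIECES, policy)
        print(policy, stream, "conflicting offsets:", conflicts)
    print("monitor and host can disagree:", policies_diverge(PIECES))
```

A retransmission that repeats identical bytes produces no conflicts, so the conflict list separates ordinary retransmits from overlaps whose content differs.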