attacks against snort-1.8.3, reported Jan 28, 2002:

1. older TCP retransmission chaff (snort's TCP segment reassembly
   seems to always favor newer data, even for properly sequenced
   received data):

        tcp_seg 1
        tcp_chaff rexmit
        order random

2. forward TCP segmentation overlap, favoring newer data (both Windows
   and Unix operate this way, in contrast to Ptacek and Newsham's
   results):

        tcp_seg 1 new

3. chaff TCP segments with older TCP timestamp options forcing PAWS
   elimination:

        tcp_seg 1
        tcp_chaff paws
        order random

4. older IP fragment duplicates (snort's IP fragment reassembly seems
   to always favor newer data, even for properly sequenced received
   data):

        ip_frag 8
        ip_chaff dup
        order random

5. IP duplicate fragment chaff with bad options:

        ip_frag 8
        ip_chaff opt
        order random

6. either TCP or IP chaffing with short TTLs (that expire before
   reaching the end host, but pass by the monitor):

        ip_frag 8
        ip_ttl 11
        ip_chaff 10
        order random

        tcp_seg 1
        ip_ttl 11
        tcp_chaff 10
        order random

there are probably timing attacks against snort's reassembly possible
as well, but i haven't played with it enough to see.
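
added example (not part of the original notes, and not snort or fragroute code): a small model of the reassembly ambiguity behind items 1 and 6, showing how a monitor that lets newer data win can rebuild a different stream than the end host, and how a check for disagreeing overlaps catches it. CAPTURE, the function names, the "first"/"last" policy labels and the hop count are all assumptions made for the illustration.

```python
# added example: a model of reassembly policy, not snort's or any real stack's code.
# CAPTURE is constructed: (relative seq, payload, ttl) in arrival order at the monitor.
CAPTURE = [
    (0, b"r", 64), (0, b"x", 64),   # in-sequence byte, then a differing duplicate
    (1, b"o", 64), (1, b"y", 64),
    (2, b"o", 64), (2, b"z", 3),    # this duplicate's TTL runs out before the host
    (3, b"t", 64),
]

def reassemble(segments, policy):
    """Rebuild the stream; 'first' keeps the earliest byte per offset,
    'last' lets later arrivals overwrite it."""
    stream = {}
    for seq, data, _ttl in segments:
        for i, byte in enumerate(data):
            if policy == "last" or seq + i not in stream:
                stream[seq + i] = byte
    out = bytearray()
    while len(out) in stream:        # stop at the first hole in sequence space
        out.append(stream[len(out)])
    return bytes(out)

def host_view(segments, hops_to_host):
    """Segments that survive the routers between monitor and end host
    (assumed model: a packet arrives only if its TTL exceeds the hop count)."""
    return [s for s in segments if s[2] > hops_to_host]

def conflicting_offsets(segments):
    """Offsets where two segments disagree. An honest retransmission repeats
    the same bytes, so any disagreement deserves an alert."""
    seen, bad = {}, set()
    for seq, data, _ttl in segments:
        for i, byte in enumerate(data):
            if seen.setdefault(seq + i, byte) != byte:
                bad.add(seq + i)
    return sorted(bad)

if __name__ == "__main__":
    print("monitor, newest wins:", reassemble(CAPTURE, "last"))
    print("host, oldest wins:   ", reassemble(host_view(CAPTURE, 5), "first"))
    print("conflicting offsets: ", conflicting_offsets(CAPTURE))
```

the monitor only matches the host when it applies the host's overlap policy and knows how many hops away the host is; the conflict check works without either.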