john blaze created BIT-1062:
-------------------------------
Summary: Issues fragmented packets and BRO
Key: BIT-1062
URL: https://bro-tracker.atlassian.net/browse/BIT-1062
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: 2.1
Environment: Ubuntu/Debian
Reporter: john blaze
Attachments: fraggy_out_EVILSTUFF, more_frag.pcap
I was doing some testing with fragmented attacks trying to bypass IDS sensors
and noticed that BRO does not identify/populate the SRC & DST IPs in the weird
log and other fields such as the URI in the http.log when doing stuff like:
>>> from scapy.all import IP, ICMP, fragment, send
>>> f = fragment(IP(dst="80.69.77.211")/ICMP()/("X"*50), fragsize=10)
>>> for frag in f:
...     send(frag)
1377062338.222065 - - - - - excessively_small_fragment - F bro
Also, I fragmented a GET /EVILSTUFF HTTP request, and noticed:
1377056289.770819 - - - - - excessively_small_fragment - F bro
1377056289.787032 - - - - - fragment_inconsistency - F bro
1377056290.141267 iL6Ki3ncjV1 192.168.1.5 17384 192.168.1.16 80 unmatched_HTTP_reply - F bro
PCAPs are attached.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://bro-tracker.atlassian.net/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
bro-dev mailing list
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
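The weird.log entries quoted in the report show the practical problem for an analyst: fragment weirds arrive with every endpoint field set to "-", so they cannot be pivoted on by IP and must be attributed from the pcap by timestamp. The following triage script is an added example, not part of the bug report or of Bro itself; it assumes the Bro 2.1 weird.log column order (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, name, addl, notice, peer) with "-" marking an unset field, and the sample log is constructed to mirror the entries above.

```python
"""Triage Bro weird.log records that carry no connection context.

Added example (not Bro's own code). Assumes the Bro 2.1 weird.log column
order; '-' marks an unset field.
"""
from collections import Counter

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
          "name", "addl", "notice", "peer"]

# Fragment-related weird names seen in the report; extend as needed.
FRAGMENT_WEIRDS = {"excessively_small_fragment", "fragment_inconsistency"}

# Constructed sample modelled on the report's entries (tab-separated).
SAMPLE_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer
1377062338.222065\t-\t-\t-\t-\t-\texcessively_small_fragment\t-\tF\tbro
1377056289.770819\t-\t-\t-\t-\t-\texcessively_small_fragment\t-\tF\tbro
1377056289.787032\t-\t-\t-\t-\t-\tfragment_inconsistency\t-\tF\tbro
1377056290.141267\tiL6Ki3ncjV1\t192.168.1.5\t17384\t192.168.1.16\t80\tunmatched_HTTP_reply\t-\tF\tbro
"""


def parse_weird_log(text):
    """Yield one dict per record, skipping '#' header/comment lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(FIELDS, parts))


def triage(text, fragment_names=FRAGMENT_WEIRDS):
    """Return (counts_by_weird_name, anonymous_fragment_records).

    An 'anonymous' record is a fragment weird with neither source nor
    destination IP logged; the analyst has to go back to the pcap and
    locate the fragments by timestamp to attribute it.
    """
    counts = Counter()
    anonymous = []
    for rec in parse_weird_log(text):
        counts[rec["name"]] += 1
        if (rec["name"] in fragment_names
                and rec["orig_h"] == "-" and rec["resp_h"] == "-"):
            anonymous.append((float(rec["ts"]), rec["name"]))
    return counts, anonymous


if __name__ == "__main__":
    _, anon = triage(SAMPLE_LOG)
    for ts, name in anon:
        print(f"{ts:.6f} {name}: no endpoints logged, check the pcap at this time")
```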