[ https://bro-tracker.atlassian.net/browse/BIT-1062?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14000#comment-14000 ]

Jon Siwek commented on BIT-1062:
--------------------------------

{quote}
I was doing some testing with fragmented attacks trying to bypass IDS sensors 
and noticed that BRO does not identify/populate the SRC & DST IP's in the weird 
log
{quote}

They're probably missing since the weird log field is a conn_id (hosts and 
ports), but flow_weirds (like what happens w/ IP fragments in this case) would 
only have available the hosts, but not ports.

Seth, would it make sense to create a dummy conn_id w/ 0/unknown for the ports 
so that hosts can at least be logged?

{quote}
... and other fields such as the URI in the http.log ...
{quote}
{quote}
Also, I fragmented a GET /EVILSTUFF HTTP request, and noticed:
1377056289.770819 - - - - - excessively_small_fragment - F bro
1377056289.787032 - - - - - fragment_inconsistency - F bro
1377056290.141267 iL6Ki3ncjV1 192.168.1.5 17384 192.168.1.16 80 unmatched_HTTP_reply - F bro
{quote}

I'm not sure fragments were generated right.  They have Identification=1, 
Fragment Offset=0, the More Fragments bit set, but with different data (i.e. 
all fragments overlap).  Unless there's suggestions, I'm not sure what more can 
be done.
                
> Issues fragmented packets and BRO
> ---------------------------------
>
>                 Key: BIT-1062
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1062
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.1
>         Environment: Ubuntu/Debian
>            Reporter: john blaze
>         Attachments: fraggy_out_EVILSTUFF, more_frag.pcap
>
>
> I was doing some testing with fragmented attacks trying to bypass IDS sensors 
> and noticed that BRO does not identify/populate the SRC & DST IP's in the 
> weird log and other fields such as the URI in the http.log when doing stuff 
> like:
> >>> f=fragment(IP(dst="80.69.77.211")/ICMP()/("X"*50), fragsize=10)
> >>> for frag in f:
> ...  send(frag)
> 1377062338.222065       -       -       -       -       -       excessively_small_fragment      -       F       bro
> Also, I fragmented a GET /EVILSTUFF HTTP request, and noticed:
> 1377056289.770819       -       -       -       -       -       excessively_small_fragment      -       F       bro
> 1377056289.787032       -       -       -       -       -       fragment_inconsistency  -       F       bro
> 1377056290.141267       iL6Ki3ncjV1     192.168.1.5     17384   192.168.1.16    80      unmatched_HTTP_reply    -       F       bro
> PCAPS are attached.
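The two conditions in the weird log above (a non-final fragment that is too small, and overlapping fragments whose bytes disagree) and Jon's point that a flow-level weird has only hosts but no ports to put in a conn_id can be illustrated with a small fragment tracker. The following is an added example written for this thread, not Bro code and not the reporter's script: `FragmentTracker`, `Fragment`, `WeirdRecord`, the 64-byte small-fragment threshold and the first-seen policy for overlapping data are all assumptions chosen for illustration, and the traffic it replays is constructed to match the report (Identification=1, Fragment Offset=0, MF set, different data in every fragment).

```python
"""Toy IPv4 fragment tracker (added example, not Bro/Zeek source).

It raises the two weird names seen in the report and records them with
hosts only, using 0 as placeholder ports, as suggested in the comment:
a bare IP fragment carries no transport header, so ports are unknown.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: a non-final fragment carrying fewer payload bytes than this
# is reported as excessively small. Bro's real threshold is not on the page.
MIN_NONFINAL_PAYLOAD = 64


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int            # IP Identification field
    offset: int           # byte offset into the original datagram (header field * 8)
    more_fragments: bool  # MF flag
    payload: bytes


@dataclass
class WeirdRecord:
    name: str
    src_h: str
    dst_h: str
    src_p: int = 0        # dummy port: fragments expose hosts but not ports
    dst_p: int = 0


@dataclass
class Datagram:
    bytes_seen: Dict[int, int] = field(default_factory=dict)  # offset -> byte
    total_len: Optional[int] = None                           # known once MF=0 arrives


class FragmentTracker:
    def __init__(self) -> None:
        self.pending: Dict[Tuple[str, str, int], Datagram] = {}
        self.weirds: List[WeirdRecord] = []

    def _weird(self, name: str, frag: Fragment) -> None:
        self.weirds.append(WeirdRecord(name, frag.src, frag.dst))

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Consume one fragment; return the reassembled payload once complete."""
        if frag.more_fragments and len(frag.payload) < MIN_NONFINAL_PAYLOAD:
            self._weird("excessively_small_fragment", frag)

        key = (frag.src, frag.dst, frag.ident)
        dg = self.pending.setdefault(key, Datagram())

        # Overlap check: a byte already seen at this offset must match.
        # Assumption: first-seen data wins; mismatches are only reported.
        inconsistent = False
        for i, b in enumerate(frag.payload):
            pos = frag.offset + i
            prev = dg.bytes_seen.get(pos)
            if prev is not None and prev != b:
                inconsistent = True
            else:
                dg.bytes_seen[pos] = b
        if inconsistent:
            self._weird("fragment_inconsistency", frag)

        if not frag.more_fragments:
            dg.total_len = frag.offset + len(frag.payload)

        # Complete only when the final fragment is known and no gaps remain.
        if dg.total_len is not None and all(p in dg.bytes_seen for p in range(dg.total_len)):
            data = bytes(dg.bytes_seen[p] for p in range(dg.total_len))
            del self.pending[key]
            return data
        return None


def replay_overlapping_scenario() -> List[str]:
    """Constructed fragments mirroring the report: same Identification, offset 0,
    MF set, differing bytes. Nothing ever reassembles, so no HTTP URI would appear."""
    tracker = FragmentTracker()
    for chunk in (b"GET /A", b"GET /B", b"GET /C"):
        tracker.add(Fragment("192.168.1.5", "192.168.1.16", 1, 0, True, chunk))
    return [w.name for w in tracker.weirds]


def replay_wellformed_scenario() -> Tuple[Optional[bytes], List[str]]:
    """Constructed, correctly fragmented 200-byte datagram delivered out of order."""
    payload = bytes(range(200))
    src, dst = "192.168.1.5", "192.168.1.16"
    frags = [
        Fragment(src, dst, 7, 128, False, payload[128:]),
        Fragment(src, dst, 7, 0, True, payload[:64]),
        Fragment(src, dst, 7, 64, True, payload[64:128]),
    ]
    tracker = FragmentTracker()
    results = [tracker.add(f) for f in frags]
    return results[-1], [w.name for w in tracker.weirds]


if __name__ == "__main__":
    print(replay_overlapping_scenario())
    data, weirds = replay_wellformed_scenario()
    print(len(data or b""), weirds)
```

Every `WeirdRecord` the tracker emits carries both hosts and 0 for both ports, which is the shape the comment proposes for logging flow weirds through a conn_id field; a real implementation would also need an eviction timer for `pending`, which is left out here.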



--
This message was sent by Atlassian JIRA
(v6.1-OD-06-1#6139)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
