I've just made Snort 1.8.7beta1 available at
http://www.snort.org/dl/beta/snort-1.8.7beta1.tar.gz.
This should correct the issues that fragroute induces.
I want to thank Andrea Barisani, Joe McAlerney, and Peter Johnson for
feedback on on the commits I've done over the past few days. I'm
On 4/17/02 9:49 PM, Vern Paxson [EMAIL PROTECTED] wrote:
The TCP evasions are fairly easily detectable as overlaps should not
normally occur.
See the Bro paper - Bro has detected this possible evasion for many years
now, and in fact we do see overlaps operationally, and unfortunately
[EMAIL PROTECTED] [EMAIL PROTECTED] spoke:
On Wed, 17 Apr 2002 04:07:31 +, Dragos Ruiu [EMAIL PROTECTED] wrote:
Basically all the chaffing at the IP and TCP level is detectable as those
should not be normal conditions. Look to snort cvs over the next few days
for solutions to these
First of all I would like to commend Dug on his responsible disclosure
stance. He has given the IDS vendors several months heads up that this
stuff is in the pipe...
(Months? My copy of fragrouter, which I got off the net, is more than
two years old.)
The TCP evasions are fairly easily
Tiny frags do happen, but I've rarely see them outside of live
attacks. Then again, I don't hang on .edu networks very much... ;)
I was, until very recently (24hrs ago), behind a link with MTU 1400.
I regularly saw tiny fragments; they happened whenever anyone who
wasn't trying to do PMTU-D
Given your history in the industry, what is your impression of the
average lag time between a virus being released into the wild and a
fingerprint update being available from a vendor ? Is it days, weeks
or months ? Also, what's the average interval in updates for anti-
virus software users ?
I didn't see it posted to these lists, but yesterday Dug Song quietly released a tool
on the focus-ids list which totally blindsides Snort -
http://www.monkey.org/~dugsong/fragroute/index.html. His README.snort file contains
several fragroute scripts which blindside even the current Snort
Heh, well... first... don't panic. :-)
First of all I would like to commend Dug on his responsible disclosure stance.
He has given the IDS vendors several months heads up that this stuff is in the
pipe... I think everyone who needed to know knew this was coming down the pipe,
so this is in
]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
;Subject: Re: Snort exploits
;Heh, well... first... don't panic. :-)
;I was actually expecting him to release fragroute on the CanSecWest
conference CD,
;for his talk on it there and am preparing some appropriate counter measures
for the
;variant of snort I