Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Tagged Packet

from [Jason Brvenik] Network Security [Permanent Link]
Subject: Re: [Snort-users] Tagged Packet
Date: Sun, 22 Jan 2006 10:38:09 -0500 


Dirk Geschke wrote:

Hi Joel,



The recommendation to disable stream4 is very bad :)



jipp, this is really a bad solution. But this will definitively
remove the tagged packets...


Not necessarily. Tag is also a rule keyword option and can still produce
tagged packets. There are currently two rules that ship by default in
the VRT set that use tag. The use of tag is so that you can identify
what kind of attack was launched since the exploit packets follow the
triggering conditions and there would be no way to know what exploit was
launched without the following packets.





Stream4 is not in charge of fragmentation, frag3 is.  Stream4 does  
tcp conversation reconstruction.  If you disable Stream4 you will  
render ALOT of rules totally null and void.



You can fragment IP packets on Layer 3, this is reassembled by frag3.
But you can also fragment on Layer 4, this is reassembled by stream4
by recreating the full session.


What you say is materially correct but it is not fragmentation.
Interchanging the terms tends to confuse people. What is really
happening is TCP segmentation and it naturally occurs in certain
situations. Most major operating systems and network cards support
offloading of the handling of TCP segmentation.

Disabling tagged packets would make analysis useless in most cases where
those tagged packets appear. You will not have enough data to
effectively determine the type and scope of an attack.



Think of telnet, is is not unlikely that every byte is sent by an
individual packet. (Before people ask, the "normal" telnet client
uses line buffering only on ports unequal to 23.)


This is not really segmentation in that the client is sending data one
byte at a time by design and not because the payload would exceed the
MSS. In classic segmentation the client sends data, the stack decides if
it will pass through unmolested using MSS, and then splits the amount of
data into chunks of an appropriate size. One can segment all TCP into
200 byte chunks simply by setting an MTU of 200 for the interface
involved. It is important to not confuse MTU and MSS though. MTU is for
the local link layer segment and MSS is between the endpoints for all
networks a packet traverses. UDP does not have MSS so it is often
fragmented at the IP layer by intermediary devices.



To call this fragmentation or to reserve this to IP packets which 
got fragmented is another question...


Fragmentation only deals with IP packets and can encapsulate any higher
level protocol. Segmentation deals with TCP packets and the ability to
split a normally larger request into smaller TCP segments to obtain
maximum MSS efficiency. All of these things can be abused in security so
disabling frag or stream handling would be far less than ideal.

A decent overview of this process is available here

http://www.citap.com/documents/tcp-ip/tcpip012.htm



Best regards

Dirk



please excuse all just woke up and have had no coffee moments in the
reading of this mail.



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Tagged Packet, Dirk Geschke
Next by Date:  Re: [Snort-users] Tagged Packet, Dirk Geschke
Previous by Thread:  Re: [Snort-users] Tagged Packet, Dirk Geschke
Next by Thread:  Re: [Snort-users] Tagged Packet, Dirk Geschke
Indexes:  [Date] [Thread] [Top] [All Lists]