[25172] in bugtraq


Re: fragroute vs. snort: the tempest in a teacup

daemon@ATHENA.MIT.EDU (Brad Powell)
Fri Apr 19 15:45:08 2002

Message-Id: <200204191558.g3JFweh18383@olympics.Eng.Sun.COM>
Date: Fri, 19 Apr 2002 08:58:40 -0700 (PDT)
From: Brad Powell <Brad.Powell@Sun.COM>
Reply-To: Brad Powell <Brad.Powell@Sun.COM>
To: dugsong@monkey.org, avalon@coombs.anu.edu.au
Cc: dr@dursec.com, bugtraq@securityfocus.com,
        snort-users@lists.sourceforge.net, pen-test@securityfocus.com,
        roesch@sourcefire.com, 0xcafebabe@hushmail.com
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: qWdI38HH11Cii3dE51I3eg==


Darren writes:

> 
> Well then IDS software needs to be smarter.  IMHO it makes little sense
> for an IDS to be *behind* a firewall as it's going to miss out on lots
> of useful data points.  Maybe this means telling your IDS software how
> big your network is so it can make intelligent decisions about how far
> a packet will go based on its TTL.

Actually it depends. Behind the firewall you can set the red flags to be 
very sensitive. Packets that should -never- be there send up big red flags,
and page people because the FW failed.

In front of the FW gives you more info to be sure, but also a lot of noise
that your FW would block anyway.

Depends on if you want to hear the door rattlers (millions of them)
or not.

> IP Fragmentation is rare across the WAN, maybe, but anyone who's used
> NFSv2 knows how common it is on the LAN.

Actually, with load balancing gear frags are more and more prevalent
even on the WAN.

> 
> There are good reasons NOT to do reassembly and I imagine those that do
> not do so because they understand this better than the desire to simply
> add yet another feature which some consider "cool".

True, except if you can't guarantee that you will see the whole packet
through the SAME interface. We tripped over this a few times with SunScreen
doing stateful inspection (a good thing most of the time). Anywhere from
1/2 to more of the traffic was going through a different router and the
Firewall was sitting there holding 1/2 of the packet in a memory buffer
that would never get freed. Eventually you get enough of these that the
network slows down or the FW runs out of memory.

HP-UX was notorious for opening a buffer for frags, and never freeing the
buffer. The easy way to bring HP's to their knees :-)



Brad Powell : HOME: brad@fish.com WORK: brad.powell@Sun.COM
-------------------------------------------------------------------------
The views expressed are those of the author and may not reflect the views
of Sun Microsystems Inc.
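The failure mode described in this thread (a stateful device holding half a datagram in memory because the other half took a different path, until memory runs out) as an added example that is not code from the thread or from SunScreen: a simplified reassembler that bounds fragment state with a hold timeout and a cap on pending sets. The fragment representation, the `(src, dst, proto, ident)` key, the addresses and the scenario in `demo_asymmetric_routing` are all constructed.

```python
import time
from collections import OrderedDict

class FragmentReassembler:
    """Simplified IPv4-style reassembler keyed by (src, dst, proto, ident); fragments are
    (offset in 8-byte units, more-fragments flag, payload). Constructed model, not parsing."""
    def __init__(self, timeout=30.0, max_pending=1000, clock=time.monotonic):
        self.timeout, self.max_pending, self.clock = timeout, max_pending, clock
        # pending: key -> (first_seen, {offset: (more, payload)}); evicted: sets dropped incomplete
        self.pending, self.evicted = OrderedDict(), 0

    def _expire(self, now):
        # Oldest sets sit at the front of the OrderedDict; drop those past the hold time.
        while self.pending and now - next(iter(self.pending.values()))[0] > self.timeout:
            self.pending.popitem(last=False)
            self.evicted += 1

    def add(self, key, offset, more, payload):
        # Store one fragment; return the reassembled payload once complete, else None.
        now = self.clock()
        self._expire(now)
        if key not in self.pending:
            if len(self.pending) >= self.max_pending:  # hard cap: evict the oldest set
                self.pending.popitem(last=False)
                self.evicted += 1
            self.pending[key] = (now, {})
        frags = self.pending[key][1]
        frags[offset] = (more, payload)
        expected, data = 0, bytearray()
        for off in sorted(frags):  # complete only if contiguous from 0 through MF=0
            if off != expected:
                return None        # gap: the missing piece may never arrive
            more_flag, chunk = frags[off]
            data += chunk
            expected = off + (len(chunk) + 7) // 8
            if not more_flag:
                del self.pending[key]
                return bytes(data)
        return None

def demo_asymmetric_routing(n_half=1000, cap=100):
    """Constructed: n_half half-datagrams (other half took another path), one whole one, timeout."""
    now = [0.0]
    r = FragmentReassembler(timeout=30.0, max_pending=cap, clock=lambda: now[0])
    for ident in range(n_half):
        r.add(("10.0.0.1", "10.0.0.2", 17, ident), 0, True, b"A" * 8)
    backlog = len(r.pending)                  # bounded by cap, not by n_half
    r.add(("10.0.0.1", "10.0.0.2", 17, 99999), 0, True, b"B" * 8)
    done = r.add(("10.0.0.1", "10.0.0.2", 17, 99999), 1, False, b"C" * 4)  # completes anyway
    now[0] += 31.0                            # hold timeout passes
    r.add(("10.0.0.3", "10.0.0.2", 17, 1), 0, True, b"D" * 8)
    return backlog, done, len(r.pending), r.evicted
```

Without the cap and timeout the pending table would hold all 1000 half-datagrams indefinitely; with them, state stays at `cap` entries and stale halves are counted in `evicted` where they can be alerted on.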
