[Bro-Dev] [JIRA] (BIT-1062) Issues fragmented packets and BRO

john blaze (JIRA) jira at bro-tracker.atlassian.net
Wed Aug 21 10:22:31 PDT 2013


john blaze created BIT-1062:
-------------------------------

             Summary: Issues fragmented packets and BRO
                 Key: BIT-1062
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1062
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.1
         Environment: Ubuntu/Debian
            Reporter: john blaze
         Attachments: fraggy_out_EVILSTUFF, more_frag.pcap

I was doing some testing with fragmented attacks trying to bypass IDS sensors and noticed that BRO does not identify/populate the SRC & DST IPs in the weird log and other fields such as the URI in the http.log when doing stuff like:

>>> f=fragment(IP(dst="80.69.77.211")/ICMP()/("X"*50), fragsize=10)
>>> for frag in f:
...  send(frag)


1377062338.222065       -       -       -       -       -       excessively_small_fragment      -       F       bro


Also, I fragmented a GET /EVILSTUFF HTTP request, and noticed:

1377056289.770819       -       -       -       -       -       excessively_small_fragment      -       F       bro
1377056289.787032       -       -       -       -       -       fragment_inconsistency  -       F       bro
1377056290.141267       iL6Ki3ncjV1     192.168.1.5     17384   192.168.1.16    80      unmatched_HTTP_reply    -       F       bro

PCAPS are attached.
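The weird.log rows quoted above show the practical problem for an analyst: the fragment-related weirds carry no connection identifiers, so the log alone cannot say who sent the fragments. The following is an added example (not part of the report or of Bro itself) that parses such rows, counts weird names, and flags fragment-related entries that arrived with no source/destination address; it assumes the default Bro 2.x weird.log column order and uses the three rows from the report as constructed sample input.

```python
"""Parse Bro 2.x weird.log rows and flag fragment weirds that lack endpoint attribution."""
from collections import Counter

# Assumed default Bro 2.x weird.log column order (tab-separated); "-" marks an unset field.
WEIRD_FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
                "name", "addl", "notice", "peer")

# Weird names for IP fragment reassembly problems, as seen in the report's log excerpts.
FRAGMENT_WEIRDS = {"excessively_small_fragment", "fragment_inconsistency"}


def parse_weird_line(line):
    """Split one weird.log row into a dict, mapping the "-" placeholder to None."""
    cols = line.rstrip("\n").split("\t")
    if len(cols) != len(WEIRD_FIELDS):
        raise ValueError("expected %d columns, got %d" % (len(WEIRD_FIELDS), len(cols)))
    return {key: (None if val == "-" else val) for key, val in zip(WEIRD_FIELDS, cols)}


def summarize(lines):
    """Return (count of rows per weird name, fragment-weird rows with no src/dst address).

    The second list is what an analyst has to pivot on elsewhere (e.g. the pcap),
    because these rows give no originator or responder to search for.
    """
    counts = Counter()
    unattributed = []
    for line in lines:
        if not line.strip() or line.startswith("#"):  # skip blanks and header lines
            continue
        row = parse_weird_line(line)
        counts[row["name"]] += 1
        if row["name"] in FRAGMENT_WEIRDS and row["orig_h"] is None and row["resp_h"] is None:
            unattributed.append(row)
    return counts, unattributed


# Constructed sample: the rows quoted in the report, with tab separators restored.
SAMPLE_ROWS = [
    "1377062338.222065\t-\t-\t-\t-\t-\texcessively_small_fragment\t-\tF\tbro",
    "1377056289.770819\t-\t-\t-\t-\t-\texcessively_small_fragment\t-\tF\tbro",
    "1377056289.787032\t-\t-\t-\t-\t-\tfragment_inconsistency\t-\tF\tbro",
    "1377056290.141267\tiL6Ki3ncjV1\t192.168.1.5\t17384\t192.168.1.16\t80"
    "\tunmatched_HTTP_reply\t-\tF\tbro",
]

if __name__ == "__main__":
    by_name, blind = summarize(SAMPLE_ROWS)
    for name, n in sorted(by_name.items()):
        print("%-28s %d" % (name, n))
    print("%d fragment weird(s) with no src/dst address" % len(blind))
```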
