[Bro-Dev] [JIRA] (BIT-1062) Issues fragmented packets and BRO

Seth Hall (JIRA) jira at bro-tracker.atlassian.net
Fri Nov 8 12:12:31 PST 2013


     [ https://bro-tracker.atlassian.net/browse/BIT-1062?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1062:
---------------------------

    Resolution: Won't Fix
        Status: Closed  (was: Open)

We aren't sure these packets are legitimate.

> Issues fragmented packets and BRO
> ---------------------------------
>
>                 Key: BIT-1062
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1062
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.1
>         Environment: Ubuntu/Debian
>            Reporter: john blaze
>         Attachments: fraggy_out_EVILSTUFF, more_frag.pcap
>
>
> I was doing some testing with fragmented attacks trying to bypass IDS sensors and noticed that BRO does not identify/populate the SRC & DST IPs in the weird log and other fields such as the URI in the http.log when doing stuff like:
> >>> f=fragment(IP(dst="80.69.77.211")/ICMP()/("X"*50), fragsize=10)
> >>> for frag in f:
> ...  send(frag)
> 1377062338.222065       -       -       -       -       -       excessively_small_fragment      -       F       bro
> Also, I fragmented a GET /EVILSTUFF HTTP request, and noticed:
> 1377056289.770819       -       -       -       -       -       excessively_small_fragment      -       F       bro
> 1377056289.787032       -       -       -       -       -       fragment_inconsistency  -       F       bro
> 1377056290.141267       iL6Ki3ncjV1     192.168.1.5     17384   192.168.1.16    80      unmatched_HTTP_reply    -       F       bro
> PCAPS are attached.



--
This message was sent by Atlassian JIRA
(v6.2-OD-01#6204)
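A defender-side helper, added here as an illustration and not code from the report or from Bro: it parses the tab-separated Bro 2.1 weird.log records quoted above (column order assumed: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, name, addl, notice, peer), tolerates the "-" unset fields the reporter ran into, and summarises the fragment-related weirds separately from those that do carry connection endpoints. The sample records are the report's own lines, re-typed as constructed tab-separated input.

```python
from collections import Counter
from typing import Dict, Optional

# Assumed Bro 2.1 weird.log column order; "-" marks an unset field.
WEIRD_FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
                "name", "addl", "notice", "peer"]

# Weird names raised by Bro's IP fragment reassembly (both appear in the report).
FRAGMENT_WEIRDS = {"excessively_small_fragment", "fragment_inconsistency"}

# Constructed sample: the report's log lines, re-typed with tab separators.
SAMPLE_LOG = "\n".join([
    "1377062338.222065\t-\t-\t-\t-\t-\texcessively_small_fragment\t-\tF\tbro",
    "1377056289.770819\t-\t-\t-\t-\t-\texcessively_small_fragment\t-\tF\tbro",
    "1377056289.787032\t-\t-\t-\t-\t-\tfragment_inconsistency\t-\tF\tbro",
    "1377056290.141267\tiL6Ki3ncjV1\t192.168.1.5\t17384\t192.168.1.16\t80"
    "\tunmatched_HTTP_reply\t-\tF\tbro",
])

def parse_weird_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one weird.log record; unset "-" fields become None."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(WEIRD_FIELDS):
        return None  # header, comment or malformed line
    return {k: (None if v == "-" else v) for k, v in zip(WEIRD_FIELDS, parts)}

def summarise_fragment_weirds(log_text: str) -> Dict[str, object]:
    """Count fragment weirds and how many lack endpoint addresses.

    Fragment weirds come from the reassembler, not from an established
    connection, so uid and id.* are unset; attributing them to a host
    needs the capture itself (e.g. the attached pcap), not this log alone.
    """
    counts: Counter = Counter()
    without_endpoints = 0
    for raw in log_text.splitlines():
        rec = parse_weird_line(raw)
        if rec is None or rec["name"] not in FRAGMENT_WEIRDS:
            continue
        counts[rec["name"]] += 1
        if rec["orig_h"] is None and rec["resp_h"] is None:
            without_endpoints += 1
    return {"counts": dict(counts), "without_endpoints": without_endpoints,
            "total": sum(counts.values())}
```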
