Evasion tool puts Snort's nose out of joint

by James Middleton

17 Apr 2002

The darling of the intrusion detection system (IDS) industry had its nose put out of joint yesterday when a security developer released an evasion tool capable of undermining it.

The open source project Snort has been heralded as one of the most flexible IDS offerings, comparing well with commercial alternatives.

But the release of a security testing tool on Security Focus' IDS Focus mailing list yesterday may have opened up a method of sneaking past Snort.

Developer Dug Song yesterday released Fragroute, a tool which claims to "intercept, modify and rewrite outbound traffic destined for a specified host, implementing most of the attacks described in the Secure Networks Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection paper".

Song explained that the tool uses a simple rule set language to "delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route and otherwise monkey around with all outbound packets destined for a target host".

He said that the tool was "written in good faith to aid in the testing of network intrusion detection systems, firewalls and basic TCP/IP stack behaviour. Please do not abuse this software." But, as is the case with such tools, it may only be a matter of time before evil hackers are using it.

Another reader on the IDS Focus list said that Fragroute could be used to "totally blindside" Snort.

"The Readme.snort file contains several Fragroute scripts which blindside even the current Snort version, tested on RedHat 7.2. For example, the latest wu-ftpd exploits don't trigger any Snort alerts at all," he said.

According to reports, Fragroute can be a "very powerful" tool, but its effectiveness may not just be limited to Snort. It could potentially be used to test, and therefore attack, other IDS systems.

More info on Fragroute can be found here.
