Snort mailing list archives
Re: Tagged Packet
From: Jason Brvenik <jasonb () sourcefire com>
Date: Sun, 22 Jan 2006 10:38:09 -0500
Dirk Geschke wrote:
Hi Joel,The recommendation to disable stream4 is very bad :)jipp, this is really a bad solution. But this will definitively remove the tagged packets...
Not necessarily. Tag is also a rule keyword option and can still produce tagged packets. There are currently two rules that ship by default in the VRT set that use tag. The use of tag is so that you can identify what kind of attack was launched since the exploit packets follow the triggering conditions and there would be no way to know what exploit was launched without the following packets.
Stream4 is not in charge of fragmentation, frag3 is. Stream4 does tcp conversation reconstruction. If you disable Stream4 you will render ALOT of rules totally null and void.You can fragment IP packets on Layer 3, this is reassembled by frag3. But you can also fragment on Layer 4, this is reassembled by stream4 by recreating the full session.
What you say is materially correct but it is not fragmentation. Interchanging the terms tends to confuse people. What is really happening is TCP segmentation and it naturally occurs in certain situations. Most major operating systems and network cards support offloading of the handling of TCP segmentation. Disabling tagged packets would make analysis useless in most cases where those tagged packets appear. You will not have enough data to effectively determine the type and scope of an attack.
Think of telnet, is is not unlikely that every byte is sent by an individual packet. (Before people ask, the "normal" telnet client uses line buffering only on ports unequal to 23.)
This is not really segmentation in that the client is sending data one byte at a time by design and not because the payload would exceed the MSS. In classic segmentation the client sends data, the stack decides if it will pass through unmolested using MSS, and then splits the amount of data into chunks of an appropriate size. One can segment all TCP into 200 byte chunks simply by setting an MTU of 200 for the interface involved. It is important to not confuse MTU and MSS though. MTU is for the local link layer segment and MSS is between the endpoints for all networks a packet traverses. UDP does not have MSS so it is often fragmented at the IP layer by intermediary devices.
To call this fragmentation or to reserve this to IP packets which got fragmented is another question...
Fragmentation only deals with IP packets and can encapsulate any higher level protocol. Segmentation deals with TCP packets and the ability to split a normally larger request into smaller TCP segments to obtain maximum MSS efficiency. All of these things can be abused in security so disabling frag or stream handling would be far less than ideal. A decent overview of this process is available here http://www.citap.com/documents/tcp-ip/tcpip012.htm
Best regards Dirk
please excuse all just woke up and have had no coffee moments in the reading of this mail.
------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Tagged Packet marco turr (Jan 21)
- Re: Tagged Packet Dirk Geschke (Jan 21)
- Re: Tagged Packet marco turr (Jan 21)
- Re: Tagged Packet Jason (Jan 21)
- Re: Tagged Packet Dirk Geschke (Jan 22)
- Re: Tagged Packet Joel Esler (Jan 22)
- Re: Tagged Packet Dirk Geschke (Jan 22)
- Re: Tagged Packet Jason Brvenik (Jan 22)
- Re: Tagged Packet Dirk Geschke (Jan 22)
- Re: Tagged Packet Jason Brvenik (Jan 22)
- Re: Tagged Packet Dirk Geschke (Jan 23)
- Re: Tagged Packet marco turr (Jan 21)
- Re: Tagged Packet Dirk Geschke (Jan 21)