Snort mailing list archives
Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie!
From: Matt Olney <molney () sourcefire com>
Date: Tue, 1 Dec 2009 15:53:18 -0500
Howdy all,

First, as I'm not subscribed to the Emerging-sigs list, I'm not certain if this will make it there; if someone would be so kind as to forward it, I would be grateful.

I'd like to close the loop a little on the "4-way handshake" problem. We did some preliminary investigation into this and found that it was possible to bypass rules using this. The VRT did the initial testing and the case was then passed to the Snort team. Their testing revealed a config change that would ensure that the snort rules would alert properly in the face of a malicious server implementing a 4-way capable stack.

The modification is to add the following value to your "preprocessor stream5_tcp:" line:

    require_3whs

To be clear, in the testing I'm going to show below, here are my values:

    (failed test)
    preprocessor stream5_tcp: policy first, use_static_footprint_sizes

    (passed test)
    preprocessor stream5_tcp: policy first, use_static_footprint_sizes, require_3whs

Here is the rules file I used to test:

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Get with http_inspect method check"; flow: to_server, established; content:"GET"; http_method; sid: 3;)
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Get with standard content match and flow check"; flow: to_server, established; content:"GET"; http_method; sid: 4;)
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Get with standard content match and no flow check"; content:"GET"; sid: 6;)

Here is the output I ran, failed tests first (using the fake.pcap from http://malforge.com/node/20):

    Snort Test Suite v.0.3.0
    Alerts:
    1:6:0 Get with standard content match and no flow check
    Alerts: 1

In this case, we only alerted on the standard content match without flow enforcement. This indicates that stream5 has incorrectly interpreted the stream. Remember that both the flow keywords, as well as the http_method modifier, require stream5 to have properly marked a stream in order to function.

Here are the tests after I added the require_3whs:

    Snort Test Suite v.0.3.0
    Alerts:
    1:3:0 Get with http_inspect method check
    Alerts: 1
    1:4:0 Get with standard content match and flow check
    Alerts: 1
    1:6:0 Get with standard content match and no flow check
    Alerts: 1

We now correctly alert on checks in both the http_inspect preprocessor and the flow direction.

I'll put together a blog post, but since this issue was discussed here, I wanted to drop the information so you had our answer.

Matt
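The post's fix depends on the stream tracker only marking a session "established" after a real SYN / SYN-ACK / ACK exchange. The following is an added example, not code from the post, from the VRT or from Snort: a small classifier that walks the first packets of each session in a capture and reports which ones did not open with a standard three-way handshake, so an analyst can pull those sessions out and replay them against the sensor with and without require_3whs, the way the post does. The packet sequences are constructed samples with label-only endpoints, and the shape assumed for the 4-way opening (client SYN, bare SYN from the server, client SYN-ACK, then an ACK or SYN-ACK from the server, as in the RFC 793 simultaneous open) is an assumption, not something the post spells out.

```python
"""Classify TCP session openings from the flag sequence of the first packets.

Added example for this thread; not code from the original post, from the
Sourcefire VRT or from Snort. Packet sequences below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Pkt:
    src: str    # endpoint label (constructed, not a real host)
    dst: str
    flags: int  # TCP flag bits


def _is(p: Pkt, want: int) -> bool:
    """True when the SYN/ACK bits of p are exactly `want`."""
    return (p.flags & (SYN | ACK)) == want


def classify_open(pkts: List[Pkt]) -> str:
    """Return 'three_way', 'four_way', 'midstream' or 'incomplete'.

    three_way : SYN from A, SYN|ACK from B, ACK from A (the only opening a
                tracker configured with require_3whs treats as a session).
    four_way  : SYN from A answered by a bare SYN from B (the server that
                'lies' about the handshake), then SYN|ACK from A and a packet
                with ACK set from B (plain ACK or SYN|ACK; assumed shape).
    midstream : the first packet seen carries no bare SYN, so the opening
                was missed and the session was picked up late.
    incomplete: a SYN was seen but the exchange never finished.
    """
    if not pkts:
        return "incomplete"
    first = pkts[0]
    if not _is(first, SYN):
        return "midstream"
    client, server = first.src, first.dst
    # Only packets between the two endpoints that started the session count.
    rest = [p for p in pkts[1:] if {p.src, p.dst} == {client, server}]
    seq = [(p.src, p.flags & (SYN | ACK)) for p in rest]

    # Standard opening: SYN|ACK back from the server, ACK from the client.
    if seq[:2] == [(server, SYN | ACK), (client, ACK)]:
        return "three_way"
    # Simultaneous-open style: the server answers with its own SYN.
    if (len(seq) >= 3
            and seq[:2] == [(server, SYN), (client, SYN | ACK)]
            and seq[2][0] == server and seq[2][1] & ACK):
        return "four_way"
    return "incomplete"


def flag_suspicious_openings(sessions: Dict[str, List[Pkt]]) -> Dict[str, str]:
    """Map session name -> opening kind for every session that did not open
    with a clean three-way handshake. This is the triage list to replay
    against the IDS before and after adding require_3whs."""
    result = {}
    for name, pkts in sessions.items():
        kind = classify_open(pkts)
        if kind != "three_way":
            result[name] = kind
    return result


# Constructed sample sessions (labels only; no real addresses or payloads).
SAMPLE_SESSIONS = {
    "normal": [
        Pkt("client", "server", SYN),
        Pkt("server", "client", SYN | ACK),
        Pkt("client", "server", ACK),
        Pkt("client", "server", ACK),   # would carry the "GET ..." request
    ],
    "portal": [
        Pkt("client", "server", SYN),
        Pkt("server", "client", SYN),   # bare SYN instead of SYN|ACK
        Pkt("client", "server", SYN | ACK),
        Pkt("server", "client", ACK),
        Pkt("client", "server", ACK),   # would carry the "GET ..." request
    ],
    "picked_up_late": [
        Pkt("client", "server", ACK),   # capture started after the opening
    ],
}

if __name__ == "__main__":
    for name, kind in flag_suspicious_openings(SAMPLE_SESSIONS).items():
        print(f"{name}: {kind}")
```

Any session the triage list reports as four_way is one where a flow:established rule is only as reliable as the tracker's handshake policy, which is exactly the gap the require_3whs setting closes in the post's test.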