Snort mailing list archives
Stream5/6 marking RST as invalid when it shouldn't?
From: Mike Cox <mike.cox52 () gmail com>
Date: Wed, 8 Apr 2015 11:47:27 -0400
I have a situation where Snort (Stream5/6) is marking a RST packet as bad because it thinks the sequence number is invalid. I originally came across this in Stream5 (Snort 2.9.6) but also see it in Stream6 (Snort 2.9.7.2) since that portion of the code is largely unchanged, and I will be providing data from Snort 2.9.7.2 since that is the latest version.

Basically what happens is a session is established and data is sent by the client (which is lost) followed by a FIN (which is received). The lost data has to get re-transmitted and then the server ACKs all the data, including the FIN. The server then sends some data of its own (which doesn't really matter in this case) and the client immediately sends a RST, which Snort marks as invalid. If normalization (STREAM_POLICY_FIRST) and blocking are enabled, this causes the RST packet to be blocked.

In the function ValidRst() in snort_stream_tcp.c, sequence numbers on a RST are validated based on the policy. For STREAM_POLICY_FIRST (as well as STREAM_POLICY_NOACK, STREAM_POLICY_LAST, STREAM_POLICY_MACOS, STREAM_POLICY_WINDOWS, STREAM_POLICY_VISTA, STREAM_POLICY_WINDOWS2K3, STREAM_POLICY_HPUX10, and STREAM_POLICY_IRIX), the sequence number of the RST has to be the same as 'st->r_nxt_ack'. This behavior is based on how those various implementations handle a RST. However, in my situation, as far as I can tell, the sequence number of the RST being sent is as it should be (not to mention it matches the ACK value of the previously received packet(s)), yet Snort is marking it as invalid since I think it gets confused about r_nxt_ack.

I have attached a pcap as well as Snort debug output that helps demonstrate what is going on. Here is a snippet from the Snort output that shows the RST being marked as invalid:

spp_stream6.c:722: In Stream!
snort_stream_tcp.c:5435: Got TCP Packet 0xEF9B24:52136 -> 0xEF9B38:36474 *****R** seq: 0x70 ack:0x0 dsize: 0
TcpDataBlock: seq: 0x00000070 ack: 0x00000000 win: 8192 end: 0x00000070
snort_stream_tcp.c:8312: Stream: Updating on packet from client
snort_stream_tcp.c:8481: Client [talker] state: FIN_WAIT_2
snort_stream_tcp.c:2673: IGNORE
snort_stream_tcp.c:8486: Server state: CLOSE_WAIT(5)
snort_stream_tcp.c:2673: IGNORE
snort_stream_tcp.c:3458: Checking end_seq (70) > r_win_base (70) && seq (70) < r_nxt_ack(200C)
snort_stream_tcp.c:3489: rst is not valid seq (next seq)!
snort_stream_tcp.c:8663: bad sequence number, bailing
snort_stream_tcp.c:5656: Finished Stream TCP cleanly!

The pcap is one I cooked up but it is based on an actual pcap seen in the wild (I can't share the original). Can someone either explain to me why the RST being marked as invalid is in fact invalid, or confirm that this is a bug in Stream5/6? I don't claim to know everything about TCP so please correct me if I'm missing something.

Thank you.

Mike Cox
Attachment: snort_debug_stream6.txt
Attachment: out_of_order.pcap
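The following is an added example and is not part of the post above, nor Snort's own code. It models the exchange the post describes (client data lost, FIN arriving ahead of the retransmission, server ACKing data plus FIN and sending its own data, client RST) with a minimal RFC 793 style receiver that tracks the next expected sequence number and holds out-of-order segments, then applies the rule the post attributes to STREAM_POLICY_FIRST and its siblings: the RST's seq must equal the receiver's next expected seq. All sequence numbers except the RST seq 0x70 are constructed for the example; it says nothing about how Snort actually computes r_nxt_ack, only what a receiver that reassembles the out-of-order FIN correctly would expect.

```python
from dataclasses import dataclass, field

MASK = 0xFFFFFFFF


def seq_lt(a, b):
    """Modular 32-bit 'a < b' as TCP stacks compare sequence numbers."""
    return ((a - b) & MASK) > 0x7FFFFFFF


@dataclass
class Seg:
    src: str            # "client" or "server"
    seq: int
    flags: str          # subset of "SAFR"
    ack: int = 0
    length: int = 0     # payload bytes
    lost: bool = False  # dropped on the wire, never seen by the peer

    @property
    def end(self):
        # SYN and FIN each consume one sequence number (RFC 793).
        return (self.seq + self.length + ('S' in self.flags) + ('F' in self.flags)) & MASK


@dataclass
class Receiver:
    name: str
    rcv_nxt: int                                # next in-order byte expected from the peer
    ooo: dict = field(default_factory=dict)     # seq -> end of held out-of-order segments

    def receive(self, seq, end):
        """Advance rcv_nxt over in-order data; hold segments that leave a gap."""
        if not seq_lt(self.rcv_nxt, end):       # end <= rcv_nxt: nothing new
            return
        if seq_lt(self.rcv_nxt, seq):           # gap before this segment: hold it
            self.ooo[seq] = end
            return
        self.rcv_nxt = end
        progressed = True                       # drain held segments now contiguous
        while progressed:
            progressed = False
            for s, e in list(self.ooo.items()):
                if not seq_lt(self.rcv_nxt, e):
                    del self.ooo[s]             # fully covered already
                elif not seq_lt(self.rcv_nxt, s):
                    self.rcv_nxt = e
                    del self.ooo[s]
                    progressed = True


def rst_valid_first_policy(rcv, rst):
    """Rule the post describes for STREAM_POLICY_FIRST and friends."""
    return rst.seq == rcv.rcv_nxt


# Constructed values; only the RST seq 0x70 comes from the post's debug output.
CLIENT_ISN, SERVER_ISN = 0x0F, 0x1000


def build_exchange():
    return [
        Seg("client", CLIENT_ISN, "S"),
        Seg("server", SERVER_ISN, "SA", ack=CLIENT_ISN + 1),
        Seg("client", CLIENT_ISN + 1, "A", ack=SERVER_ISN + 1),
        Seg("client", 0x10, "A", ack=SERVER_ISN + 1, length=0x5F, lost=True),  # data lost
        Seg("client", 0x6F, "FA", ack=SERVER_ISN + 1),                          # FIN arrives first
        Seg("client", 0x10, "A", ack=SERVER_ISN + 1, length=0x5F),             # retransmission
        Seg("server", SERVER_ISN + 1, "A", ack=0x70, length=0x40),             # ACKs data+FIN, sends data
        Seg("client", 0x70, "R"),                                               # RST, no ACK flag
    ]


def run(segments):
    """Feed each delivered segment to its receiver; evaluate the first RST seen."""
    peers = {"client": Receiver("client", SERVER_ISN), "server": Receiver("server", CLIENT_ISN)}
    result = {"rst_seq": None, "server_rcv_nxt_at_rst": None, "rst_valid": None}
    for seg in segments:
        if seg.lost:
            continue
        dst = peers["server" if seg.src == "client" else "client"]
        if "R" in seg.flags:
            result.update(rst_seq=seg.seq, server_rcv_nxt_at_rst=dst.rcv_nxt,
                          rst_valid=rst_valid_first_policy(dst, seg))
            break
        dst.receive(seg.seq, seg.end)
    return result


if __name__ == "__main__":
    print(run(build_exchange()))
    stale = build_exchange()[:-1] + [Seg("client", 0x6F, "R")]   # RST one byte behind
    print(run(stale))
```

With the FIN held until the retransmitted data fills the gap, the server's next expected seq at the time of the RST is 0x70, which is exactly the RST's seq (and the server's last ACK), so the "seq == next expected" rule accepts it; the stale variant with seq 0x6F is rejected, showing the rule itself is not the problem in the post's scenario.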
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!