Snort mailing list archives

TCP urgent data causes HTTPInspect to fail and prevents PAF from flushing


From: hey <dnanar () gmail com>
Date: Tue, 13 Dec 2016 06:14:22 +0200

Hi,


While doing some testing with Snort, I noticed that Stream with PAF sends
the urgent data part of a TCP segment to the HTTPInspect finite state machine.

For example, if the urgent pointer is set to 1 and if the urgent data is
"odd" (e.g. 0x00) HTTPInspect will fail and flushing won't happen as
desired; but if urgent data is "ok" (e.g. 0x41 'A') flushing will be fine.

This is a bit problematic with some configurations that ignore urgent data
(AFAIK at least Apache on top of Linux does that). If Snort is inline and
we want to drop the malicious packet, flushing will only happen when
Snort sees a RST packet (thus we just see a Snort alert later, and the
malicious packet has not been dropped).


It wouldn't be too complicated to make HTTPInspect skip the urgent data, or
to add a new HTTPInspect configuration option to choose whether or not to skip
the data. I'm curious to know why it hasn't been done (or whether I misunderstood
something).

On a broader scope, I'm interested in how Snort deals with urgent data. Is
there any particular technique/configuration recommendation? I'm aware of
papers such as [1] and [2], but I'm curious to know if there is anything
that goes deeper on the URG flag.


Thanks,



[1] Novak, Judy, and Steve Sturges. "Target-Based TCP Stream Reassembly."
[2] Novak, Judy, and Steve Sturges. "Target-Based TCP Timestamp Stream Reassembly."
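The discrepancy described in the post, as an added example that is not part of the original message or of Snort's code: a constructed TCP segment carries an HTTP request whose first payload byte is urgent (URG set, urgent pointer = 1). The example models two consumers of the same segment. The "receiver" view assumes the RFC 1122 / Linux-default reading of the urgent pointer (it addresses the last urgent byte, so urg_ptr=1 marks payload[0]) and a socket with SO_OOBINLINE off, which delivers that byte out of band and removes it from the in-band stream; the "inspector" view feeds every payload byte to its parser. The regex request-line check stands in for an HTTP parser and is not HTTPInspect's logic; the ports, sequence numbers and request bytes are constructed sample input.

```python
import re
import struct

# TCP flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_segment(src_port, dst_port, seq, ack, flags, urg_ptr, payload):
    """Build a minimal 20-byte TCP header (no options, checksum left 0) plus payload."""
    offset_flags = (5 << 12) | (flags & 0x1FF)
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         offset_flags, 65535, 0, urg_ptr)
    return header + payload


def parse_tcp_segment(segment):
    """Split a raw TCP segment into the header fields we need and its payload."""
    sp, dp, seq, ack, offset_flags, win, csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (offset_flags >> 12) * 4
    return {"seq": seq, "flags": offset_flags & 0x1FF, "urg_ptr": urg_ptr,
            "payload": segment[data_offset:]}


def urgent_byte_index(flags, urg_ptr, payload_len):
    """Index of the urgent byte within the payload, or None if there is none.

    Assumption: RFC 1122 / Linux-default (tcp_stdurg=0) interpretation, where the
    urgent pointer addresses the last byte of urgent data, so urg_ptr=1 marks
    payload[0]. A pointer past the end of this segment is ignored here.
    """
    if not (flags & URG) or urg_ptr == 0 or urg_ptr > payload_len:
        return None
    return urg_ptr - 1


def application_view(seg, strip_urgent):
    """Bytes a consumer reads from this segment.

    strip_urgent=True models a receiver with SO_OOBINLINE off (assumed Linux
    behaviour): the urgent byte goes out of band and is removed from the stream.
    strip_urgent=False models an inspector that hands every payload byte to
    its HTTP parser.
    """
    idx = urgent_byte_index(seg["flags"], seg["urg_ptr"], len(seg["payload"]))
    if idx is None or not strip_urgent:
        return seg["payload"]
    return seg["payload"][:idx] + seg["payload"][idx + 1:]


# Stand-in for an HTTP request-line parser (not HTTPInspect's own logic).
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def http_request_line(data):
    """Return the method if data starts with a well-formed HTTP/1.x request line."""
    m = REQUEST_LINE.match(data)
    return m.group(1).decode() if m else None


def compare_views(segment):
    """Parse the same segment as the receiver and as the inspector would see it."""
    seg = parse_tcp_segment(segment)
    receiver = application_view(seg, strip_urgent=True)
    inspector = application_view(seg, strip_urgent=False)
    return {
        "receiver_method": http_request_line(receiver),
        "inspector_method": http_request_line(inspector),
        "views_differ": receiver != inspector,
    }


# Constructed sample request; the first payload byte will be the urgent one.
REQUEST = b"GET /cgi-bin/target HTTP/1.1\r\nHost: example.test\r\n\r\n"


def sample_segment(urgent_byte):
    """Segment with URG set and urg_ptr=1, so `urgent_byte` is payload[0]."""
    return build_tcp_segment(40000, 80, 1000, 2000, URG | PSH | ACK, 1,
                             urgent_byte + REQUEST)


if __name__ == "__main__":
    for label, byte in (("odd urgent byte 0x00", b"\x00"),
                        ("ok urgent byte 0x41", b"A")):
        print(label, compare_views(sample_segment(byte)))
```

With the "odd" urgent byte the receiver still parses a clean GET while the inspector's parser sees a NUL first and fails; with the "ok" byte both parsers succeed, but the inspector reads the method as AGET rather than GET, so the two views of the stream still diverge.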
Snort-devel mailing list
https://lists.sourceforge.net/lists/listinfo/snort-devel