Snort mailing list archives

Re: Snort Evasion?


From: Martin Roesch <roesch () sourcefire com>
Date: Sun, 17 Mar 2002 20:08:51 -0500

Hi Rob,
     You're almost right.  When the sequence number rolls over *and* the
starting (base) sequence = 0 for *this flush*, stream4 will ignore it because
it doesn't have PAWS built in (well, it probably will by the end of
tonight).  From the code:

    if(s->last_ack == 0 ||
       s->base_seq == 0 ||
       (s->last_ack < s->base_seq) ||
       (s->last_ack - s->base_seq > 65535))
    {
        /* yeah, I know this is lame, we'll fix it */
        DeleteSpd(s->dataPtr, gotevent);
        return;
    }

See, I even say it's lame in the comments. :)  To really resolve this
requires us to do a lot more TCP options processing in stream4, which we are
now working on.

It should be noted that this only works for the current segment set, once
the flush happens it'll pick back up on the stream data.  You can evade it,
but only until the flush point is hit.  I suppose a simple hack of a fix
(without implementing full PAWS) is to flush when the rollover is detected
automatically and keep the pre-rollover segment and reflush that one when
the next flush point is hit.  This would be similar to the behavior that was
implemented for segments that aren't fully ACK'd when they get flushed...

     -Marty


On 3/17/02 5:28 PM, "IDS Expect" <robertgoldman2000 () yahoo com> wrote:

Hi,

I have been examining the snort 1.8.4 source code and
I think I found a very simple way to evade Snort if
and when stream4 is in use.

It seems like in spp_stream4.c, FlushStream() will
ignore all packets if base_seq is zero. Well, base_seq
is set to the sequence number of the first data byte.
What if the attacker initializes her TCP connection's
sequence number to 0xffffffff. This will make base_seq
zero and Snort will further ignore any data on this
connection.

Am I right?
--rob 



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- 
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


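As an added example for this thread (not code from Snort and not the PAWS work Marty mentions), here is the quoted FlushStream() condition lifted into a function beside a hardened variant that treats sequence 0 as an ordinary value and compares modulo 2^32 so a rollover is not mistaken for a stale ACK. The function names, the explicit have_base flag and the seq_lt helper are my own; MAX_FLUSH_SPAN is the 65535 from the quoted check.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Largest byte span stream4 will reassemble per flush (the 65535 in the quoted check). */
#define MAX_FLUSH_SPAN 65535u

/* The quoted stream4 condition, lifted into a function (hypothetical name).
 * Returns true when the segment set would be deleted. Because 0 doubles as
 * the "unset" sentinel, a stream whose first data byte is at sequence 0
 * (ISN 0xffffffff) is discarded on every flush. */
bool discard_original(uint32_t last_ack, uint32_t base_seq)
{
    return last_ack == 0 ||
           base_seq == 0 ||
           (last_ack < base_seq) ||
           (last_ack - base_seq > MAX_FLUSH_SPAN);
}

/* RFC 793 style modulo-2^32 comparison: true when a precedes b in sequence space. */
static inline bool seq_lt(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) < 0;
}

/* Hardened variant (assumption, not Snort's actual fix): "no base yet" is an
 * explicit flag, 0 is an ordinary sequence number, and the ordering and span
 * tests wrap correctly, so a rollover is not mistaken for a stale ACK. */
bool discard_fixed(uint32_t last_ack, uint32_t base_seq, bool have_base)
{
    if (!have_base)
        return true;                 /* nothing buffered for this flush yet */
    if (seq_lt(last_ack, base_seq))
        return true;                 /* peer has not ACKed into our window */
    return (uint32_t)(last_ack - base_seq) > MAX_FLUSH_SPAN;
}

int main(void)
{
    /* Constructed case from the thread: ISN 0xffffffff, first data byte at 0,
     * peer has ACKed 1000 bytes. */
    printf("base_seq=0:   original=%d fixed=%d\n",
           discard_original(1000, 0), discard_fixed(1000, 0, true));
    /* Constructed rollover mid-stream: base just below the wrap, ACK just above it. */
    printf("wrap:         original=%d fixed=%d\n",
           discard_original(0x10, 0xfffffff0), discard_fixed(0x10, 0xfffffff0, true));
    return 0;
}
```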

