Snort mailing list archives

Re: flow_depth and WMF exploit


From: Frank Knobbe <frank () knobbe us>
Date: Wed, 04 Jan 2006 18:29:47 -0600

On Wed, 2006-01-04 at 12:33 +1300, Jason Haar wrote:
> The "fix" is to set flow_depth to zero - which apparently will/might
> effectively DoS your IDS on a busy network. So it's not much of a fix.
> Also, I get the impression flow_depth only ever looks at the first packet?

Hi Jason,

here is an excerpt from README.http_inspect:
---8<---
* flow_depth [integer] *
[...]
This value can be set from -1 to 1460. A value of -1 causes Snort
to ignore all server side traffic for ports defined in "ports."
Inversely, a value of 0 causes Snort to inspect all HTTP server
payloads defined in "ports" (note that this will likely slow down IDS
performance).  Values above 0 tell Snort the number of bytes to
inspect in the first packet of the server response.
--->8---

I'm not quite sure how to read that, but from the performance collapse
of flow_depth 0, I think 0 truly means ALL packets (or all data in the
stream). I don't think 0 means 1460. As such, there is probably no
limit.

But you can inspect only, say two packets. It's either the max of one,
or all data. (someone please correct me where I'm wrong).

> Is that the case, and if so, are there better ways of doing it? Reading
> returned HTTP data seems to me to be rather a necessary act for an IDS...

Heh... it would certainly help ;)   There were several rules that
people wrote to detect content on web pages. With the default settings,
Snort would never get to that content. It would evaluate 300 bytes,
which covers the header, and providing there are no massive cookies set,
part of the web page. Usually that part is <html><head>, scripts and
stuff, but by the time you reach <body>, you are most likely past the
300 bytes.

So all rules trying to detect stuff like "terrorist" on a web page would
never fire (unless terrorist is in a meta-tag way on top of the html
content... ;)

It's a bit of a concern, but an IDS is an Intrusion Detection System, not
a web filter :)  We should probably use screening web proxies for that
purpose.

Having said that, the two largest vectors for intrusions are currently
web and email content, which are very hard to inspect properly with
Snort. At the end of the day, Snort will probably remain to detect
intrusions after they happened, not while they are happening (meaning,
watching the HTTP or SMTP content).

However, I still like to be able to see gzipped HTTP content. :)

To really make use of Snort for detection of web based threats, we
probably need to deploy dedicated sensors for those and configure them
accordingly (i.e. web-response-only rules, flow_depth 0).

Unfortunately, these facts are not often discussed (though they appear
to be documented).

Cheers,
Frank



-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

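The following is an added example, not part of the thread or of Snort itself: a small model of the flow_depth semantics quoted above from README.http_inspect (-1 ignores the server side, 0 inspects everything, N>0 inspects only the first N bytes of the first response packet). It uses a constructed HTTP response to show why a content rule looking for a word inside `<body>` never fires at the 300-byte default the reply mentions, but does fire with flow_depth 0. The segmentation into TCP packets and the response itself are assumptions made for the demonstration.

```python
# Added example: simplified model of http_inspect's flow_depth, written to
# illustrate the thread's point. Not Snort's actual code.

def inspected_bytes(packets, flow_depth):
    """Return the server-response bytes that rule matching would see.

    packets    -- list of bytes objects, one per TCP segment of the response
    flow_depth -- -1: ignore all server traffic
                   0: inspect all server payload in the stream
                   1..1460: inspect only that many bytes of the FIRST packet
    """
    if flow_depth == -1:
        return b""
    if flow_depth == 0:
        return b"".join(packets)
    if not 0 < flow_depth <= 1460:
        raise ValueError("flow_depth must be between -1 and 1460")
    return packets[0][:flow_depth] if packets else b""


def rule_would_fire(packets, flow_depth, content):
    """True if a plain content match on `content` could succeed."""
    return content in inspected_bytes(packets, flow_depth)


# Constructed sample response (assumption): ~100 bytes of headers, a padded
# <head> with a script block, then the keyword deep inside <body>.
HEADERS = (b"HTTP/1.1 200 OK\r\n"
           b"Date: Wed, 04 Jan 2006 18:29:47 -0600\r\n"
           b"Server: Apache\r\n"
           b"Content-Type: text/html\r\n\r\n")
HTML = (b"<html><head><title>Example</title>"
        b"<script>" + b"x" * 200 + b"</script></head>"
        b"<body>This page mentions terrorist.</body></html>")
RESPONSE = HEADERS + HTML

# Split into two segments so the keyword lands in the second packet;
# any N>0 depth only ever looks at the first segment.
PACKETS = [RESPONSE[:350], RESPONSE[350:]]

DEFAULT_FLOW_DEPTH = 300  # the default the thread refers to


def keyword_offset(content=b"terrorist"):
    """Byte offset of the keyword in the full response (for the reader)."""
    return RESPONSE.find(content)


if __name__ == "__main__":
    for depth in (-1, DEFAULT_FLOW_DEPTH, 1460, 0):
        print(depth, rule_would_fire(PACKETS, depth, b"terrorist"))
```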

