Snort mailing list archives
Evasion Due to Multiple Instances of SPAN Traffic
From: "Benjamin Small" <benjamin.small83 () gmail com>
Date: Thu, 28 Jun 2007 16:16:54 -0400
Hello,

While working with Snort 2.6.1.5 I noticed a situation where snort was inadvertently being evaded. I have narrowed the root cause down to the stream4 preprocessor. When reassembling both to_client and to_server streams, it appears that duplicating certain packets causes snort to miss an attack.

I demonstrate this in an attack where I attempt an /etc/passwd grab. None of the attacker's packets are duplicated, but I send three instances of the first response from the server containing a payload (and only the first packet with payload seems to matter). Oddly enough, if you read the pcap as a file "snort -r evaded.pcap", Snort fires. However, if snort is reading this traffic from an interface it misses the attack. To test this I used tcpreplay on a separate host.

This becomes a potential problem in IDS setups where traffic is being SPAN'd to a monitoring interface more than once. Since this can potentially cause every attack against an application that utilizes TCP to be missed, I wanted to bring this to the community's attention. This is more common in environments where complex SPAN sessions are used to relay data from multiple sources to an IDS for monitoring.

I am attaching a pcap and the configuration used in my test. Disabling the stream4 preprocessor or setting the "noinspect" option prevents the IDS from missing the attack.

The pcap contains a series of 12 unique packets. The 8th unique packet is replicated twice, resulting in three instances of the initial response from the webserver after the attempted /etc/passwd grab. I only replicated this packet since, after trying different variations of duplicating other packets, it appears this packet was key for missing the attack.

I have attached a spreadsheet containing data surrounding my tests. Each column contains the number of times each packet in the sequence was transmitted.

Regards,
Benjamin Small
Attachments: evaded.pcap, evaded.conf, SnortEvadedSeq.ods
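One check a sensor operator would want after reading this report is whether the monitoring interface really delivers the same segment more than once. The script below is an added example, not code from the post or from Snort: it parses a classic libpcap file (Ethernet/IPv4/TCP only, no pcapng), keys each segment on its 5-tuple, sequence number and payload hash, and reports any key seen more than once, which is exactly what overlapping SPAN sessions produce. The function names (iter_pcap_records, segment_key, count_duplicates) and the sample capture are my own; the sample is constructed to mirror the scenario described above (the server's first data segment delivered three times) and is not the attached evaded.pcap.

```python
"""Count duplicated TCP segments in a libpcap capture.

Hypothetical checker, not part of Snort: it reads a classic libpcap file
(Ethernet / IPv4 / TCP only, no pcapng) and reports segments whose
5-tuple, sequence number and payload appear more than once, which is
what a monitoring interface fed by overlapping SPAN sessions delivers.
"""
import hashlib
import struct
from collections import Counter
from typing import Dict, Iterator, List, Optional, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4  # microsecond-resolution libpcap, little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6

SegmentKey = Tuple[str, int, str, int, int, str]


def iter_pcap_records(data: bytes) -> Iterator[bytes]:
    """Yield each captured frame from a classic libpcap byte string."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap capture")
    off = 24  # global header is 24 bytes
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def segment_key(frame: bytes) -> Optional[SegmentKey]:
    """(src, sport, dst, dport, seq, sha1(payload)) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP:
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    payload = tcp[data_off:]
    return (src, sport, dst, dport, seq, hashlib.sha1(payload).hexdigest())


def count_duplicates(pcap: bytes) -> Dict[SegmentKey, int]:
    """Map each segment seen more than once to the number of copies observed."""
    counts: Counter = Counter()
    for frame in iter_pcap_records(pcap):
        key = segment_key(frame)
        if key is not None:
            counts[key] += 1
    return {key: n for key, n in counts.items() if n > 1}


# --- constructed sample capture (checksums left zero; the checker ignores them) ---

def build_frame(src: str, sport: int, dst: str, dport: int, seq: int, payload: bytes) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame carrying `payload` with PSH|ACK set."""
    eth = b"\x00" * 12 + ETHERTYPE_IPV4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1183061814 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def sample_capture() -> bytes:
    """Constructed capture modelled on the post: the server's first data
    segment is delivered three times, every other segment once."""
    client, server = "10.0.0.5", "10.0.0.80"
    request = build_frame(client, 40001, server, 80, 1000, b"GET / HTTP/1.0\r\n\r\n")
    first = build_frame(server, 80, client, 40001, 5000, b"HTTP/1.1 200 OK\r\n")
    second = build_frame(server, 80, client, 40001, 5017, b"Content-Type: text/plain\r\n\r\n")
    third = build_frame(server, 80, client, 40001, 5045, b"body\r\n")
    return build_pcap([request, first, first, first, second, third])


if __name__ == "__main__":
    for (src, sport, dst, dport, seq, _digest), copies in count_duplicates(sample_capture()).items():
        print(f"{src}:{sport} -> {dst}:{dport} seq={seq} seen {copies} times")
```

To check a real sensor, capture directly from the monitoring interface (for example with tcpdump -w) and call count_duplicates(open(path, "rb").read()); a non-empty result means the SPAN configuration is feeding the IDS overlapping copies of the same traffic, and the stream reassembly workaround described in the post (disabling stream4 or using "noinspect") is only a stopgap until the SPAN sessions are deduplicated at the switch. Retransmissions legitimately produce duplicate keys too, so compare the count against the number of SPAN sessions before concluding the capture path is at fault.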
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users