Evasion Due to Multiple Instances of SPAN Traffic

["Benjamin Small" <benjamin.small83 () gmail com>]

Hello,

While working with Snort 2.6.1.5 I noticed a situation where snort was
inadvertently being evaded.
I have narrowed the root cause down to the stream4 preprocessor. When
reassembling both to_client
and to_server streams, it appears that duplicating certain packets causes
snort to miss an attack.
I demonstrate this in an attack where I attempt an /etc/passwd grab. None of
the attacker's packets
are duplicated, but I send three instances of the first response from the
server containing a payload
(and only the first packet with payload seems to matter). Oddly enough, if
you read the pcap as a file
"snort -r evaded.pcap", Snort fires. However, if snort is reading this
traffic from an interface it misses
the attack. To test this I used tcpreplay on a separate host.

This becomes a potential problem in IDS setups where traffic is being SPAN'd
to a monitoring interface
more than once. Since this can potentially cause every attack against an
application that utilizes TCP
to be missed, I wanted to bring this to the community's attention. This is
more common in environments
where complex SPAN sessions are used to relay data from multiple sources to
an IDS for monitoring.

I am attaching a pcap and the configuration used in my test. Disabling the
stream4 preprocessor or
setting the "noinspect" option prevents the IDS from missing the attack. The
pcap contains a series of
12 unique packets. The 8th unique packet is replicated twice, resulting in
three instances of the initial
response from the webserver after the attempted /etc/passwd grab. I only
replicated this packet since
after trying different variations of duplicating other packets, it appears
this packet was key for missing
the attack. I have attached a spreadsheet containing data surrounding my
tests. Each column contains
the number of times each packet in the sequence was transmitted.

Regards,
Benjamin Small

Attachment: evaded.pcap
Description:

Attachment: evaded.conf
Description:

Attachment: SnortEvadedSeq.ods
Description:

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users