Re: [Snort-devel] Evasion Due to Multiple Instances of SPAN Traffic

["Benjamin Small" <benjamin.small83 () gmail com>]

This is not a problem when using stream5 and snort 2.7.0 - Go team!

Thanks,
Benjamin

On 6/29/07, Steven Sturges <steve.sturges () sourcefire com> wrote:
> Hi Benjamin--
>
> Thanks for the report.  We'll have a look into it.
>
> Cheers.
> -steve
>
> Benjamin Small wrote:
> > Hello,
> >
> > While working with Snort 2.6.1.5 I noticed a situation where snort was
> > inadvertently being evaded.
> > I have narrowed the root cause down to the stream4 preprocessor. When
> > reassembling both to_client
> > and to_server streams, it appears that duplicating certain packets
> causes
> > snort to miss an attack.
> > I demonstrate this in an attack where I attempt an /etc/passwd grab.
> > None of
> > the attacker's packets
> > are duplicated, but I send three instances of the first response from
> the
> > server containing a payload
> > (and only the first packet with payload seems to matter). Oddly enough,
> if
> > you read the pcap as a file
> > "snort -r evaded.pcap", Snort fires. However, if snort is reading this
> > traffic from an interface it misses
> > the attack. To test this I used tcpreplay on a separate host.
> >
> > This becomes a potential problem in IDS setups where traffic is being
> > SPAN'd
> > to a monitoring interface
> > more than once. Since this can potentially cause every attack against an
> > application that utilizes TCP
> > to be missed, I wanted to bring this to the community's attention. This
> is
> > more common in environments
> > where complex SPAN sessions are used to relay data from multiple sources
> to
> > an IDS for monitoring.
> >
> > I am attaching a pcap and the configuration used in my test. Disabling
> the
> > stream4 preprocessor or
> > setting the "noinspect" option prevents the IDS from missing the attack.
> > The
> > pcap contains a series of
> > 12 unique packets. The 8th unique packet is replicated twice, resulting
> in
> > three instances of the initial
> > response from the webserver after the attempted /etc/passwd grab. I only
> > replicated this packet since
> > after trying different variations of duplicating other packets, it
> appears
> > this packet was key for missing
> > the attack. I have attached a spreadsheet containing data surrounding my
> > tests. Each column contains
> > the number of times each packet in the sequence was transmitted.
> >
> > Regards,
> > Benjamin Small
> >
> >
> > ------------------------------------------------------------------------
> -------------------------------------------------------------------------
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2 express and take
> > control of your XML. No limits. Just data. Click to get it now.
> > http://sourceforge.net/powerbar/db2/
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users