Snort mailing list archives
Re: [Snort-devel] Evasion Due to Multiple Instances of SPAN Traffic
From: "Benjamin Small" <benjamin.small83 () gmail com>
Date: Fri, 3 Aug 2007 11:45:28 -0400
This is not a problem when using stream5 and snort 2.7.0 - Go team!

Thanks,
Benjamin

On 6/29/07, Steven Sturges <steve.sturges () sourcefire com> wrote:
> Hi Benjamin--
>
> Thanks for the report. We'll have a look into it.
>
> Cheers.
> -steve
>
> Benjamin Small wrote:
> > Hello,
> >
> > While working with Snort 2.6.1.5 I noticed a situation where snort was inadvertently being evaded. I have narrowed the root cause down to the stream4 preprocessor. When reassembling both to_client and to_server streams, it appears that duplicating certain packets causes snort to miss an attack.
> >
> > I demonstrate this in an attack where I attempt an /etc/passwd grab. None of the attacker's packets are duplicated, but I send three instances of the first response from the server containing a payload (and only the first packet with payload seems to matter). Oddly enough, if you read the pcap as a file "snort -r evaded.pcap", Snort fires. However, if snort is reading this traffic from an interface it misses the attack. To test this I used tcpreplay on a separate host.
> >
> > This becomes a potential problem in IDS setups where traffic is being SPAN'd to a monitoring interface more than once. Since this can potentially cause every attack against an application that utilizes TCP to be missed, I wanted to bring this to the community's attention. This is more common in environments where complex SPAN sessions are used to relay data from multiple sources to an IDS for monitoring.
> >
> > I am attaching a pcap and the configuration used in my test. Disabling the stream4 preprocessor or setting the "noinspect" option prevents the IDS from missing the attack.
> >
> > The pcap contains a series of 12 unique packets. The 8th unique packet is replicated twice, resulting in three instances of the initial response from the webserver after the attempted /etc/passwd grab. I only replicated this packet since after trying different variations of duplicating other packets, it appears this packet was key for missing the attack. I have attached a spreadsheet containing data surrounding my tests. Each column contains the number of times each packet in the sequence was transmitted.
> >
> > Regards,
> > Benjamin Small
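The report above describes a monitoring port that receives the same TCP segment more than once and a reassembler that then misses the attack. The following is an added example, not code from the thread or from Snort: a small Python model of the two checks a defender wants after reading it, namely that sequence-number-keyed reassembly yields the same byte stream whether or not a segment was delivered several times, and that duplicate delivery on the monitoring port is counted so a doubled SPAN session can be alerted on. The sample HTTP response, the helper names (`Segment`, `build_stream`, `duplicate_delivery`, `reassemble`, `duplicate_report`, `stream_is_duplicate_invariant`) and the `SIGNATURE` bytes are all constructed for this example; the report's own 12-packet pcap is not reproduced.

```python
"""Added example for the Snort-devel thread above; not code from the report
or from Snort. A doubled SPAN session is indistinguishable at the TCP layer
from a retransmission, so a reassembler must key on sequence numbers rather
than arrival order, and a sensor should count duplicate delivery as a tap
health signal. All names and sample data below are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int        # relative sequence number of the first payload byte
    payload: bytes


def build_stream(chunks: List[bytes], isn: int = 0) -> List[Segment]:
    """Assign consecutive sequence numbers to payload chunks (constructed helper)."""
    segments, seq = [], isn
    for chunk in chunks:
        segments.append(Segment(seq, chunk))
        seq += len(chunk)
    return segments


# Constructed server-to-client response to a passwd grab; not the report's pcap.
SERVER_SEGMENTS = build_stream([
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n",
    b"root:x:0:0:root:/root:/bin/bash\n",
    b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n",
])

SIGNATURE = b"root:x:0:0"   # the content a rule for this response would key on


def duplicate_delivery(segments: List[Segment], index: int, copies: int) -> List[Segment]:
    """Model a tap that delivers segments[index] `copies` times in a row and
    every other segment once, mirroring the test setup in the report."""
    delivered: List[Segment] = []
    for i, seg in enumerate(segments):
        delivered.extend([seg] * (copies if i == index else 1))
    return delivered


def reassemble(segments: List[Segment], isn: int = 0) -> bytes:
    """Sequence-number-keyed reassembly with a first-seen-byte-wins policy.
    An exact duplicate contributes nothing; a partially overlapping
    retransmission contributes only the bytes not yet seen. Returns the
    contiguous data from `isn` up to the first hole."""
    seen: Dict[int, int] = {}   # absolute byte offset -> byte value
    for seg in segments:
        for i, value in enumerate(seg.payload):
            seen.setdefault(seg.seq + i, value)
    out = bytearray()
    offset = isn
    while offset in seen:
        out.append(seen[offset])
        offset += 1
    return bytes(out)


def duplicate_report(segments: List[Segment]) -> Tuple[int, int]:
    """Count (unique, duplicate) segments keyed by (seq, payload). A sustained
    duplicate count on a monitoring port is the symptom to alert on when a
    SPAN session copies the same traffic more than once."""
    unique = set()
    duplicates = 0
    for seg in segments:
        key = (seg.seq, seg.payload)
        if key in unique:
            duplicates += 1
        else:
            unique.add(key)
    return len(unique), duplicates


def stream_is_duplicate_invariant(segments: List[Segment], index: int, copies: int) -> bool:
    """Regression check: the reassembled stream must not depend on how many
    times any one segment was delivered."""
    return reassemble(duplicate_delivery(segments, index, copies)) == reassemble(segments)


if __name__ == "__main__":
    tripled = duplicate_delivery(SERVER_SEGMENTS, 1, 3)   # first payload segment seen 3 times
    assert stream_is_duplicate_invariant(SERVER_SEGMENTS, 1, 3)
    assert SIGNATURE in reassemble(tripled)
    print("unique/duplicate segments:", duplicate_report(tripled))
```

The first-seen-byte-wins overlap policy is one of several a reassembler can adopt; the point of the invariance check is that whichever policy is chosen, an exact duplicate must be a no-op. A real sensor additionally has to track per-flow state, handle sequence wraparound and bound its buffers, none of which this model does.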