Snort mailing list archives
Snort 2.7.0.1 Preprocessor Drop Patches
From: "Joel Ebrahimi" <jebrahimi () stillsecure com>
Date: Wed, 19 Sep 2007 12:57:16 -0600
The current testing version of Snort (2.8 branch) has a new mechanism to handle dropping of packets from the preprocessors. For StillSecure's upcoming Strata Guard and Cobia IPS release, we have been testing drop integration in the 2.7 branch of Snort using our own modifications. At this time we are still testing our method as well as the method in 2.8RC1, but wanted to offer it to the community. We feel there are some positives in the way we have implemented our dropping method, so we wanted to release the code early for possible adoption into the 2.x Snort branch and to give the community a chance to play with dropping in a different way in Snort 2.7.0.1.

The development we have done has all preprocessor drops contained within each respective preprocessor section of code. There are 2 main benefits to this. One is there is a centralized configuration for each preprocessor. The configuration takes place as traditional preprocessor configuration does, with the use of keywords. This also allows the display of your drop parameters at startup, in each of the preprocessor startup sections. The second benefit is that this method allows fine granularity control over each preprocessor. With the current method from Snort 2.8, you add preprocessor rules that act as a global over the entire preprocessor. For example, if you have several HTTP Inspect engines and wanted to drop IIS backslash from just one of the engines, you could not do this in the current 2.8 method but could with the method we have developed.

We are going to continue to test both the way we have implemented preprocessor drops as well as the method in Snort 2.8. At this point there is not an official Snort release that we will use with Strata Guard and Cobia, and we will continue to test both methods to determine what will work best for our products and for the user. At the bottom of this email is a list of the available preprocessors for dropping with the keyword and meaning.
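The per-engine granularity described above (IIS backslash dropped on one HTTP Inspect engine only), as an added snort.conf illustration that is not from the StillSecure patches or the Snort project; the placement of the drop_iis_backslash keyword inside an http_inspect_server line is assumed from the post's statement that configuration uses ordinary preprocessor keywords, and the addresses and ports are constructed sample values:

```conf
# Added illustration, not code from the patches. Keyword placement is an
# assumption: the drop_* option is appended to one http_inspect_server
# engine, alongside the standard Snort 2.x options. Sample IPs/ports only.

preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# Engine 1: IIS hosts, backslash evasion is dropped inline on this engine only.
preprocessor http_inspect_server: server { 192.0.2.10 192.0.2.11 } \
    profile iis ports { 80 } \
    drop_iis_backslash

# Engine 2: Apache hosts, the same inspection still alerts but nothing is dropped.
preprocessor http_inspect_server: server 192.0.2.20 \
    profile apache ports { 80 8080 }

# Default engine for all other servers: alert only.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 }
```

Running snort with -T validates the configuration; with the patch applied, the startup output for each engine is where the post says the drop parameters are displayed.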
I also sent this information as an attachment. Included with this email are patches for each of the preprocessors. We also have a prepackaged tarball of all the modifications available at http://download.stillsecure.com/Cobia/src/ . Please send any comments, suggestions, issues or ideas to make it better to jebrahimi () stillsecure com

// Joel
StillSecure
Joel Ebrahimi
Senior Software Engineer
http://www.stillsecure.com/

The information transmitted is intended only for the person to whom it is addressed and may contain confidential material. Review or other use of this information by persons other than the intended recipient is prohibited. If you've received this in error, please contact the sender and delete from any computer.

-------------------------------------------------
Frag3
-------------------------------------------------
options                        description
--------------                 -----------
drop_ipoptions                 Drop inconsistent IP options
drop_teardrop                  Drop Teardrop attack
drop_short_frag                Drop short fragment, possible DOS
drop_anomaly_oversize          Drop packet after defragmented packet
drop_anomaly_zero              Drop zero byte fragmented packet
drop_anomaly_badsize_sm        Drop negative size fragment
drop_anomaly_badsize_lg        Drop over sized fragment
drop_anomaly_ovlp              Drop fragmentation overlap
drop_ipv6_bsd_icmp_frag        Drop IPV6 BSD mbufs kernel overflow
drop_ipv6_bad_frag_pkt         Drop bogus fragmentation packet

-------------------------------------------------
Stream5
-------------------------------------------------
options                        description
--------------                 -----------
drop_syn_on_est                Drop SYN on established packet
drop_data_on_syn               Drop data on SYN packet
drop_data_on_closed            Drop data sent on stream not accepting data
drop_bad_timestamp             Drop TCP Timestamp is outside of PAWS window
drop_bad_segment               Drop bad segment, overlap adjusted size <= 0
drop_window_too_large          Drop window size (after scaling) larger than policy allows
drop_excessive_tcp_overlaps    Drop when limit on the number of TCP packets reached
drop_data_after_reset          Drop data after Reset packet

-------------------------------------------------
HTTP Inspect
-------------------------------------------------
options                        description
--------------                 -----------
drop_ascii                     Drop ASCII encoding
drop_double_decode             Drop double decoding attacks
drop_u_encode                  Drop U encoding
drop_bare_byte                 Drop bare byte unicode encoding
drop_base36                    Drop base36 encoding
drop_utf_8                     Drop utf-8 encoding
drop_iis_unicode               Drop IIS unicode codepoint encoding
drop_multi_slash               Drop multislash encoding
drop_iis_backslash             Drop IIS backslash evasion
drop_self_dir_trav             Drop self directory traversal
drop_apache_ws                 Drop apache whitespace
drop_iis_delimeter             Drop IIS non-rfc delimiter
drop_non_rfc_char              Drop non-rfc character
drop_oversize_dir              Drop oversize request URI directory
drop_large_chunk               Drop oversize chunk encoding
drop_proxy_use                 Drop detected proxy use
drop_webroot_dir               Drop webroot directory traversal

-------------------------------------------------
SMTP
-------------------------------------------------
options                        description
--------------                 -----------
drop_obsolete_types            Drop Obsolete DNS RR Types
drop_experimental_types        Drop Experimental DNS RR Types
drop_rdata_overflow            Drop DNS Client rdata txt Overflow

-------------------------------------------------
DNS
-------------------------------------------------
options                        description
--------------                 -----------
drop_obsolete_types            Drop Obsolete DNS RR Types
drop_experimental_types        Drop Experimental DNS RR Types
drop_rdata_overflow            Drop DNS Client rdata txt Overflow

-------------------------------------------------
FTP/Telnet
-------------------------------------------------
Telnet Configuration:
options                        description
--------------                 -----------
drop_encrypted_traffic         Drop encrypted traffic
drop_ayt_overflow              Drop consecutive TELNET AYT commands beyond set threshold
drop_sb_no_se                  Drop TELNET subnegotiation begin command without subnegotiation end

FTP Global Configuration:
options                        description
--------------                 -----------
drop_evasive_telnet_cmd        Drop evasive TELNET CMDs on FTP command channel
drop_encrypted_traffic         Drop encrypted FTP traffic

FTP Client Configuration:
options                        description
--------------                 -----------
drop_telnet_cmd                Drop TELNET CMD on FTP Command Channel
drop_long_response_parameters  Drop FTP response messages that are too long
drop_bounce_attempt            Drop FTP bounce attempts

FTP Server Configuration:
options                        description
--------------                 -----------
drop_telnet_cmd                Drop TELNET CMD on FTP Command Channel
drop_invalid_cmd               Drop invalid FTP Command
drop_long_cmd_parameters       Drop FTP command parameters that are too long
drop_malformed_parameters      Drop FTP command parameters that were malformed
drop_string_format_parameters  Drop FTP command parameters that contain potential string format

-------------------------------------------------
SSH
-------------------------------------------------
options                        description
--------------                 -----------
drop_gobbles                   Drop Gobbles exploit
drop_ssh1crc32                 Drop SSH1 CRC32 exploit
drop_srvoverflow               Drop server version string overflow
drop_protomismatch             Drop protocol mismatch
drop_badmsgdir                 Drop bad message direction
drop_paysize                   Drop payload size incorrect for the given payload
drop_recognition               Drop failure to detect SSH version string
Attachments:
ss-snort-2.7.0.1-dns.diff
ss-snort-2.7.0.1-frag3.diff
ss-snort-2.7.0.1-ftptelnet.diff
ss-snort-2.7.0.1-http_inspect.diff
ss-snort-2.7.0.1-smtp.diff
ss-snort-2.7.0.1-ssh.diff
ss-snort-2.7.0.1-stream5.diff
usage.txt