Snort mailing list archives

Snort 2.7.0.1 Preprocessor Drop Patches


From: "Joel Ebrahimi" <jebrahimi () stillsecure com>
Date: Wed, 19 Sep 2007 12:57:16 -0600

The current testing version of Snort (2.8 branch) has a new mechanism to handle dropping of packets from the 
preprocessors. For StillSecure's upcoming Strata Guard and Cobia IPS release, we have been testing drop integration in 
the 2.7 branch of Snort using our own modifications.

At this time we are still testing our method as well as the method in 2.8RC1, but wanted to offer it to the community. 
We feel there are some positives in the way we have implemented our dropping method, so we wanted to release the code 
early for possible adoption into the 2.x Snort branch and to give the community a chance to play with dropping in a 
different way in Snort 2.7.0.1.

The development we have done has all preprocessor drops contained within each respective preprocessor section of code. 
There are 2 main benefits to this. One is there is a centralized configuration for each preprocessor. The configuration 
takes place as traditional preprocessor configuration does, with the use of keywords. This also allows the display of 
your drop parameters at startup, in each of the preprocessor startup sections. The second benefit is that this method 
allows fine granularity control over each preprocessor. With the current method from Snort 2.8, you add preprocessor 
rules that act as a global over the entire preprocessor. For example, if you have several HTTP Inspect engines and 
wanted to drop IIS backslash from just one of the engines, you could not do this in the current 2.8 method but could 
with the method we have developed.

We are going to continue to test both the way we have implemented preprocessor drops as well as the method in Snort 
2.8. At this point there is not an official Snort release that we will use with Strata Guard and Cobia and we will 
continue to test both methods to determine what will work best for our products and for the user. 

At the bottom of this email is a list of the available preprocessors for dropping with the keyword and meaning. I also 
sent this information as an attachment.

Included with this email are patches for each of the preprocessors. We also have a prepackaged tarball of all the 
modifications available at http://download.stillsecure.com/Cobia/src/ . Please send any comments, suggestions, issues 
or ideas to make it better to jebrahimi () stillsecure com


// Joel 

StillSecure
Joel Ebrahimi
Senior Software Engineer


http://www.stillsecure.com/


-------------------------------------------------
Frag3
-------------------------------------------------

options                         description
--------------                  -----------
drop_ipoptions                  Drop inconsistent IP options
drop_teardrop                   Drop Teardrop attack
drop_short_frag                 Drop short fragment, possible DOS
drop_anomaly_oversize           Drop packet after defragmented packet
drop_anomaly_zero               Drop zero byte fragmented packet
drop_anomaly_badsize_sm         Drop negative size fragment
drop_anomaly_badsize_lg         Drop over sized fragment
drop_anomaly_ovlp               Drop fragmentation overlap
drop_ipv6_bsd_icmp_frag         Drop IPV6 BSD mbufs kernel overflow
drop_ipv6_bad_frag_pkt          Drop bogus fragmentation packet



-------------------------------------------------
Stream5
-------------------------------------------------

options                         description
--------------                  -----------
drop_syn_on_est                 Drop SYN on established packet
drop_data_on_syn                Drop data on SYN packet
drop_data_on_closed             Drop data sent on stream not accepting data
drop_bad_timestamp              Drop TCP Timestamp is outside of PAWS window
drop_bad_segment                Drop bad segment,overlap adjusted size <= 0
drop_window_too_large           Drop window size (after scaling) larger than policy allows
drop_excessive_tcp_overlaps     Drop when limit on the number of TCP packets reached
drop_data_after_reset           Drop data after Reset packet



-------------------------------------------------
HTTP Inspect
-------------------------------------------------

options                         description
--------------                  -----------
drop_ascii                      Drop ASCII encoding
drop_double_decode              Drop double decoding attacks
drop_u_encode                   Drop U encoding
drop_bare_byte                  Drop bare byte unicode encoding
drop_base36                     Drop base36 encoding
drop_utf_8                      Drop utf-8 encoding
drop_iis_unicode                Drop IIS unicode codepoint encoding
drop_multi_slash                Drop multislash encoding
drop_iis_backslash              Drop IIS backslash evasion
drop_self_dir_trav              Drop self directory traversal
drop_apache_ws                  Drop apache whitespace
drop_iis_delimeter              Drop IIS non-rfc delimiter
drop_non_rfc_char               Drop non-rfc character
drop_oversize_dir               Drop oversize request URI directory
drop_large_chunk                Drop oversize chunk encoding
drop_proxy_use                  Drop detected proxy use
drop_webroot_dir                Drop webroot directory traversal



-------------------------------------------------
SMTP
-------------------------------------------------

options                         description
--------------                  -----------
drop_obsolete_types             Drop Obsolete DNS RR Types
drop_experimental_types         Drop Experimental DNS RR Types
drop_rdata_overflow             Drop DNS Client rdata txt Overflow



-------------------------------------------------
DNS
-------------------------------------------------

options                         description
--------------                  -----------
drop_obsolete_types             Drop Obsolete DNS RR Types
drop_experimental_types         Drop Experimental DNS RR Types
drop_rdata_overflow             Drop DNS Client rdata txt Overflow



-------------------------------------------------
FTP/Telnet
-------------------------------------------------

Telnet Configuration:
options                         description
--------------                  -----------
drop_encrypted_traffic          Drop encrypted traffic
drop_ayt_overflow               Drop consecutive TELNET AYT commands beyond set threshold
drop_sb_no_se                   Drop TELNET subnegotiation begin command without subnegotiation end


FTP Global Configuration:
options                         description
--------------                  -----------
drop_evasive_telnet_cmd         Drop evasive TELNET CMDs on FTP command channel
drop_encrypted_traffic          Drop encrypted FTP traffic


FTP Client Configuration:
options                         description
--------------                  -----------
drop_telnet_cmd                 Drop TELNET CMD on FTP Command Channel
drop_long_response_parameters   Drop FTP response messages that are too long
drop_bounce_attempt             Drop FTP bounce attempts


FTP Server Configuration:
options                         description
--------------                  -----------
drop_telnet_cmd                 Drop TELNET CMD on FTP Command Channel
drop_invalid_cmd                Drop invalid FTP Command
drop_long_cmd_parameters        Drop FTP command parameters that are too long
drop_malformed_parameters       Drop FTP command parameters that were malformed
drop_string_format_parameters   Drop FTP command parameters that contain potential string format



-------------------------------------------------
SSH
-------------------------------------------------

options                         description
--------------                  -----------
drop_gobbles                    Drop Gobbles exploit
drop_ssh1crc32                  Drop SSH1 CRC32 exploit
drop_srvoverflow                Drop server version string overflow
drop_protomismatch              Drop protocol mismatch
drop_badmsgdir                  Drop bad message direction
drop_paysize                    Drop payload size incorrect for the given payload
drop_recognition                Drop failure to detect SSH version string






Attachment: ss-snort-2.7.0.1-dns.diff
Description: ss-snort-2.7.0.1-dns.diff

Attachment: ss-snort-2.7.0.1-frag3.diff
Description: ss-snort-2.7.0.1-frag3.diff

Attachment: ss-snort-2.7.0.1-ftptelnet.diff
Description: ss-snort-2.7.0.1-ftptelnet.diff

Attachment: ss-snort-2.7.0.1-http_inspect.diff
Description: ss-snort-2.7.0.1-http_inspect.diff

Attachment: ss-snort-2.7.0.1-smtp.diff
Description: ss-snort-2.7.0.1-smtp.diff

Attachment: ss-snort-2.7.0.1-ssh.diff
Description: ss-snort-2.7.0.1-ssh.diff

Attachment: ss-snort-2.7.0.1-stream5.diff
Description: ss-snort-2.7.0.1-stream5.diff

Attachment: usage.txt
Description: usage.txt
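The post's main argument is that drop keywords live on each preprocessor instance, so two HTTP Inspect engines can drop different things. The script below is an added example (not part of the StillSecure patches or of Snort) that audits a snort.conf for exactly that: it lists which of the post's drop_* keywords each preprocessor line enables and flags keywords that are not in the tables. The keyword sets are copied from the tables above; the preprocessor names they attach to (stream5_tcp, http_inspect_server), the bare-keyword syntax, and the sample config are assumptions.

```python
import re

# Drop keywords copied from the tables in the post. Which preprocessor line
# they attach to (stream5_tcp, http_inspect_server) is an assumption here.
DROP_KEYWORDS = {
    "stream5_tcp": {
        "drop_syn_on_est", "drop_data_on_syn", "drop_data_on_closed",
        "drop_bad_timestamp", "drop_bad_segment", "drop_window_too_large",
        "drop_excessive_tcp_overlaps", "drop_data_after_reset"},
    "http_inspect_server": {
        "drop_ascii", "drop_double_decode", "drop_u_encode", "drop_bare_byte",
        "drop_base36", "drop_utf_8", "drop_iis_unicode", "drop_multi_slash",
        "drop_iis_backslash", "drop_self_dir_trav", "drop_apache_ws",
        "drop_iis_delimeter", "drop_non_rfc_char", "drop_oversize_dir",
        "drop_large_chunk", "drop_proxy_use", "drop_webroot_dir"},
}

PREPROC_LINE = re.compile(r"^preprocessor\s+(\w+)\s*:?\s*(.*)$")

def audit_drops(conf_text):
    """Return one (preprocessor, instance_no, known_drops, unknown_drops)
    tuple per preprocessor line, in file order. Backslash line continuations
    are joined and '#' comments stripped first, as snort.conf allows."""
    text = re.sub(r"\\\s*\n", " ", conf_text)
    seen, results = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = PREPROC_LINE.match(line)
        if not m:
            continue
        name, body = m.groups()
        # Braces and commas are separators in preprocessor option lists.
        tokens = re.sub(r"[{},]", " ", body).split()
        drops = {t for t in tokens if t.startswith("drop_")}
        known = DROP_KEYWORDS.get(name, set())
        seen[name] = seen.get(name, 0) + 1
        results.append((name, seen[name], sorted(drops & known), sorted(drops - known)))
    return results

# Constructed snort.conf fragment: only the IIS engine drops backslash evasion,
# which is the per-engine case the post describes; the last line has a typo.
SAMPLE_CONF = """\
preprocessor stream5_tcp: policy first, drop_data_on_syn, drop_data_after_reset
preprocessor http_inspect_server: server default profile all ports { 80 } \\
    drop_double_decode
preprocessor http_inspect_server: server 10.1.1.10 profile iis ports { 80 8080 } \\
    drop_iis_backslash drop_iis_unicode   # IIS host only
preprocessor http_inspect_server: server 10.1.1.11 profile apache ports { 80 } \\
    drop_apache_ws drop_nonsense_keyword
"""

if __name__ == "__main__":
    for name, idx, known, unknown in audit_drops(SAMPLE_CONF):
        print(f"{name}#{idx}: drops={known} unknown={unknown}")
```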
