Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: What do I need to configure in snort.conf to protect against segmentation attacks?

From: Emeka Agu <mainmen1985 () gmail com>
Date: Mon, 27 Aug 2012 11:24:04 +0100
Hi all again. I had to directly email Joel for this, just seeing if anyone
else can see what's going on:

*So my rule now is*

alert tcp any any -> 192.68.4.250  any  (msg:”Testing TCP Flow”;

flow:to_server, established; content:”/root/hacked”; nocase; sid:11114;




*My payload for 3 packets is: "/roo", "t/hac" and "ked", sent
as separate streams, with flags "PA"*
*set*
*
*
*My Stream5 con in snort.conf is:*
*
*

preprocessor stream5_global: track_tcp yes, \
   track_udp no, \
   track_icmp no, \
preprocessor stream5_tcp: policy First, detect_anomalies, \
    ports client 23

(rest is truncated)


*My Windows 7 machine sees the payload from port 23 as: /root/hacked. *
*
*
*But Snort see nada. Absolutely nothing. Snort does work with my
custom attacks to, so I know it's working OK.*
*
*
*I have no idea what's going on! Please help!*



*
*
On 26 August 2012 11:44, Gmail Personal <mainmen1985 () gmail com> wrote:


I should also add I changed the port targeted to 22, just in case
something was going weird. And I have added the port to the Stream5 option

Weird!

*Emeka* Agu | Sent from  *iPad*

On 26 Aug 2012, at 11:30, Emeka Agu <mainmen1985 () gmail com> wrote:

Hi Tony thanks for the help. Still get the problem!

I followed this guide too:
http://searchsecuritychannel.techtarget.com/tip/Snorts-Stream5-and-TCP-overlapping-fragmentswhere Richard did exactly 
the same thing as me

And edited my Stream5 TCP policy to include the reassembly Port, but it
still didn't detect anything. Surely something is wrong, or is Snort that
easily beaten by segmented TCP streams?

Thanks

On 23 August 2012 18:27, Tony Robinson <deusexmachina667 () gmail com> wrote:


I'd check your frag3 and stream 5 settings in snort.conf, verify that
stream5 is enabled and that TCP streams are being assembled. according to
the snort manual, stream reassembly for port 80 from client operating
systems is a default setting in snort.conf -- Double check that, maybe set
port 80 to both. Additionally, look into the stream_assembly rule option,
and integrate it into your rule to ensure that TCP streams are being
reassembled.

http://manual.snort.org/node33.html#SECTION004621000000000000000

In regards to ip fragmentation, try changing frag3 back to the defaults
and see what happens.

Try running a packet capture (i.e. use snort, wireshark, tshark or
tcpdump) and get a pcap on the interface snort is listening on to ensure
the traffic is being dropped/modified somewhere in transit -- you need to
verify what your snort sensor is seeing.

Hope this helps,

-Tony

On Thu, Aug 23, 2012 at 2:55 AM, Emeka Agu <mainmen1985 () gmail com> wrote:


Hi there, I've created some code in Scapy to create a successful 3WH and
then push a segmented keyword (/root/hacked) over 3 packets.

I also created these three rules in snort (I know the rule with no flow
direction set is pointless, but I needed it to confirm my findings)

1) alert tcp any any -> $HOME_NET  80 (msg:”Testing TCP”;
content:”/root/hacked”; nocase; sid:11112;)



2) alert ip any any -> $HOME_NET  80 (msg:”Testing IP Frag”;
content:”/root/hacked”; nocase; sid:11113;)



3) alert tcp any any -> $HOME_NET  80 (msg:”Testing TCP Flow”;
flow:to_server, established; content:”/root/hacked”; nocase; sid:11114;)


But none of them are alerted when I send the packets. Wireshark manages
to see the packets and when I select Follow TCP Stream, and it displays the
content in full.


IP tables has been turned off too I tested with an earlier evasion
attempt just using a fragmented packet where it split the keyword into
"/roo" and "t/hacked" and  Snort detected it. I used exactly the same
destination and source ports, same IP source and destination, too.


So I am presuming it's something to do with my snort.conf file. I've
left most of the options as default, I just changed the policies to linux,
as I am using Backtrack as the Snort IDS


Can anyone give me any guidance please?

Cheers,


Emeka


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!





--
when does reality end? when does fantasy begin?





------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: