Snort mailing list archives

Stream5/6 marking RST as invalid when it shouldn't?


From: Mike Cox <mike.cox52 () gmail com>
Date: Wed, 8 Apr 2015 11:47:27 -0400

I have a situation where Snort (Stream5/6) is marking a RST packet as bad
because it thinks the sequence number is invalid.  I originally came across
this in Stream5 (Snort 2.9.6) but also see it in Stream6 (Snort 2.9.7.2)
since that portion of the code is largely unchanged and I will be providing
data from Snort 2.9.7.2 since that is the latest version.

Basically what happens is a session is established and data is sent by the
client (which is lost) followed by a FIN (which is received).  The lost
data has to get re-transmitted and then the server ACKs all the data,
including the FIN.  The server then sends some data of its own (which
doesn't really matter in this case) and the client immediately sends a RST
which Snort marks as invalid. If normalization (STREAM_POLICY_FIRST) and
blocking are enabled, this causes the RST packet to be blocked.

In the function ValidRst() in snort_stream_tcp.c, sequence numbers on a RST
are validated based on the policy.  For STREAM_POLICY_FIRST (as well as
STREAM_POLICY_NOACK, STREAM_POLICY_LAST, STREAM_POLICY_MACOS,
STREAM_POLICY_WINDOWS, STREAM_POLICY_VISTA, STREAM_POLICY_WINDOWS2K3,
STREAM_POLICY_HPUX10, and STREAM_POLICY_IRIX), the sequence number of the
RST has to be the same as 'st->r_nxt_ack'.  This behavior is based on
how those various implementations handle a RST.

However, in my situation, as far as I can tell, the sequence number of the
RST being sent is as it should be (not to mention it matches the ACK value
of the previously received packet(s)) yet Snort is marking it as invalid
since I think it gets confused about r_nxt_ack.

I have attached a pcap as well as Snort debug output that helps demonstrate
what is going on.  Here is a snippet from the Snort output that shows the
RST being marked as invalid:

spp_stream6.c:722: In Stream!
snort_stream_tcp.c:5435: Got TCP Packet 0xEF9B24:52136 ->  0xEF9B38:36474
*****R**
seq: 0x70   ack:0x0  dsize: 0
TcpDataBlock:
    seq:    0x00000070
    ack:    0x00000000
    win:    8192
    end:    0x00000070
snort_stream_tcp.c:8312: Stream: Updating on packet from client
snort_stream_tcp.c:8481:    Client [talker] state: FIN_WAIT_2
snort_stream_tcp.c:2673:     IGNORE
snort_stream_tcp.c:8486:    Server state: CLOSE_WAIT(5)
snort_stream_tcp.c:2673:     IGNORE
snort_stream_tcp.c:3458: Checking end_seq (70) > r_win_base (70) && seq (70) < r_nxt_ack(200C)
snort_stream_tcp.c:3489: rst is not valid seq (next seq)!
snort_stream_tcp.c:8663: bad sequence number, bailing
snort_stream_tcp.c:5656: Finished Stream TCP cleanly!

The pcap is one I cooked up but it is based on an actual pcap seen in the
wild (I can't share the original).

Can someone either explain to me why the RST being marked as invalid is in
fact invalid, or confirm that this is a bug in Stream5/6?  I don't claim to
know everything about TCP so please correct me if I'm missing something.

Thank you.

Mike Cox

Attachment: snort_debug_stream6.txt

Attachment: out_of_order.pcap
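As an added illustration (not code from this post or from Snort itself), here is a small C model of the check described above: a hole-aware tracker for r_nxt_ack and the strict "RST seq must equal r_nxt_ack" rule, replayed over the lost-data / FIN / retransmission exchange with constructed sequence numbers. The tracker struct, its out-of-order bookkeeping and every number in it are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed listener-side state; r_nxt_ack is named after the field in the
 * post's debug output. This is not Snort's own tracker. */
#define MAX_OOO 8
typedef struct {
    uint32_t r_nxt_ack;         /* next in-order byte expected from the talker */
    uint32_t ooo_seq[MAX_OOO];  /* out-of-order segments held back by a hole */
    uint32_t ooo_end[MAX_OOO];
    int      ooo;
} tracker_t;

/* Account for a talker segment [seq, seq+len), plus one byte for a FIN. r_nxt_ack
 * advances only over contiguous bytes, so a FIN that arrives ahead of lost data
 * waits until the retransmission fills the hole. Hypothetical logic for the example. */
static void track_segment(tracker_t *t, uint32_t seq, uint32_t len, bool fin) {
    uint32_t end = seq + len + (fin ? 1 : 0);
    if (seq != t->r_nxt_ack) {                     /* hole in front: hold it */
        if (t->ooo < MAX_OOO) { t->ooo_seq[t->ooo] = seq; t->ooo_end[t->ooo] = end; t->ooo++; }
        return;
    }
    t->r_nxt_ack = end;
    for (bool moved = true; moved;) {              /* absorb now-contiguous holds */
        moved = false;
        for (int i = 0; i < t->ooo && !moved; i++)
            if (t->ooo_seq[i] == t->r_nxt_ack) {
                t->r_nxt_ack = t->ooo_end[i];
                t->ooo--; t->ooo_seq[i] = t->ooo_seq[t->ooo]; t->ooo_end[i] = t->ooo_end[t->ooo];
                moved = true;                      /* entry i dropped by swapping */
            }
    }
}

/* The strict rule the post describes for STREAM_POLICY_FIRST and the other listed
 * policies: a RST is valid only when its sequence number equals r_nxt_ack. */
static bool valid_rst_next_seq(uint32_t r_nxt_ack, uint32_t rst_seq) {
    return rst_seq == r_nxt_ack;
}

/* Replays the post's exchange with constructed numbers: 0x5F client bytes at 0x10
 * are lost, the FIN at 0x6F is received, then the data is retransmitted. Returns
 * the r_nxt_ack a hole-aware tracker ends up with: 0x70, the seq the client's RST
 * carries in the debug output, so valid_rst_next_seq(0x70, 0x70) holds. */
static uint32_t replay_next_expected(void) {
    tracker_t srv = { .r_nxt_ack = 0x10 };
    track_segment(&srv, 0x6F, 0, true);            /* FIN arrives before the data */
    track_segment(&srv, 0x10, 0x5F, false);        /* retransmission fills the hole */
    return srv.r_nxt_ack;
}
```

Judging the same RST seq (0x70) against the r_nxt_ack of 0x200C printed in the debug output rejects it, which is the "rst is not valid seq (next seq)!" verdict shown above.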

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel