Snort mailing list archives
Rules using segment keywords shouldn't be applied to reassembled streams
From: Mike Cox <mike.cox52 () gmail com>
Date: Wed, 4 Nov 2015 08:15:10 -0500
I propose that rules using the "ack", "seq", and "window" keywords not be applied against reassembled streams. Since these values only apply to TCP segments, it only makes sense to evaluate them in that context. In fact, not doing so can create non-trivial false positives, especially in cases where the sensor only sees one side of the traffic (simplex) due to routing, switching, or other myriad setups that exist in production networks more than you think.

I have attached an example pcap. If you run it through Snort with the following rule, you will see an alert when you should not. You will want to configure the normalize preprocessor such that Snort's flushing policy is Footprint-IPS (or Protocol-IPS should work too, I think).

alert tcp any any -> any any (msg:"ACK with zero value found"; flow:established,to_server; ack:0; sid:12349999;)

The stream preprocessor ends up setting the ACK value on the reassembled ("pseudo" or "stream") packet to zero, which causes a false positive alert. Here is the stream packet with PAF enabled (you can run it without PAF enabled and get multiple hits). You can see that the "Ack" and "Win" values are "0x0" even though this is not the case for any of the actual segments in the pcap:

+++++++++++++++++++Stream Packet+++++++++++++++++++++
01/30-13:56:04.466490 192.168.97.167:46553 -> 208.68.163.218:80
TCP TTL:64 TOS:0x0 ID:62087 IpLen:20 DgmLen:1807 DF
***AP*** Seq: 0x46F99B48  Ack: 0x0  Win: 0x0  TcpLen: 32
0x0000: 00 0E B6 29 18 89 00 90 F5 AA 83 DA 08 00 45 00  ...)..........E.
0x0010: 07 0F F2 87 40 00 40 06 B1 4C C0 A8 61 A7 D0 44  ....@.@..L..a..D
0x0020: A3 DA B5 D9 00 50 46 F9 9B 48 00 00 00 00 80 18  .....PF..H......
0x0030: 00 00 FC B0 00 00 01 01 08 0A 29 07 69 E1 CD CC  ..........).i...
0x0040: 6E DE 3C 73 74 72 65 61 6D 3A 73 74 72 65 61 6D  n.<stream:stream
0x0050: 20 74 6F 3D 27 6A 61 62 62 65 72 2E 6F 72 67 27   to='jabber.org'
0x0060: 20 78 6D 6C 6E 73 3A 73 74 72 65 61 6D 3D 27 68   xmlns:stream='h
0x0070: 74 74 70 3A 2F 2F 65 74 68 65 72 78 2E 6A 61 62  ttp://etherx.jab
0x0080: 62 65 72 2E 6F 72 67 2F 73 74 72 65 61 6D 73 27  ber.org/streams'
0x0090: 20 78 6D 6C 6E 73 3D 27 6A 61 62 62 65 72 3A 63   xmlns='jabber:c
0x00A0: 6C 69 65 6E 74 27 20 78 6D 6C 3A 6C 61 6E 67 3D  lient' xml:lang=
0x00B0: 27 65 6E 27 20 76 65 72 73 69 6F 6E 3D 27 31 2E  'en' version='1.
0x00C0: 30 27 3E 3C 73 74 61 72 74 74 6C 73 20 78 6D 6C  0'><starttls xml
0x00D0: 6E 73 3D 22 75 72 6E 3A 69 65 74 66 3A 70 61 72  ns="urn:ietf:par
0x00E0: 61 6D 73 3A 78 6D 6C 3A 6E 73 3A 78 6D 70 70 2D  ams:xml:ns:xmpp-
0x00F0: 74 6C 73 22 3E 3C 72 65 71 75 69 72 65 64 20 2F  tls"><required /
0x0100: 3E 3C 2F 73 74 61 72 74 74 6C 73 3E 16 03 01 02  ></starttls>....
0x0110: 00 01 00 01 FC 03 03 19 C1 EE 80 F2 33 72 12 A4  ............3r..
0x0120: F2 45 93 D3 D3 5C EE 0C F0 6D 44 1B 71 A6 1A A0  .E...\...mD.q...
0x0130: 8A 7D 63 AB AC 4F CF 00 00 9E C0 30 C0 2C C0 32  .}c..O.....0.,.2
0x0140: C0 2E C0 2F C0 2B C0 31 C0 2D 00 A5 00 A3 00 A1  .../.+.1.-......
0x0150: 00 9F 00 A4 00 A2 00 A0 00 9E C0 28 C0 24 C0 14  ...........(.$..
0x0160: C0 0A C0 2A C0 26 C0 0F C0 05 00 6B 00 6A 00 69  ...*.&.....k.j.i
0x0170: 00 68 00 39 00 38 00 37 00 36 C0 27 C0 23 C0 13  .h.9.8.7.6.'.#..
0x0180: C0 09 C0 29 C0 25 C0 0E C0 04 00 67 00 40 00 3F  ...).%.....g.@.?
0x0190: 00 3E 00 33 00 32 00 31 00 30 C0 12 C0 08 C0 0D  .>.3.2.1.0......
0x01A0: C0 03 00 88 00 87 00 86 00 85 00 45 00 44 00 43  ...........E.D.C
0x01B0: 00 42 00 16 00 13 00 10 00 0D 00 9D 00 9C 00 3D  .B.............=
0x01C0: 00 35 00 3C 00 2F 00 84 00 41 00 0A C0 11 C0 07  .5.<./...A......
0x01D0: C0 0C C0 02 00 05 00 FF 02 01 00 01 34 00 0B 00  ............4...
0x01E0: 04 03 00 01 02 00 0A 00 3A 00 38 00 0E 00 0D 00  ........:.8.....
0x01F0: 19 00 1C 00 0B 00 0C 00 1B 00 18 00 09 00 0A 00  ................
0x0200: 1A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
0x0210: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
0x0220: 10 00 11 00 23 00 00 00 0D 00 20 00 1E 06 01 06  ....#..... .....
0x0230: 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03  ................
0x0240: 01 03 02 03 03 02 01 02 02 02 03 00 0F 00 01 01  ................
0x0250: 00 15 00 BD 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x02A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x02B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x02C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x02D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x02E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x02F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0310: 00 16 03 03 00 07 0B 00 00 03 00 00 00 16 03 03  ................
0x0320: 00 46 10 00 00 42 41 04 09 7D 68 14 28 90 1E 4B  .F...BA..}h.(..K
0x0330: FB D1 12 E0 B1 5E B7 89 B5 49 31 BB A3 C7 4A FA  .....^...I1...J.
0x0340: 87 DB D1 BE 3A E6 F8 9D ED 57 CA 32 D3 BF DC 94  ....:....W.2....
0x0350: EC 3E EA BC 51 3C 70 3E 59 F7 AE 05 D2 66 34 99  .>..Q<p>Y....f4.
0x0360: 2F 03 D1 A0 A0 8D 2F 22 14 03 03 00 01 01 16 03  /...../"........
0x0370: 03 00 28 BC 46 F6 8E 10 78 3E 0B BF 14 C1 E5 A3  ..(.F...x>......
0x0380: C0 3F 0E 1C 83 50 0A 61 6B A8 3E 6D B4 A2 C2 22  .?...P.ak.>m..."
0x0390: 51 19 DA 79 13 C3 1F 2D CC 11 3B 17 03 03 00 99  Q..y...-..;.....
0x03A0: BC 46 F6 8E 10 78 3E 0C 2C C7 36 8A C6 46 37 0E  .F...x>.,.6..F7.
0x03B0: 45 7E 5C EE 11 2A E0 29 39 F6 98 85 36 9C 4B D6  E~\..*.)9...6.K.
0x03C0: FD 5D 44 81 A3 93 21 39 BF 41 13 56 53 36 BD 47  .]D...!9.A.VS6.G
0x03D0: 5E 2A 67 3F 8B 7B 54 9F BF 83 4D A7 03 01 D2 A7  ^*g?.{T...M.....
0x03E0: 95 99 B8 E1 DF 01 49 BB 15 5B AF 65 4A 24 D9 30  ......I..[.eJ$.0
0x03F0: 42 1C 39 BF 6E 43 5A 28 C6 8F 4F CB 16 A6 87 BA  B.9.nCZ(..O.....
0x0400: 64 EB C4 B1 03 08 A3 DD 8D 04 64 65 4C 4F FB AA  d.........deLO..
0x0410: 02 0D BE B7 82 FC 50 D7 45 D5 F1 CC FA B1 C0 FF  ......P.E.......
0x0420: CC 37 98 6A 2D D9 1E B1 14 E0 7F B8 0D 15 B9 C2  .7.j-...........
0x0430: 3D 73 EE BD 39 A9 CA BE 42 17 03 03 00 5E BC 46  =s..9...B....^.F
0x0440: F6 8E 10 78 3E 0D 5A D5 66 8D 9D F8 1C 7C AD 42  ...x>.Z.f....|.B
0x0450: 49 43 69 B3 7C 0C 4C 5E 8E 84 13 61 8E A7 1C 0D  ICi.|.L^...a....
0x0460: 66 1D 93 81 01 BC FC 22 5D 39 47 D4 47 29 66 A8  f......"]9G.G)f.
0x0470: 6F 7C C4 9A B6 5C 16 6F 9B 4C 58 92 28 D3 40 C0  o|...\.o.LX.(.@.
0x0480: 9B BE CD 4B F4 57 AF 9E FF 56 28 FC 31 EB CF 49  ...K.W...V(.1..I
0x0490: E8 72 D0 7E 56 B3 40 29 F8 4B E3 AC 17 03 03 00  .r.~V.@).K......
0x04A0: 96 BC 46 F6 8E 10 78 3E 0E 3E 12 2B C6 09 1E 9C  ..F...x>.>.+....
0x04B0: C7 50 25 AA E8 3C 80 5F 1B 12 19 6C D1 D6 CA 38  .P%..<._...l...8
0x04C0: 29 F6 40 A6 9A 10 9C 8B E1 34 99 AE 11 CE E2 D5  ).@......4......
0x04D0: 79 84 4C C8 2D 9A D8 87 D9 35 20 63 2C CD 5F E1  y.L.-....5 c,._.
0x04E0: 4D 2C AB E0 D6 9B 50 A1 B3 7E 94 D4 A5 87 2F B5  M,....P..~..../.
0x04F0: 66 9B 3A FE CA 31 17 C9 C4 A1 50 53 75 C9 B1 16  f.:..1....PSu...
0x0500: 99 2E F6 CE 35 EF B2 DE 78 F8 23 E4 9C BE 2E 1D  ....5...x.#.....
0x0510: 4C 41 6C 2F 25 F4 D8 19 3E 4C EE DD 04 72 9D 72  LAl/%...>L...r.r
0x0520: 4B 16 C5 5F 08 90 F3 C4 B7 AA 5A DD 83 54 6D F9  K.._......Z..Tm.
0x0530: EF D7 D9 3C 4A 94 42 17 03 03 00 7C BC 46 F6 8E  ...<J.B....|.F..
0x0540: 10 78 3E 0F 32 9C CB 7A FF B5 88 2E 97 9F 24 F5  .x>.2..z......$.
0x0550: 27 3B 5D FE E6 42 1B 7F 65 7E 9B 70 AB B0 61 D3  ';]..B..e~.p..a.
0x0560: B4 96 F4 80 07 79 9B 9C 3A F5 EF 7D 7D E3 1D 5E  .....y..:..}}..^
0x0570: 75 4D 2C 1F EC B3 A5 12 E5 46 28 4D 05 65 0C E3  uM,......F(M.e..
0x0580: FC 5E CF 34 55 3D BC 06 A7 3C A6 55 73 E2 79 39  .^.4U=...<.Us.y9
0x0590: 1D 3E 9D 71 55 73 D9 AF ED 2B 20 A4 45 28 5F A8  .>.qUs...+ .E(_.
0x05A0: DC 56 00 98 F9 45 B8 9A 38 13 DB D2 4B 86 2F B2  .V...E..8...K./.
0x05B0: AB 34 97 F9 7E 46 95 78 17 03 03 00 61 BC 46 F6  .4..~F.x....a.F.
0x05C0: 8E 10 78 3E 10 57 EB FA 58 9E 36 17 AE C2 A7 D5  ..x>.W..X.6.....
0x05D0: 67 3F 9A 48 BB 65 1A 14 6A 92 C8 D4 A0 02 39 40  g?.H.e..j.....9@
0x05E0: EA 26 58 06 52 E0 78 34 A4 18 BC 24 A8 9E 4F 88  .&X.R.x4...$..O.
0x05F0: 23 5D B5 60 F8 4D C2 B2 CF 00 81 8F E3 2B 47 B6  #].`.M.......+G.
0x0600: CC 37 31 2D 25 BB D3 C2 E9 0F 32 D4 54 15 6B B5  .71-%.....2.T.k.
0x0610: 0D 63 FA F2 9C 25 85 40 46 E1 7E A0 3B 85 17 03  .c...%.@F.~.;...
0x0620: 03 00 6A BC 46 F6 8E 10 78 3E 11 3E 20 DF 1C B6  ..j.F...x>.> ...
0x0630: E0 6B 25 FF F7 13 92 3E 00 E7 A8 0B E2 8A ED 41  .k%....>.......A
0x0640: DE 7E 7C 7F 64 EF CF 46 20 93 03 1E 91 EF 31 48  .~|.d..F .....1H
0x0650: 66 21 7F 9C 99 11 1F 0C C9 62 3D A4 2F BC 72 F2  f!.......b=./.r.
0x0660: B2 EB 14 48 9C C2 ED 1A 68 E5 8E CE 31 ED FD A5  ...H....h...1...
0x0670: 60 38 0B 19 A1 38 C5 A6 24 2E 52 A2 30 18 3B 58  `8...8..$.R.0.;X
0x0680: 22 90 75 18 BE FB CD 7D 40 DE 97 20 9E 17 03 03  ".u....}@.. ....
0x0690: 00 5E BC 46 F6 8E 10 78 3E 12 65 66 BE DD 86 BE  .^.F...x>.ef....
0x06A0: 61 81 34 43 0A 08 E0 1D 08 85 E7 BF 44 0A E4 28  a.4C........D..(
0x06B0: FE 80 16 73 77 1D AD 53 DE 9F A7 79 BC 54 34 A7  ...sw..S...y.T4.
0x06C0: E7 FD 27 E4 8E E6 9F 2F 08 99 D5 5C 6E E6 D4 A8  ..'..../...\n...
0x06D0: 80 1D 26 3E 85 0D 6C BF 2E E3 4A F4 FF FE 52 FF  ..&>..l...J...R.
0x06E0: 27 CC 63 D6 E8 C0 61 A3 5D E6 30 51 18 78 F4 41  '.c...a.].0Q.x.A
0x06F0: 17 03 03 00 28 BC 46 F6 8E 10 78 3E 13 37 FA 11  ....(.F...x>.7..
0x0700: 5A 81 54 B8 4D 95 4B 71 7A 60 1F 5E 1B CF 84 03  Z.T.M.Kqz`.^....
0x0710: D6 09 C4 B3 D2 AB 2A ED 5C 86 7B 6F 19           ......*.\.{o.

I'd be curious what other details you can provide about this issue and its resolution. It is my understanding that using the "dsize" keyword will force a rule to not be applied against reassembled streams (except if PAF is enabled and supported, in which case it is applied against the PDU). I suggest a similar solution to this issue, but without making an exception for PAF.

Thanks!

-Mike Cox
Attachment:
simplex.pcap
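An added example, not part of the post above and not Snort code: it decodes the Ethernet/IPv4/TCP headers from the first four lines of the stream packet dump, confirms that the pseudo-packet carries Ack 0x0 and Win 0x0 under ***AP*** flags, and models the policy the post proposes (a rule using ack/seq/window is evaluated against raw segments only). The rule dictionary, the `rebuilt` flag standing in for whatever the stream preprocessor uses to mark its pseudo-packets, and the constructed comparison segment with a non-zero ack are assumptions of this model, not Snort internals.

```python
"""Added example (not Snort code): decode the TCP header of the stream
pseudo-packet dumped in the post and model the proposal that rules using
ack/seq/window are evaluated only against raw TCP segments."""
import struct

# First four lines of the "Stream Packet" hex dump from the post:
# Ethernet + IPv4 + TCP header (32 bytes, including the timestamp option).
STREAM_PACKET_HEX = (
    "00 0E B6 29 18 89 00 90 F5 AA 83 DA 08 00 45 00 "
    "07 0F F2 87 40 00 40 06 B1 4C C0 A8 61 A7 D0 44 "
    "A3 DA B5 D9 00 50 46 F9 9B 48 00 00 00 00 80 18 "
    "00 00 FC B0 00 00 01 01 08 0A 29 07 69 E1 CD CC"
)

SEGMENT_KEYWORDS = ("seq", "ack", "window")


def parse_tcp_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP and return the header fields a rule can
    test. Raises ValueError for anything that is not IPv4/TCP."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet/IPv4/TCP")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "window": window,
        "flags": off_flags & 0x01FF,      # NS CWR ECE URG ACK PSH RST SYN FIN
        "tcplen": (off_flags >> 12) * 4,  # header length including options
    }


def snort_flag_string(flags: int) -> str:
    """Render flags the way Snort's packet printer does: 12UAPRSF, '*' = clear."""
    return "".join(ch if flags & (1 << (7 - i)) else "*"
                   for i, ch in enumerate("12UAPRSF"))


def build_tcp_frame(seq: int, ack: int, window: int, flags: int = 0x018) -> bytes:
    """Constructed test input: a minimal Ethernet/IPv4/TCP frame with the same
    endpoints as the dump so a real-looking segment can be compared.
    Checksums are left zero; the parser does not verify them."""
    tcp = struct.pack("!HHIIHHHH", 46553, 80, seq, ack, (5 << 12) | flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([192, 168, 97, 167]), bytes([208, 68, 163, 218]))
    return bytes(12) + b"\x08\x00" + ip + tcp


def rule_matches(rule: dict, pkt: dict, rebuilt: bool, skip_rebuilt: bool = True) -> bool:
    """Evaluate the segment keywords of `rule` (a dict such as {"ack": 0}) against
    a parsed packet. `rebuilt` is this model's stand-in for the mark the stream
    preprocessor puts on pseudo-packets (an assumption, not Snort's structure).
    With skip_rebuilt=True, the post's proposal, such rules never see them."""
    uses_segment_kw = any(k in rule for k in SEGMENT_KEYWORDS)
    if rebuilt and uses_segment_kw and skip_rebuilt:
        return False
    return all(pkt[k] == v for k, v in rule.items() if k in SEGMENT_KEYWORDS)


def demo() -> dict:
    rule = {"ack": 0}  # the post's rule, minus msg/flow/sid
    pseudo = parse_tcp_frame(bytes.fromhex(STREAM_PACKET_HEX))
    # Constructed raw segment with a plausible non-zero ack and window.
    real = parse_tcp_frame(build_tcp_frame(seq=0x46F99B48, ack=0x1A2B3C4D, window=0x2000))
    return {
        "pseudo_flags": snort_flag_string(pseudo["flags"]),
        "pseudo_ack": pseudo["ack"],
        "pseudo_window": pseudo["window"],
        "alert_on_pseudo_today": rule_matches(rule, pseudo, rebuilt=True, skip_rebuilt=False),
        "alert_on_pseudo_proposed": rule_matches(rule, pseudo, rebuilt=True),
        "alert_on_real_segment": rule_matches(rule, real, rebuilt=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the pseudo-packet parsing to Ack 0x0, Win 0x0 and flags ***AP***, exactly as in the dump; the rule fires on it when segment keywords are evaluated on rebuilt packets and does not fire once they are restricted to raw segments, while the constructed real segment with a non-zero ack never matches either way.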
------------------------------------------------------------------------------
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!