Snort mailing list archives

Re: Rules using segment keywords shouldn't be applied to reassembled streams


From: Russ <rucombs () cisco com>
Date: Wed, 4 Nov 2015 10:31:03 -0500

Good points Mike. Snort++ is moving in this direction. If you don't load legacy rules, tcp rules are applied to raw tcp segments only. It is still possible to write "broken rules" though, such as alert http with seq. These will become errors at some point.

In Snort, ack and window are set for reassembled packets based on the actual values in the segments reassembled. In general, they won't be zero, but those are valid values. In Snort++, reassembled packets are just reassembled buffers associated with a flow so none of these apply.

dsize should generally not be used for raw segments or reassembled PDUs but a case can be made for each. It is potentially more reliable with PDUs since the arbitrary segmentation has been eliminated.

On 11/4/15 8:15 AM, Mike Cox wrote:
I propose that rules using the "ack", "seq", and "window" keywords not be applied against reassembled streams. Since these values only apply to TCP segments, it only makes sense to evaluate them in that context. In fact, not doing so can create non-trivial false positives, especially in cases where the sensor only sees one side of the traffic (simplex) due to routing, switching, or other myriad setups that exist in production networks more than you think.

I have attached an example pcap. If you run it thru Snort with the following rule, you will see an alert when you should not. You will want to configure the normalize preprocessor such that Snort's flushing policy is Footprint-IPS (or Protocol-IPS should work too I think).

alert tcp any any -> any any (msg:"ACK with zero value found"; flow:established,to_server; ack:0; sid:12349999;)

The streams preprocessor ends up setting the ACK value on the reassembled ("pseudo" or "stream") packet to zero which causes a false positive alert. Here is the stream packet with PAF enabled (you can run it without PAF enabled and get multiple hits). You can see that the "Ack" and "Win" values are "0x0" even though this is not the case for any of the actual segments in the pcap:

+++++++++++++++++++Stream Packet+++++++++++++++++++++
01/30-13:56:04.466490 192.168.97.167:46553 -> 208.68.163.218:80
TCP TTL:64 TOS:0x0 ID:62087 IpLen:20 DgmLen:1807 DF
***AP*** Seq: 0x46F99B48 Ack: 0x0  Win: 0x0 TcpLen: 32

I'd be curious what other details you can provide about this issue and its resolution. It is my understanding that using the "dsize" keyword will force a rule to not be applied against reassembled streams (except if PAF is enabled and supported, in which case it is applied against the PDU). I suggest a similar solution to this issue but without making an exception for PAF.

Thanks!

-Mike Cox
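To make the false positive concrete, here is an added example (not Snort code, and not from either poster) that models the evaluation Mike describes: a minimal parser for the rule's options, constructed client segments with real non-zero Ack/Win values, a stream pseudo packet whose Ack and Win come out as 0x0 as in the dump above, and a toggle for the proposed behaviour of not applying seq/ack/window rules to reassembled packets at all. The Packet fields, the segment values and the reassemble model are assumptions made for the illustration.

```python
from dataclasses import dataclass

SEGMENT_KEYWORDS = ("seq", "ack", "window")  # only meaningful on a raw TCP segment


@dataclass
class Packet:
    seq: int
    ack: int
    window: int
    payload: bytes
    reassembled: bool = False  # True for a stream "pseudo" packet built by reassembly


def parse_options(rule: str) -> dict:
    """Pull key:value options out of the parenthesised part of a Snort rule (flow is parsed but ignored)."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {}
    for item in filter(None, (s.strip() for s in body.split(";"))):
        key, _, value = item.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    return opts


def reassemble(segments):
    """Model of the stream packet shown in the dump: payloads concatenated, Ack and Win reported as 0x0."""
    return Packet(seq=segments[0].seq, ack=0, window=0,
                  payload=b"".join(s.payload for s in segments), reassembled=True)


def matches(opts, pkt, skip_segment_kw_on_streams):
    """Evaluate only the seq/ack/window options against one packet."""
    if pkt.reassembled and skip_segment_kw_on_streams and any(k in opts for k in SEGMENT_KEYWORDS):
        return False  # proposed behaviour: segment keywords are evaluated on raw segments only
    for kw in SEGMENT_KEYWORDS:
        if kw in opts and getattr(pkt, kw) != int(opts[kw], 0):
            return False
    return True


RULE = 'alert tcp any any -> any any (msg:"ACK with zero value found"; flow:established,to_server; ack:0; sid:12349999;)'

# Constructed sample: two client segments whose Ack/Win values are real and non-zero.
SEGMENTS = [Packet(0x46F99B48, 0x1A2B3C4D, 0xFCB0, b"<stream:stream to='jabber.org'"),
            Packet(0x46F99B48 + 30, 0x1A2B3C4D, 0xFCB0, b"><starttls/>")]


def alerts(rule=RULE, segments=SEGMENTS, fix=False):
    """Return the packets (raw segments plus the stream packet) the rule fires on."""
    opts = parse_options(rule)
    return [p for p in segments + [reassemble(segments)] if matches(opts, p, fix)]
```

With `fix=False` the only hit is the reassembled packet, reproducing the false positive; with `fix=True` the rule fires on nothing, since no real segment carries Ack 0.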

------------------------------------------------------------------------------


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
