[Snort-devel] new plugin for rules based on stream offset

Andreas Östling andreaso at ...387...
Sun Aug 4 08:55:02 EDT 2002


On Tue, 30 Jul 2002, Chris Green wrote:
...
> > always says the rebuilt stream is from the client, even when it
> > clearly prints out a rebuilt stream with output from the server.
> > On non-rebuilt packets, the PKT_FROM_SERVER/CLIENT is always correct.
>
> Ahh ok. I see the problem. You are right.  packet_flags should inherit
> from the packet it just ran through for stream assembler.
>
> committing changes now.

Unfortunately, I still have problems even with those changes applied.
I think I've got it worked out now though.

When using the latest cvs checkout and testing some ftp using a snort.conf
with only "preprocessor spp_stream4" and "preprocessor
stream4_reassemble", this is what I get:

...
spp_stream4.c:3401: Built packet with 25 byte payload, Direction:
from_server
spp_stream4.c:3415: packet is from server!
08/04-16:32:02.049344 127.0.0.1:23547 -> 127.0.0.1:21
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:65
***AP*** Seq: 0x7E9A430F  Ack: 0x5A6519BB  Win: 0x7FE8  TcpLen: 20
55 53 45 52 20 61 6E 6F 6E 79 6D 6F 75 73 0A 53  USER anonymous.S
59 53 54 0A 51 55 49 54 0A                       YST.QUIT.


This is clearly wrong since it's obviously not stuff from the server.

And similar when reassembling both sides:

...
spp_stream4.c:3401: Built packet with 130 byte payload, Direction:
from_server
spp_stream4.c:3415: packet is from server!
08/04-16:35:08.126807 127.0.0.1:21 -> 127.0.0.1:44969
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:170
***AP*** Seq: 0x2B7B4124  Ack: 0x444F2948  Win: 0x7FE8  TcpLen: 20
32 32 30 20 66 6F 6F 20 46 54 50 20 73 65 72 76  220 foo FTP serv
65 72 20 28 56 65 72 73 69 6F 6E 20 36 2E 35 2F  er (Version 6.5/
4F 70 65 6E 42 53 44 29 20 72 65 61 64 79 2E 0D  OpenBSD) ready..
0A 35 33 30 20 55 73 65 72 20 61 6E 6F 6E 79 6D  .530 User anonym
6F 75 73 20 75 6E 6B 6E 6F 77 6E 2E 0D 0A 35 33  ous unknown...53
30 20 50 6C 65 61 73 65 20 6C 6F 67 69 6E 20 77  0 Please login w
69 74 68 20 55 53 45 52 20 61 6E 64 20 50 41 53  ith USER and PAS
53 2E 0D 0A 32 32 31 20 47 6F 6F 64 62 79 65 2E  S...221 Goodbye.
0D 0A                                            ..

...

spp_stream4.c:3401: Built packet with 25 byte payload, Direction:
from_server
spp_stream4.c:3415: packet is from server!
08/04-16:35:08.126807 127.0.0.1:44969 -> 127.0.0.1:21
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:65
***AP*** Seq: 0x2B7B4124  Ack: 0x444F2948  Win: 0x7FE8  TcpLen: 20
55 53 45 52 20 61 6E 6F 6E 79 6D 6F 75 73 0A 53  USER anonymous.S
59 53 54 0A 51 55 49 54 0A                       YST.QUIT.


Both are claimed to be from server.
If I got this right, I don't think it's correct that stream_pkt
should inherit the FROM_CLIENT/SERVER flags directly from p.
Just when the stream is rebuilt, I guess p here is the very last packet
in the stream, which in the example above is the server ACK'ing the
client's FIN. Since this packet is from the server, the rebuilt stream(s)
is (incorrectly) marked to be from server as well. When the client ends
the session, both streams are instead marked to be from client (since the
last packet will be the client ACK'ing the server's FIN).

Since sp/dp in stream_pkt are still correct, I'm thinking it's better to
check those values against the current session's client.port/server.port.
With the attached patch applied, the same tests now yield these results
(it also fixes DebugMessage() so that it prints stream_pkt->packet_flags
instead of p->packet_flags, but that has nothing to do with the real
problem):

...
spp_stream4.c:3403: Built packet with 130 byte payload, Direction:
from_server
spp_stream4.c:3417: packet is from server!
08/04-16:57:39.004619 127.0.0.1:21 -> 127.0.0.1:33325
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:170
***AP*** Seq: 0x6B1B41CE  Ack: 0x1ECF72A0  Win: 0x7FE8  TcpLen: 20
32 32 30 20 66 6F 6F 20 46 54 50 20 73 65 72 76  220 foo FTP serv
65 72 20 28 56 65 72 73 69 6F 6E 20 36 2E 35 2F  er (Version 6.5/
4F 70 65 6E 42 53 44 29 20 72 65 61 64 79 2E 0D  OpenBSD) ready..
0A 35 33 30 20 55 73 65 72 20 61 6E 6F 6E 79 6D  .530 User anonym
6F 75 73 20 75 6E 6B 6E 6F 77 6E 2E 0D 0A 35 33  ous unknown...53
30 20 50 6C 65 61 73 65 20 6C 6F 67 69 6E 20 77  0 Please login w
69 74 68 20 55 53 45 52 20 61 6E 64 20 50 41 53  ith USER and PAS
53 2E 0D 0A 32 32 31 20 47 6F 6F 64 62 79 65 2E  S...221 Goodbye.
0D 0A                                            ..

...

spp_stream4.c:3403: Built packet with 25 byte payload, Direction:
from_client
spp_stream4.c:3412: packet is from client!
08/04-16:57:39.004619 127.0.0.1:33325 -> 127.0.0.1:21
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:65
***AP*** Seq: 0x6B1B41CE  Ack: 0x1ECF72A0  Win: 0x7FE8  TcpLen: 20
55 53 45 52 20 61 6E 6F 6E 79 6D 6F 75 73 0A 53  USER anonymous.S
59 53 54 0A 51 55 49 54 0A                       YST.QUIT.


This is more like it, and it works regardless of who ends the session.
I may have overlooked other things, but this works for me so far.

Regards,
Andreas Östling
-------------- next part --------------
--- spp_stream4.c.org	Sun Aug  4 16:55:31 2002
+++ spp_stream4.c	Sun Aug  4 17:17:03 2002
@@ -3279,6 +3279,7 @@
 void BuildPacket(Stream *s, u_int32_t stream_size, Packet *p, int direction)
 {
     BuildData bd;
+    Session *ssn;
     
     stream_pkt->pkth->ts.tv_sec = p->pkth->ts.tv_sec;
     stream_pkt->pkth->ts.tv_usec = p->pkth->ts.tv_usec;
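Review bot: the new `Session *ssn;` is declared uninitialized at the top of BuildPacket and is only assigned about a hundred lines later in the next hunk; since the signature in this hunk shows BuildPacket already receives an `int direction` argument, it is worth checking whether that argument already says which side's stream is being rebuilt, in which case the flag could be set from it and the session lookup dropped. If the lookup stays, declare `ssn` next to its use or initialize it to NULL here so the compiler can flag any read before the assignment.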
@@ -3384,21 +3385,22 @@
     stream_pkt->tcp_lastopt_bad = 0;
     stream_pkt->packet_flags = (PKT_REBUILT_STREAM|PKT_STREAM_EST);
 
-    if(p->packet_flags & PKT_FROM_SERVER)
+    ssn = p->ssnptr;
+
+    if(stream_pkt->sp == ssn->client.port)
     {
-        stream_pkt->packet_flags |= PKT_FROM_SERVER;
+        stream_pkt->packet_flags |= PKT_FROM_CLIENT;
     }
-    
-    if(p->packet_flags & PKT_FROM_CLIENT)
+    else
     {
-        stream_pkt->packet_flags |= PKT_FROM_CLIENT;
+        stream_pkt->packet_flags |= PKT_FROM_SERVER;
     }
     
     DEBUG_WRAP(DebugMessage(DEBUG_STREAM,
                             "Built packet with %u byte payload, "
                             "Direction: %s\n",
                             stream_pkt->dsize,
-                            (p->packet_flags & PKT_FROM_SERVER) ? "from_server" : "from_client"););
+                            (stream_pkt->packet_flags & PKT_FROM_SERVER) ? "from_server" : "from_client"););
 
     pc.rebuilt_tcp++;
 


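An added example (not Snort's code and not part of the post) that models the reasoning in the message above in plain C: the pre-patch rule that inherits direction from the triggering packet p, beside the patched port comparison, run over the post's hypothesis that p is the final ACK of the session close. The struct layouts, flag values and the flush_trigger helper are assumptions made for this model.

```c
#include <stddef.h>
#include <stdint.h>
/* Flag values are constructed for this example; Snort's real bit values differ. */
#define PKT_FROM_SERVER 0x01u
#define PKT_FROM_CLIENT 0x02u

typedef struct { uint16_t port; } Side;            /* stand-in for Snort's per-side state */
typedef struct { Side client; Side server; } Session;
typedef struct { uint16_t sp, dp; unsigned packet_flags; } Packet;

/* Pre-patch rule: the rebuilt packet copies the FROM_* bits of p, the packet that
 * triggered the flush, regardless of which side's data is being rebuilt. */
unsigned dir_inherited(const Packet *p)
{
    return p->packet_flags & (PKT_FROM_SERVER | PKT_FROM_CLIENT);
}

/* Post-patch rule: classify by the rebuilt packet's own source port against the
 * session's client port. The NULL guard is added here; the posted patch has none. */
unsigned dir_by_port(const Session *ssn, uint16_t rebuilt_sp)
{
    if (ssn == NULL)
        return 0u;                                 /* direction unknown */
    return (rebuilt_sp == ssn->client.port) ? PKT_FROM_CLIENT : PKT_FROM_SERVER;
}

/* The post's hypothesis: at session end p is the final ACK of the FIN/ACK
 * exchange, which is sent by the side that did NOT close first. */
Packet flush_trigger(const Session *s, int client_closes_first)
{
    Packet from_client = { s->client.port, s->server.port, PKT_FROM_CLIENT };
    Packet from_server = { s->server.port, s->client.port, PKT_FROM_SERVER };
    return client_closes_first ? from_client : from_server;
}

/* Flags given to the rebuilt client stream (high byte) and server stream (low
 * byte) for the post's FTP session 127.0.0.1:23547 -> 127.0.0.1:21. */
unsigned rebuilt_dirs_inherited(int client_closes_first)
{
    Session s = { { 23547 }, { 21 } };
    Packet p = flush_trigger(&s, client_closes_first);
    return (dir_inherited(&p) << 8) | dir_inherited(&p);  /* both streams get p's flag */
}

unsigned rebuilt_dirs_by_port(int client_closes_first)
{
    Session s = { { 23547 }, { 21 } };
    (void)client_closes_first;                     /* who closed first no longer matters */
    return (dir_by_port(&s, s.client.port) << 8) | dir_by_port(&s, s.server.port);
}
```

Under inheritance both rebuilt streams carry whichever flag the closing side's final ACK had, so the result flips with who ends the session; the port rule gives client/server for every ordering.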