[Snort-devel] Header mixup Bug in Snort 2.0?

Erik Norman carl_erik.norman at ...2033...
Mon Jun 16 12:30:11 EDT 2003


Hi all,

This issue has been confirmed as a bug with Snort 2.0, but *not* with Snort
current (b087). So unless anyone wants to dig deeper, I'll leave it at that.
Thanks to rmkml at ...1042... for help, input, and commitment to Snort.


For the curious:

I isolated a tcpdump file containing two tcp sessions. When testing the two
sessions separately, no alarm was triggered. When testing the two in the
same file, several alarms of the same type (uid=...) were triggered. Not
good :-)

The bug was verified to exist on two different platforms (Linux 2.2.16 &
NetBSD 1.6.1). Regrettably, I cannot send/publish the raw data.




Thank you for Snort, guys.


/E

> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net 
> [mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of 
> Erik Norman
> Sent: 12 June 2003 14:46
> To: snort-devel at lists.sourceforge.net
> Subject: [Snort-devel] Header mixup Bug in Snort 2.0?
> 
> 
> 
> Hi all,
> 
> I've run across some faulty reporting, where a certain packet 
> correctly generates an alarm, but where the header 
> information (IP, ports etc.) is from another packet! It's a 
> Bad Thing. Since I also have a complete tcpdump log of 
> everything, I feel rather sure what I'm talking about.
> 
> I'm administrating the IDS for a customer, so I have the need 
> to strictly anonymize the data, but will try to help however I can.
> 
> All details can be found below.
> 
> Now what? (Personal-brain-dump: old Libpcap version, strange home-net
> definition...)
> 
> 
> 
> BTW, Snort rocks :-)
> 
> /Erik Norman
> 
> 
> 
> Setup:
> ------
> Snort 2.0 on NetBSD 1.6.1
> Tcpdump 3.7.1
> Libpcap 0.4
> 
> Rule in question:
> -----------------
> alert ip $HOME_NET any -> $EXTERNAL_NET !80 (msg:"Backdoor 
> indication, id check returned userid"; content:"uid="; 
> byte_test:5,<,65537,0,relative,string; 
> classtype:backdoor-indication; sid:1882; rev:4;)
> 
> Note that it's a rule from snort-current, but with altered 
> classification.
> 
> 
> Notation:
> ---------
> IP A1 and A2 are internal addresses ($HOME_NET) and IP B and 
> C are two different external addresses. Both B and C appear 
> in normal communication from the company in question.
> 
> 
> Reported alarm, from the file /var/log/snort/B.B.B.11/TCP\:3152-25:
> -------------------------------------------------------------------
> [**] Backdoor indication, id check returned userid [**]
> 06/11-10:23:42.329705 A1.A1.A1.204:3152 -> B.B.B.11:25
> TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:658
> ***AP*** Seq: 0x3959F78C  Ack: 0xED87141A  Win: 0xFAF0  TcpLen: 20
> 47 45 54 20 2F 63 6F 6D 6D 75 6E 69 74 79 2F 73  GET /community/s
> 70 65 6C 2F 69 6D 61 67 65 73 2F 72 61 6E 6B 5F  pel/images/rank_
> 31 2E 67 69 66 20 48 54 54 50 2F 31 2E 31 0D 0A  1.gif HTTP/1.1..
> 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65 66  Accept: */*..Ref
> 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 74 76 34  erer: http://tv4
> 2E 73 65 2F 63 6F 6D 6D 75 6E 69 74 79 2F 73 70  .se/community/sp
> 65 6C 2F 75 73 65 72 69 6E 66 6F 2E 61 73 70 78  el/userinfo.aspx
> 3F 75 69 64 3D 7B 32 46 33 36 32 41 35 36 2D 35  ?uid={2F362A56-5
> ---snip---
> 
> 
> And this is from tcpdump:
> -------------------------
> 
> 10:23:42.304287 A2.A2.A2.1919 > C.C.C.132.www: . 1:1461(1460) ack 1 win 8760 (DF)
> 0x0000   4500 05dc ea1c 4000 7f06 0372 7e01 05f9        E.....@....r~...
> 0x0010   930e f184 077f 0050 006f a0e3 d2cd 744f        .......P.o....tO
> 0x0020   5010 2238 c34f 0000 4745 5420 2f63 6f6d        P."8.O..GET./com
> 0x0030   6d75 6e69 7479 2f73 7065 6c2f 696d 6167        munity/spel/imag
> 0x0040   6573 2f72 616e 6b5f 312e 6769 6620 4854        es/rank_1.gif.HT
> 0x0050   5450 2f31 2e31 0d0a 4163 6365 7074 3a20        TP/1.1..Accept:.
> 0x0060   2a2f 2a0d 0a52 6566 6572 6572 3a20 6874        */*..Referer:.ht
> 0x0070   7470 3a2f 2f74 7634 2e73 652f 636f 6d6d        tp://tv4.se/comm
> 0x0080   756e 6974 792f 7370 656c 2f75 7365 7269        unity/spel/useri
> 0x0090   6e66 6f2e 6173 7078 3f75 6964 3d7b 3246        nfo.aspx?uid={2F
> --snip --
> 
> 
> 
> Snort.conf
> ----------
> var HOME_NET X.X.0.0/21 X.X.8.0/24
> var EXTERNAL_NET !$HOME_NET
> var DNS_SERVERS $HOME_NET
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
> var RULE_PATH .
> preprocessor frag2
> preprocessor stream4: detect_scans, disable_evasion_alerts
> preprocessor stream4_reassemble
> preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
> preprocessor bo: -nobrute
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> preprocessor portscan-ignorehosts: [ --usual hosts snipped----]
> preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
> output alert_syslog: LOG_LOCAL4
> include classification.config
> include reference.config
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/tftp.rules
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/snmp.rules
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/pop3.rules
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/other-ids.rules
> include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/backdoor.rules
> include $RULE_PATH/shellcode.rules
> include $RULE_PATH/policy.rules
> include $RULE_PATH/chat.rules
> include $RULE_PATH/multimedia.rules
> include $RULE_PATH/p2p.rules
> include $RULE_PATH/local.rules
> 
> 
> 
> 
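The cross-check the poster did by hand (comparing the hex dump Snort printed with the alert against the tcpdump log of the same minute) can be scripted. The following is an added example, not code from the thread or from the Snort project: it decodes a Snort 2.0 text alert and a tcpdump -x style dump, extracts the 5-tuple and TCP payload from each, and reports whether the header Snort printed belongs to the packet that actually carries the alerted bytes. The addresses are constructed RFC 5737 placeholders standing in for the post's A1/A2/B/C, the IP checksum in the constructed dump is zeroed, the capture is truncated as in the original, and the function names are this example's own.

```python
"""Added example: does a Snort alert's header match the packet carrying its payload?

Not from the original post or from Snort. Addresses are constructed RFC 5737
placeholders for the thread's A1/A2/B/C; the HTTP bytes are the ones quoted there.
"""
import re
from ipaddress import IPv4Address

# Constructed alert in Snort 2.0's text format (placeholder addresses).
SNORT_ALERT = """\
[**] Backdoor indication, id check returned userid [**]
06/11-10:23:42.329705 192.0.2.204:3152 -> 203.0.113.11:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:658
***AP*** Seq: 0x3959F78C  Ack: 0xED87141A  Win: 0xFAF0  TcpLen: 20
47 45 54 20 2F 63 6F 6D 6D 75 6E 69 74 79 2F 73  GET /community/s
70 65 6C 2F 69 6D 61 67 65 73 2F 72 61 6E 6B 5F  pel/images/rank_
31 2E 67 69 66 20 48 54 54 50 2F 31 2E 31 0D 0A  1.gif HTTP/1.1..
41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65 66  Accept: */*..Ref
65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 74 76 34  erer: http://tv4
2E 73 65 2F 63 6F 6D 6D 75 6E 69 74 79 2F 73 70  .se/community/sp
65 6C 2F 75 73 65 72 69 6E 66 6F 2E 61 73 70 78  el/userinfo.aspx
3F 75 69 64 3D 7B 32 46 33 36 32 41 35 36 2D 35  ?uid={2F362A56-5
"""

# Constructed tcpdump -x dump of a *different* session carrying the same request
# (IP checksum zeroed; truncated like the original, so 120 payload bytes remain).
TCPDUMP_HEX = """\
10:23:42.304287 192.0.2.10.1919 > 198.51.100.132.www: . 1:1461(1460) ack 1 win 8760 (DF)
0x0000   4500 05dc ea1c 4000 7f06 0000 c000 020a
0x0010   c633 6484 077f 0050 006f a0e3 d2cd 744f
0x0020   5010 2238 c34f 0000 4745 5420 2f63 6f6d
0x0030   6d75 6e69 7479 2f73 7065 6c2f 696d 6167
0x0040   6573 2f72 616e 6b5f 312e 6769 6620 4854
0x0050   5450 2f31 2e31 0d0a 4163 6365 7074 3a20
0x0060   2a2f 2a0d 0a52 6566 6572 6572 3a20 6874
0x0070   7470 3a2f 2f74 7634 2e73 652f 636f 6d6d
0x0080   756e 6974 792f 7370 656c 2f75 7365 7269
0x0090   6e66 6f2e 6173 7078 3f75 6964 3d7b 3246
"""

ALERT_HDR = re.compile(r"^\S+ ([\d.]+):(\d+) -> ([\d.]+):(\d+)", re.M)
# Snort dump line: uppercase hex pairs, one space each, then a second space and ASCII.
ALERT_DUMP = re.compile(r"^((?:[0-9A-F]{2} )+) ")
TCPDUMP_LINE = re.compile(r"^\s*0x[0-9a-fA-F]{4}:?\s+(.*)$")


def parse_snort_alert(text):
    """Return the alert's (src, sport, dst, dport) and the payload bytes it printed."""
    m = ALERT_HDR.search(text)
    if m is None:
        raise ValueError("no 'src:port -> dst:port' line in alert")
    payload = bytearray()
    for line in text.splitlines():
        d = ALERT_DUMP.match(line)
        if d:
            payload += bytes.fromhex(d.group(1))
    return {"tuple": (m[1], int(m[2]), m[3], int(m[4])), "payload": bytes(payload)}


def parse_tcpdump_hex(text):
    """Collect the raw bytes of one packet from tcpdump -x / -X hex lines."""
    frame = bytearray()
    for line in text.splitlines():
        t = TCPDUMP_LINE.match(line)
        if not t:
            continue
        for tok in t.group(1).split():
            if not re.fullmatch(r"[0-9a-fA-F]{4}", tok):
                break  # anything else is the -X ASCII column
            frame += bytes.fromhex(tok)
    return bytes(frame)


def decode_ipv4_tcp(frame):
    """Pull the 5-tuple and TCP payload out of a raw (possibly truncated) IPv4/TCP packet."""
    if len(frame) < 40 or frame[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    if frame[9] != 6:
        raise ValueError("not TCP")
    ihl = (frame[0] & 0x0F) * 4
    src, dst = str(IPv4Address(frame[12:16])), str(IPv4Address(frame[16:20]))
    tcp = frame[ihl:]
    sport, dport = int.from_bytes(tcp[0:2], "big"), int.from_bytes(tcp[2:4], "big")
    doff = (tcp[12] >> 4) * 4  # TCP data offset, in 32-bit words
    return {"tuple": (src, sport, dst, dport), "payload": tcp[doff:]}


def check_attribution(alert_text, dump_text, min_overlap=64):
    """payload_match=True with header_match=False is the symptom the thread describes.

    min_overlap stops a short shared prefix such as "GET /" from counting as a match.
    """
    alert = parse_snort_alert(alert_text)
    packet = decode_ipv4_tcp(parse_tcpdump_hex(dump_text))
    n = min(len(alert["payload"]), len(packet["payload"]))
    return {
        "alert_tuple": alert["tuple"],
        "packet_tuple": packet["tuple"],
        "overlap": n,
        "payload_match": n >= min_overlap and alert["payload"][:n] == packet["payload"][:n],
        "header_match": alert["tuple"] == packet["tuple"],
    }


if __name__ == "__main__":
    r = check_attribution(SNORT_ALERT, TCPDUMP_HEX)
    verdict = "misattributed header" if r["payload_match"] and not r["header_match"] else "consistent"
    print(r["alert_tuple"], "vs", r["packet_tuple"], "->", verdict)
```

Run against a real incident, the dump text would be the packet tcpdump shows at the alert's timestamp; a "misattributed header" verdict across several alerts is what distinguishes a reporting bug like this one from a rule that is simply too broad.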