[Snort-devel] New detection engine: uninvited packets

guano at ...2048...
Sun Jun 22 10:23:02 EDT 2003


Hi,

I have just finished testing a new detection engine for snort.
It checks for "uninvited" network traffic.
Rather than posting all the source code to the newsgroup, I have
uploaded it to my web site:
  http://www.hackerfactor.com/
  Select "Public Projects"
  Select "Snort uninvited detection engine"
You can download the snort.uninvited.tar.Z there, and also find
installation and usage instructions.
(Sorry for the round-about download method, but it cuts down on spam.)

What is the "uninvited" detection engine?
The "uninvited" detection engine looks for any inbound packets that are not
part of a reply.  It is intended for use outside a low-volume firewall, such
as a DSL or cable modem.  In this low-volume situation, there should be few
network sessions that initiate from outside the firewall.  Rather, requests
generally initiate from within the firewall, and then remote systems reply
to the requests.  These replies are "invited" by the local host.  In
contrast, if the initial packet (request) comes from outside the firewall,
then the packet and the entire session are "uninvited".

Note: "uninvited" does not mean "unwelcome".  If you run a web server, then
you probably expect uninvited traffic on port 80/tcp. 

This detection engine works by tracking all source and destination IP
addresses, ports, and protocols (s/d/p/p), and comparing them with both
previously seen s/d/p/p and with the IP address (or subnet) of the host
system. 

- If neither source nor destination match the host system, then the traffic
  is uninvited.  On a cable, DSL, or regular modem, there should be no
  adjacent IP traffic on the line. 
- If s/d/p/p starts a session and originates from the host, then the entire
  session is "invited". 
- If s/d/p/p starts a session and originates from outside the host, then the
  entire session is "uninvited". 

The tracked sessions time out after a period of inactivity.
- A remote TCP.SYN request times out after 10 seconds.  This fast timeout
  prevents port scans from consuming all tracked session ids.  In addition,
  the local system should be able to respond within 10 seconds.  For bigger
  servers, this timeout could be reduced to 2 seconds. (There is a slack of
  0.9 seconds in the timings.)
- A local TCP.SYN request times out after 30 seconds.  This slow timeout
  assumes that the external network connection could be slow.
- An established TCP session (SYN,ACK and ACKs after the initial SYN) times
  out after 30 minutes.  For long idle sessions, you may wish to increase this
  time.
- A TCP session changes to a 30-second timeout after a TCP.FIN or TCP.RST
  is observed.
- A non-TCP session (e.g., UDP or ICMP) times out after 5 minutes.
  In addition, since ICMP packets may be in reply to a UDP or TCP request,
  the system will match these ICMP packets (e.g., ICMP host unreachable or
  TTL expired) with established TCP/UDP tracked sessions.
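The classification and timeout rules above, as an added standalone illustration (not the engine's own code from the tarball): it assumes the host sits on 192.0.2.0/24, takes TCP flags as a letter string such as "SA", and passes an ICMP error's quoted inner header as the `inner` tuple; the 0.9 second slack is not modelled.

```python
from ipaddress import ip_address, ip_network

HOST_NET = ip_network("192.0.2.0/24")  # assumed local subnet (RFC 5737 range)
# Inactivity timeouts in seconds, as listed in the post.
T_REMOTE_SYN, T_LOCAL_SYN, T_ESTABLISHED, T_CLOSING, T_NON_TCP = 10, 30, 1800, 30, 300

def session_key(src, sport, dst, dport, proto):
    """Direction-independent s/d/p/p key so a reply maps onto its request."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

class UninvitedTracker:
    def __init__(self):
        self.sessions = {}  # key -> [origin ("local"/"remote"), expiry time]

    def classify(self, ts, src, sport, dst, dport, proto, flags="", inner=None):
        """Label one packet 'invited', 'uninvited' or 'adjacent'.  `inner` is the
        (src, sport, dst, dport, proto) tuple quoted inside an ICMP error."""
        local_src, local_dst = ip_address(src) in HOST_NET, ip_address(dst) in HOST_NET
        if not local_src and not local_dst:
            return "adjacent"  # neither side is us: should not appear on a modem link
        if proto == "icmp" and inner is not None:  # ICMP error about a tracked session
            sess = self.sessions.get(session_key(*inner))
            if sess and sess[1] >= ts:
                return "invited" if sess[0] == "local" else "uninvited"
        key = session_key(src, sport, dst, dport, proto)
        sess = self.sessions.get(key)
        if sess and sess[1] < ts:  # idle past its timeout: forget it
            del self.sessions[key]
            sess = None
        if sess is None:  # first packet of a session decides who invited whom
            sess = self.sessions[key] = ["local" if local_src else "remote", 0]
            ttl = T_NON_TCP if proto != "tcp" else (T_LOCAL_SYN if local_src else T_REMOTE_SYN)
        elif proto != "tcp":
            ttl = T_NON_TCP
        elif "F" in flags or "R" in flags:  # FIN/RST seen: short closing timeout
            ttl = T_CLOSING
        elif "A" in flags:  # SYN/ACK or ACK: established session
            ttl = T_ESTABLISHED
        else:  # retransmitted SYN: keep the handshake timeout
            ttl = T_LOCAL_SYN if sess[0] == "local" else T_REMOTE_SYN
        sess[1] = ts + ttl
        return "invited" if sess[0] == "local" else "uninvited"

def demo():
    # Constructed trace: our web request and its reply, an inbound SSH probe, stray traffic.
    t, L, R, X = UninvitedTracker(), "192.0.2.10", "198.51.100.5", "203.0.113.7"
    return [t.classify(0.0, L, 40000, R, 80, "tcp", "S"),
            t.classify(0.1, R, 80, L, 40000, "tcp", "SA"),
            t.classify(1.0, X, 5555, L, 22, "tcp", "S"),
            t.classify(2.0, X, 5555, R, 80, "tcp", "S")]
```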

I am open to feedback and comments on this engine.
(And if there is a better way to post new engines, please let me know.)

					-guano

ps. I am posting this to snort-devel at the suggestion of Erek Adams.