[Snort-devel] Bug in Snort 2.0

Tom Danielsen tom at ...1966...
Fri May 2 18:53:17 EDT 2003


We have experienced a lot of false positives after upgrading
to Snort 2.0, regarding these SIDs:

    1549, rev 9     (smtp HELO overflow)
    1838, rev 4     (ssh banner overflow)

These signatures look for HELO (and SSH-) packets that do
not contain a LF within a few hundred bytes.

What happens is that by the time the packet is run through the
rules the packet has been truncated (and otherwise modified)
so the LF is no longer present in the packet, and an alarm is
generated.

The problem seems to be within one of the preprocessors; when
we run two parallel Snort instances on the same machine, one
with preprocessors and one with no preprocessors, only the one
with the preprocessors enabled logs alarms.

preprocessor config:

preprocessor frag2: ttl_limit 0, memcap 33554432, timeout 240, detect_state_problems
preprocessor stream4: memcap 536870912, ttl_limit 0, detect_scans, disable_evasion_alerts, log_flushed_streams
preprocessor stream4_reassemble: both, ports all
preprocessor http_decode: 80 3128 8080 8000 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor telnet_decode

packets:

On the snort sensor
===================

$ tcpdump -r helo-snort.log -vvv -X -x -s 0 -n port 40227 and host SERVER
16:26:35.361570 CLIENT.40227 > SERVER.25: P [bad tcp cksum a237!] 3059831023:3059831032(9) ack 2672294989
win 24840 [tos 0x10]  (ttl 240, id 0, len 49, bad cksum 0!)
0x0000   4510 0031 0000 0000 f006 0000 *CLI ENT*        E..1............
0x0010   *SER VER* 9d23 0019 b661 50ef 9f47 fc4d        .....#...aP..G.M
0x0020   5018 6108 0000 0000 4845 4c4f 20** ****        P.a.....HELO.abc
0x0030   **                                             d

On the snort sensor, w/o preprocessors
======================================

$ tcpdump -r helo-tcpdump-snort.log -vvv -X -x -s 0 -n port 40227 and host CLIENT
16:26:35.134816 CLIENT.40227 > SERVER.25: P [tcp sum ok] 1:18(17) ack 38 win 9660 (DF) (ttl 255, id 44122,
len 57)
0x0000   4500 0039 ac5a 4000 ff06 90d7 *CLI ENT*        E..9.Z at ...1227...
0x0010   *SER VER* 9d23 0019 9f47 e734 b661 5085        .....#...G.4.aP.
0x0020   5018 25bc 7b0b 0000 4845 4c4f 20** ****        P.%.{...HELO.abc
0x0030   **** **** **** **0d 0a                         defghij..

Note:

- the packet, as captured without preprocessors, looks normal
  (not long, ends in CRLF).
- the sequence (SEQ/ACK) numbers seem to be swapped, but are
  not equal (b66150ef,9f47fc4d vs 9f47e734,b6615085).
- TOS set in packet (it is really not).
- length is wrong.
- IP id is 0000 -> wrong.
- TTL is 240 -> wrong.
- checksum is 0000 -> wrong.
- TCP window is different.
- TCP checksum is 0000 -> wrong.


The machine is running FreeBSD 4.8.


regards,
    Tom Danielsen



-- 
Tom Danielsen, tom at ...1966..., http://mnemonic.no/~tom/, +47 909 57 202
mnemonic as, http://mnemonic.no/, +47 22 999 700
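The following script is an added example by the editor, not code from the post above or from the Snort project. It transcribes the two tcpdump -X dumps from the post into raw bytes, decodes the IP/TCP headers, and re-runs the HELO check in two forms: the "no LF in the line" form the poster describes, which fires on the truncated copy, and a stricter form that requires the overlong line to actually be present, which does not. Everything the poster masked is filled in with constructed placeholders (10.0.0.1 and 10.0.0.2 for CLIENT and SERVER, the letters "abcd..." under the `**` bytes), and the 500-byte line limit and the match logic are simplifications assumed here, not the text of SID 1549 rev 9.

```python
"""Decode the two tcpdump -X dumps from the post and re-run a HELO
"no LF" check against each (added example, not Snort's own code)."""
import struct

# CONSTRUCTED placeholders for the bytes the poster masked as *CLI ENT*,
# *SER VER* and **. The real addresses and the letters under ** are not on
# the page; 10.0.0.1 -> 10.0.0.2 and "abcd..." are assumptions chosen so
# the dumps decode to the lengths the IP headers declare (49 and 57 bytes).
CLIENT = bytes([10, 0, 0, 1]).hex()
SERVER = bytes([10, 0, 0, 2]).hex()

# Packet as logged by the instance running the preprocessors (len 49).
WITH_PREPROC = bytes.fromhex(
    "4510 0031 0000 0000 f006 0000" + CLIENT + SERVER
    + "9d23 0019 b661 50ef 9f47 fc4d 5018 6108 0000 0000"
    + "4845 4c4f 20" + b"abcd".hex()
)

# The same HELO as captured without preprocessors (len 57, ends in CR LF).
WITHOUT_PREPROC = bytes.fromhex(
    "4500 0039 ac5a 4000 ff06 90d7" + CLIENT + SERVER
    + "9d23 0019 9f47 e734 b661 5085 5018 25bc 7b0b 0000"
    + "4845 4c4f 20" + b"abcdefghij".hex() + "0d0a"
)

# Assumed line limit standing in for the rule's "few hundred bytes".
LINE_LIMIT = 500


def decode(pkt):
    """Parse the IPv4 and TCP headers; return the fields the post compares."""
    (ver_ihl, tos, total_len, ident, _frag, ttl, proto,
     ip_csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    assert proto == 6, "expected TCP"
    ihl = (ver_ihl & 0x0F) * 4
    (_sport, _dport, seq, ack, off_res, _flags, window,
     tcp_csum, _urg) = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    doff = (off_res >> 4) * 4
    return {
        "tos": tos, "len": total_len, "captured": len(pkt), "id": ident,
        "ttl": ttl, "ip_csum": ip_csum, "seq": seq, "ack": ack,
        "window": window, "tcp_csum": tcp_csum,
        "payload": pkt[ihl + doff:total_len],
    }


def helo_without_lf(payload, limit=LINE_LIMIT):
    """The check as the poster describes it: HELO with no LF within
    `limit` bytes. It keys on the ABSENCE of a byte, so a payload that was
    cut off before its CR LF fires even though the real line was short."""
    if not payload[:5].upper().startswith(b"HELO "):
        return False
    return b"\n" not in payload[:limit]


def helo_overlong(payload, limit=LINE_LIMIT):
    """Editor's stricter variant: require `limit` bytes of non-LF data to be
    PRESENT (isdataat-style). A truncated packet cannot satisfy this."""
    if not payload[:5].upper().startswith(b"HELO "):
        return False
    line = payload[:limit]
    return len(line) >= limit and b"\n" not in line


def differing_fields(a, b):
    """Header fields that differ between the two copies of the packet."""
    return sorted(k for k in a if k != "payload" and a[k] != b[k])


def seq_ack_swapped(a, b):
    """True only if a's SEQ/ACK are exactly b's ACK/SEQ (the post says the
    numbers look swapped but are not equal, so this returns False)."""
    return a["seq"] == b["ack"] and a["ack"] == b["seq"]


if __name__ == "__main__":
    pre, raw = decode(WITH_PREPROC), decode(WITHOUT_PREPROC)
    for name, p in (("with preprocessors", pre), ("without preprocessors", raw)):
        print("%-22s payload=%r ttl=%d id=%d ip_csum=%#06x" % (
            name, p["payload"], p["ttl"], p["id"], p["ip_csum"]))
        print("    helo_without_lf=%s helo_overlong=%s" % (
            helo_without_lf(p["payload"]), helo_overlong(p["payload"])))
    print("fields that differ:", differing_fields(pre, raw))
    print("seq/ack exactly swapped:", seq_ack_swapped(pre, raw))
```

Running it prints the preprocessor copy as `HELO abcd` with ttl 240, id 0 and IP checksum 0, and the raw copy as `HELO abcdefghij\r\n` with ttl 255; `helo_without_lf` is True only for the truncated copy, `helo_overlong` is False for both. The practical point is the second function: a rule that alerts because a terminator is missing will fire on any packet, reassembled or not, that happens to end before the terminator, while a rule that demands the overlong data be present is immune to that particular failure.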
