[Snort-devel] Critical rule application bug in snort v2.0.0

Martin Olsson elof at ...969...
Fri May 16 05:54:05 EDT 2003


(I didn't use the bug-tracking-system at sourceforge for this report since
it contains too much configuration information...)


With the snort.conf added at the end of this message I get two
reproducible errors.

1. The first rule in memory does not trigger
When starting snort it should have 49 rules in memory with the first one
being "Offset 4", the second "Offset 5" and so on.
When a packet containing |22332233| is received the first rule should
trigger. It isn't! It is the second rule ("Offset 5") that triggers.

Machine A:    10.0.0.52
Snort-sensor: 10.0.0.53

On machine A:
ping -c 1 -p ffffffffff22332233ffff22332233afffffff 10.0.0.53

Logfile on snort-sensor:
05/16-13:52:20.894149  [**] [1:1000005:1] Offset 5 [**] [Classification:
Misc activity] [Priority: 3] {ICMP} 10.0.0.52 -> 10.0.0.53
05/16-13:52:20.894344  [**] [1:1000005:1] Offset 5 [**] [Classification:
Misc activity] [Priority: 3] {ICMP} 10.0.0.53 -> 10.0.0.52

We see the echo-request is logged as "Offset 5"
We see the echo-reply is also logged as "Offset 5"
They should be "Offset 4".

-----------------------------

2. Wrong order of rules with custom ruletype
If you modify the rules with offset 10 to 16 to use "alert2" instead of
"alert", restart snort and ping again you get:

Rule application order: ->activation->dynamic->alert->pass->log->alert2

snort.alert:
<Nothing is logged>

snort.alert2:
05/16-14:35:26.770028  [**] [1:1000016:1] Offset 16 [**] [Classification:
Misc activity] [Priority: 3] {ICMP} 10.0.0.52 -> 10.0.0.53
05/16-14:35:26.770255  [**] [1:1000016:1] Offset 16 [**] [Classification:
Misc activity] [Priority: 3] {ICMP} 10.0.0.53 -> 10.0.0.52

Given that "alert2" is put last in the list, shouldn't the packet have
matched the first "alert" rule and hence been logged to snort.alert as
"Offset 4" ("Offset 5" with the bug described above)?
BTW, 16? Are the "alert2" rules added in reverse order or what?


Now, add the following line after the ruletype-definition
  config order: alert2 pass activation dynamic alert log
Restart snort and ping again:
Now snort.alert2 has logged two "Offset 11". This is correct except for
the bug described above. It should be "Offset 10", but at least it's
logged in the correct file this time.

------

var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /usr/sentor/lib
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
output alert_fast: snort.alert
include /usr/sentor/etc/snort-classification.config
include /usr/sentor/etc/snort-reference.config
ruletype alert2
{
  type alert
  output alert_fast: snort.alert2
}
alert icmp any any -> any any (msg:"Offset 4"; content: "|22332233|"; offset: 4; classtype:misc-activity; sid:1000004; rev:1;)
alert icmp any any -> any any (msg:"Offset 5"; content: "|22332233|"; offset: 5; classtype:misc-activity; sid:1000005; rev:1;)
alert icmp any any -> any any (msg:"Offset 6"; content: "|22332233|"; offset: 6; classtype:misc-activity; sid:1000006; rev:1;)
alert icmp any any -> any any (msg:"Offset 7"; content: "|22332233|"; offset: 7; classtype:misc-activity; sid:1000007; rev:1;)
alert icmp any any -> any any (msg:"Offset 8"; content: "|22332233|"; offset: 8; classtype:misc-activity; sid:1000008; rev:1;)
alert icmp any any -> any any (msg:"Offset 9"; content: "|22332233|"; offset: 9; classtype:misc-activity; sid:1000009; rev:1;)
alert icmp any any -> any any (msg:"Offset 10"; content: "|22332233|"; offset: 10; classtype:misc-activity; sid:1000010; rev:1;)
alert icmp any any -> any any (msg:"Offset 11"; content: "|22332233|"; offset: 11; classtype:misc-activity; sid:1000011; rev:1;)
alert icmp any any -> any any (msg:"Offset 12"; content: "|22332233|"; offset: 12; classtype:misc-activity; sid:1000012; rev:1;)
alert icmp any any -> any any (msg:"Offset 13"; content: "|22332233|"; offset: 13; classtype:misc-activity; sid:1000013; rev:1;)
alert icmp any any -> any any (msg:"Offset 14"; content: "|22332233|"; offset: 14; classtype:misc-activity; sid:1000014; rev:1;)
alert icmp any any -> any any (msg:"Offset 15"; content: "|22332233|"; offset: 15; classtype:misc-activity; sid:1000015; rev:1;)
alert icmp any any -> any any (msg:"Offset 16"; content: "|22332233|"; offset: 16; classtype:misc-activity; sid:1000016; rev:1;)
alert icmp any any -> any any (msg:"Offset 17"; content: "|22332233|"; offset: 17; classtype:misc-activity; sid:1000017; rev:1;)
alert icmp any any -> any any (msg:"Offset 18"; content: "|22332233|"; offset: 18; classtype:misc-activity; sid:1000018; rev:1;)
alert icmp any any -> any any (msg:"Offset 19"; content: "|22332233|"; offset: 19; classtype:misc-activity; sid:1000019; rev:1;)
alert icmp any any -> any any (msg:"Offset 20"; content: "|22332233|"; offset: 20; classtype:misc-activity; sid:1000020; rev:1;)
alert icmp any any -> any any (msg:"Offset 21"; content: "|22332233|"; offset: 21; classtype:misc-activity; sid:1000021; rev:1;)
alert icmp any any -> any any (msg:"Offset 22"; content: "|22332233|"; offset: 22; classtype:misc-activity; sid:1000022; rev:1;)
alert icmp any any -> any any (msg:"Offset 23"; content: "|22332233|"; offset: 23; classtype:misc-activity; sid:1000023; rev:1;)
alert icmp any any -> any any (msg:"Offset 24"; content: "|22332233|"; offset: 24; classtype:misc-activity; sid:1000024; rev:1;)
alert icmp any any -> any any (msg:"Offset 25"; content: "|22332233|"; offset: 25; classtype:misc-activity; sid:1000025; rev:1;)
alert icmp any any -> any any (msg:"Offset 26"; content: "|22332233|"; offset: 26; classtype:misc-activity; sid:1000026; rev:1;)
alert icmp any any -> any any (msg:"Offset 27"; content: "|22332233|"; offset: 27; classtype:misc-activity; sid:1000027; rev:1;)
alert icmp any any -> any any (msg:"Offset 28"; content: "|22332233|"; offset: 28; classtype:misc-activity; sid:1000028; rev:1;)
alert icmp any any -> any any (msg:"Offset 29"; content: "|22332233|"; offset: 29; classtype:misc-activity; sid:1000029; rev:1;)
alert icmp any any -> any any (msg:"Offset 30"; content: "|22332233|"; offset: 30; classtype:misc-activity; sid:1000030; rev:1;)
alert icmp any any -> any any (msg:"Offset 31"; content: "|22332233|"; offset: 31; classtype:misc-activity; sid:1000031; rev:1;)
alert icmp any any -> any any (msg:"Offset 32"; content: "|22332233|"; offset: 32; classtype:misc-activity; sid:1000032; rev:1;)
alert icmp any any -> any any (msg:"Offset 33"; content: "|22332233|"; offset: 33; classtype:misc-activity; sid:1000033; rev:1;)
alert icmp any any -> any any (msg:"Offset 34"; content: "|22332233|"; offset: 34; classtype:misc-activity; sid:1000034; rev:1;)
alert icmp any any -> any any (msg:"Offset 35"; content: "|22332233|"; offset: 35; classtype:misc-activity; sid:1000035; rev:1;)
alert icmp any any -> any any (msg:"Offset 36"; content: "|22332233|"; offset: 36; classtype:misc-activity; sid:1000036; rev:1;)
alert icmp any any -> any any (msg:"Offset 37"; content: "|22332233|"; offset: 37; classtype:misc-activity; sid:1000037; rev:1;)
alert icmp any any -> any any (msg:"Offset 38"; content: "|22332233|"; offset: 38; classtype:misc-activity; sid:1000038; rev:1;)
alert icmp any any -> any any (msg:"Offset 39"; content: "|22332233|"; offset: 39; classtype:misc-activity; sid:1000039; rev:1;)
alert icmp any any -> any any (msg:"Offset 40"; content: "|22332233|"; offset: 40; classtype:misc-activity; sid:1000040; rev:1;)
alert icmp any any -> any any (msg:"Offset 41"; content: "|22332233|"; offset: 41; classtype:misc-activity; sid:1000041; rev:1;)
alert icmp any any -> any any (msg:"Offset 42"; content: "|22332233|"; offset: 42; classtype:misc-activity; sid:1000042; rev:1;)
alert icmp any any -> any any (msg:"Offset 43"; content: "|22332233|"; offset: 43; classtype:misc-activity; sid:1000043; rev:1;)
alert icmp any any -> any any (msg:"Offset 44"; content: "|22332233|"; offset: 44; classtype:misc-activity; sid:1000044; rev:1;)
alert icmp any any -> any any (msg:"Offset 45"; content: "|22332233|"; offset: 45; classtype:misc-activity; sid:1000045; rev:1;)
alert icmp any any -> any any (msg:"Offset 46"; content: "|22332233|"; offset: 46; classtype:misc-activity; sid:1000046; rev:1;)
alert icmp any any -> any any (msg:"Offset 47"; content: "|22332233|"; offset: 47; classtype:misc-activity; sid:1000047; rev:1;)
alert icmp any any -> any any (msg:"Offset 48"; content: "|22332233|"; offset: 48; classtype:misc-activity; sid:1000048; rev:1;)
alert icmp any any -> any any (msg:"Offset 49"; content: "|22332233|"; offset: 49; classtype:misc-activity; sid:1000049; rev:1;)
alert icmp any any -> any any (msg:"Offset 50"; content: "|22332233|"; offset: 50; classtype:misc-activity; sid:1000050; rev:1;)
alert icmp any any -> any any (msg:"Offset 51"; content: "|22332233|"; offset: 51; classtype:misc-activity; sid:1000051; rev:1;)
alert icmp any any -> any any (msg:"Offset 52"; content: "|22332233|"; offset: 52; classtype:misc-activity; sid:1000052; rev:1;)

Martin Olsson
Sentor AB, Sweden
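Editor's added example, not part of the post above and not Snort's own code: a small reference model of the rule-application semantics the report relies on, so the expected outcome of each of the three scenarios (all rules "alert"; offsets 10 to 16 as "alert2" with the default order; the same with "config order: alert2 ..." first) can be checked without a sensor. It assumes that `content` with `offset: N` matches when the pattern occurs anywhere at or after payload byte N, that rule types are applied in the configured order with unlisted custom ruletypes appended last (as the "Rule application order" line in the report shows), that within a type rules keep file order, and that only the first matching rule fires. The payload is constructed: eight placeholder bytes standing in for the timestamp ping prefixes to its `-p` pattern (an assumption about layout) followed by the report's pattern twice.

```python
"""Reference model of first-match rule application (constructed example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence


@dataclass(frozen=True)
class Rule:
    rtype: str      # "alert", "alert2", "pass", "log", ...
    msg: str
    content: bytes  # pattern to search for in the payload
    offset: int     # search starts at this payload byte


# Built-in order Snort reports when no "config order" is given; custom
# ruletypes such as "alert2" are appended after these.
DEFAULT_ORDER: Sequence[str] = ("activation", "dynamic", "alert", "pass", "log")
CUSTOM_ORDER: Sequence[str] = ("alert2", "pass", "activation", "dynamic", "alert", "log")

CONTENT = bytes.fromhex("22332233")
# Constructed payload: 8 placeholder bytes (assumed timestamp width) + pattern * 2.
PING_PATTERN = bytes.fromhex("ffffffffff22332233ffff22332233afffffff")
PAYLOAD = b"\x00" * 8 + PING_PATTERN * 2


def content_matches(payload: bytes, content: bytes, offset: int) -> bool:
    """True if `content` occurs in `payload` at any position >= offset."""
    if offset < 0 or offset >= len(payload):
        return False
    return payload.find(content, offset) != -1


def application_order(rules: Sequence[Rule], order: Sequence[str]) -> List[str]:
    """Configured types first, then any custom types in first-seen order."""
    seen = list(dict.fromkeys(r.rtype for r in rules))
    return list(order) + [t for t in seen if t not in order]


def matching_msgs(rules: Sequence[Rule], payload: bytes) -> List[str]:
    """Every rule whose content/offset test passes, in file order."""
    return [r.msg for r in rules if content_matches(payload, r.content, r.offset)]


def first_match(rules: Sequence[Rule], payload: bytes,
                order: Sequence[str] = DEFAULT_ORDER) -> Optional[str]:
    """The msg of the rule that should fire: first match in type order, then file order."""
    for rtype in application_order(rules, order):
        for r in rules:
            if r.rtype == rtype and content_matches(payload, r.content, r.offset):
                return r.msg
    return None


def offset_rules(rtype_for: Callable[[int], str] = lambda n: "alert") -> List[Rule]:
    """The report's 49 'Offset N' rules (offset 4 .. 52) for |22332233|."""
    return [Rule(rtype_for(n), f"Offset {n}", CONTENT, n) for n in range(4, 53)]


def alert2_for_10_to_16(n: int) -> str:
    """Ruletype assignment from the second scenario in the report."""
    return "alert2" if 10 <= n <= 16 else "alert"


def scenario_all_alert() -> Optional[str]:
    return first_match(offset_rules(), PAYLOAD)


def scenario_alert2_default_order() -> Optional[str]:
    return first_match(offset_rules(alert2_for_10_to_16), PAYLOAD)


def scenario_alert2_first() -> Optional[str]:
    return first_match(offset_rules(alert2_for_10_to_16), PAYLOAD, CUSTOM_ORDER)


if __name__ == "__main__":
    print("all alert, default order :", scenario_all_alert())
    print("alert2 rules, default    :", scenario_alert2_default_order())
    print("alert2 rules, alert2 first:", scenario_alert2_first())
    print("rules that match at all  :", matching_msgs(offset_rules(), PAYLOAD))
```

Under these assumptions the model returns "Offset 4" for the first two scenarios and "Offset 10" for the third, which is exactly what the report argues a correct sensor should log; any pattern occurrence inside the packet satisfies every rule whose offset is at or before it, so the lowest-offset rule in the first applied type is the one that ought to fire.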
