[Snort-devel] incorrect TCP RST handling.

Shai Rubin shai at ...1503...
Tue Sep 2 05:43:24 EDT 2003


I believe that SNORT has a bug in how it handles RST TCP packets.

The attached tcpdump illustrates how a RST packet can cause SNORT to flush a
stream and to miss an attack (finger-root in this case, reassembly was
activated on port 79 for this case).

When a RST packet is a (fast) retransmission of a data packet that was
not acked yet, SNORT flushes the stream without waiting to see whether the
RST was accepted by the host.
The tcpdump attached is an example of such a case. The first RST packet in
the dump causes SNORT to flush the stream (and to miss the attack).

Note that most hosts will NOT accept the RST packet (see Paxson paper
IEEE-security 2003).


I also believe that the fix is simple, as shown below.

/tmp>diff spp_stream4.c snort-2.0.1/src/preprocessors/spp_stream4.c
3197,3199c3197
<     static StreamPacketData spd;
<     spd.seq_num = pkt_seq;
<
---
>
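Review bot: the new `static StreamPacketData spd;` only ever has `spd.seq_num` set, so the later tree lookup relies on the compare function keying on `seq_num` alone, which this hunk does not show; a zero-initialised stack variable (`StreamPacketData spd = {0}; spd.seq_num = pkt_seq;`) would avoid the function-scope static and make that assumption visible.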
3226,3231d3223
<     // Do not return 1 so fast. This RST might be a retransmission of data
<     // that was not acked yet.
<     // If it is, most hosts will reject the RST. Future work should
explore
<     // this further.
<     if (ubi_sptFind(&s->data,(ubi_btItemPtr)(&spd)))
<       return 0;
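Review bot: the comment in this hunk has been wrapped by the mail client, so the word `explore` sits on its own line without a `<` prefix and `patch` will reject the hunk as posted; resend it as `diff -u` output or as an attachment. On the logic, `ubi_sptFind(&s->data, (ubi_btItemPtr)(&spd))` only matches a RST whose sequence number equals the start of a segment still held in the reassembly tree, so a RST whose sequence number falls inside a held segment still takes the flush path; and since the surrounding function is not shown, the comment should state what the early `return 0` means to the caller versus the `return 1` it pre-empts.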
Name: snortReport.txt
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030902/da062984/attachment.txt>
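The behaviour described above, as an added illustration (not Snort's stream4 code): a minimal reassembler that buffers client segments until the server acks them and, on a RST, checks whether the RST merely repeats the sequence number of a still-unacked segment before flushing. The trace, the two-segment `root` query and the `detects_root` stand-in for the detection engine are all constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Pkt:
    """One constructed segment. flags: "PA" client data, "R" client reset,
    "A" pure ack from the server (only its ack number matters)."""
    seq: int
    flags: str
    payload: bytes = b""
    ack: int = 0

@dataclass
class Stream:
    segs: dict = field(default_factory=dict)     # seq -> payload, all buffered client data
    unacked: set = field(default_factory=set)    # seqs the server has not yet acked
    flushes: list = field(default_factory=list)  # byte strings handed to detection

    def flush(self):
        data = b"".join(self.segs[s] for s in sorted(self.segs))
        self.flushes.append(data)
        self.segs.clear()
        self.unacked.clear()

def reassemble(trace, hold_rst_retransmissions=True):
    st = Stream()
    for p in trace:
        if p.flags == "PA":                       # client data: buffer it, mark unacked
            st.segs[p.seq] = p.payload
            st.unacked.add(p.seq)
        elif p.flags == "A":                      # server ack: drop fully acked segments
            st.unacked = {s for s in st.unacked if s + len(st.segs[s]) > p.ack}
        elif p.flags == "R":
            if hold_rst_retransmissions and p.seq in st.unacked:
                continue  # RST re-sends an unacked seq; most hosts drop it, so keep the stream
            st.flush()                            # naive path: every RST ends the stream
    st.flush()                                    # end of trace
    return st.flushes

def detects_root(flushes):
    """Stand-in for a content rule on the reassembled stream."""
    return any(b"root" in chunk for chunk in flushes)

# Constructed trace: the query is split so the signature spans two segments,
# and the RST carries the sequence number of the first, still-unacked segment.
TRACE = [
    Pkt(1000, "PA", b"ro"),
    Pkt(1000, "R"),
    Pkt(1002, "PA", b"ot\n"),
    Pkt(0, "A", ack=1005),
]
```

With `hold_rst_retransmissions=False` the RST splits the stream into `b"ro"` and `b"ot\n"` and the rule never sees `root`; with the check in place the stream is delivered whole.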

