[Snort-devel] Possible bug with 2.0.2: decoder masking fragroute traffic from stream4 preprocessor

Martin Roesch roesch at ...402...
Mon Sep 29 07:39:08 EDT 2003


Hi Allen,

The problem with enabling evasion_alerts is that it's very noisy in a 
lot of environments due to the number of things that look like evasions 
that are standard foibles of certain IP stacks.  Maybe we should 
reclassify it into "fragroute_attacks" and "stack_noise" or something 
(if we can break it out even that well).

As far as the decoders generating noise, I find that it's especially 
useful to turn off the decoder alerts if you don't want to know about 
every malformed packet that hits your network; depending on which 
corner of the net you live in, it could be pretty noisy.

On another note, we're ramping for a beta release of our latest product 
this week at Sourcefire, so all of the Sourcefire-based Snort 
developers are very heads down right now, please give them a little 
breathing room for the next few days.

Thanks!

      -Marty


On Sunday, September 28, 2003, at 07:51 PM, Allen Harper wrote:

> Developers, on the below email, I now see the reason there is no 
> fragroute alert.  The snort.conf ships with the stream4 preprocessor 
> set to disable evasion alerts.  Are you guys aware that on a standard 
> install, now fragroute (and more importantly, the attacks it 
> represents) has come back to life.  See below. No responses to this 
> email chain so far, is this list working?
>
>  
>
> Developers,
>
> While working on a book for McGraw-Hill, I have been conducting some 
> testing of snort. When I looked at 1.8.7, it handled default fragroute 
> traffic well by the stream4 preprocessor sounding the alert “: 
> Multiple Acked Packets (possible fragroute)”. I may have found a 
> problem with 2.0.1&2. It seems that there are some changes in the 
> 2.0.1 that make the decoder fire “WARNING: TCP Data Offset is less 
> than 5!” which of course could mean lots of things besides 
> fragroute. It is much less descriptive and will probably be chalked up 
> as a false positive by an analyst… It looks like the decoder is 
> stealing the stream4 preprocessors thunder here.  Details follow:
>
>  
>
> Here is the problem:
>
> Both snorts 1.8.7 and 2.0.2 have default configs and rules. Using 
> default config for fragroute.
>
>  
>
> root at ...2207...[knoppix]# ping 10.10.10.33
>
> root at ...2207...[knoppix]# fragroute 10.10.10.33
>
> fragroute: tcp_seg -> ip_frag -> ip_chaff -> order -> print (starts 
> fragroute, then open another window for ftp session)
>
>  
>
> ftp 10.10.10.33 (proceed to log-in, move to /etc subdir, get passwd, 
> then log out)
>
>  
>
> --------------------------
>
> snort1.8.7
>
>  
>
>  
>
> [**] [111:18:1] spp_stream4: Multiple Acked Packets (possible fragroute)
> [**] 09/23-14:58:05.445121 10.10.10.102:33039 -> 10.10.10.33:21 TCP
> TTL:64 TOS:0x10 ID:26987 IpLen:20 DgmLen:53
> ***AP*** Seq: 0x1B4A6A08 Ack: 0x6EE8F32C Win: 0x16D0 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 33629416 62418991
>
> [**] [111:18:1] spp_stream4: Multiple Acked Packets (possible fragroute)
> [**] 09/23-14:58:05.445214 10.10.10.102:33039 -> 10.10.10.33:21 TCP
> TTL:64 TOS:0x10 ID:63939 IpLen:20 DgmLen:53
> ***AP*** Seq: 0x1B4A6A0A Ack: 0x6EE8F32C Win: 0x16D0 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 33629416 62418991
>
> [**] [111:18:1] spp_stream4: Multiple Acked Packets (possible fragroute)
> [**] 09/23-14:58:05.445094 10.10.10.102:33039 -> 10.10.10.33:21 TCP
> TTL:64 TOS:0x10 ID:3410 IpLen:20 DgmLen:53
> ***AP*** Seq: 0x1B4A6A0C Ack: 0x6EE8F32C Win: 0x16D0 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 33629416 62418991
>
>  
>
>  
>
> This is good...
>
>  
>
>  
>
> ------------------ snort 2.0.2
>
>  
>
> [**] [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5!
> [**] 09/23-15:02:13.783931 10.10.10.102:0 -> 10.10.10.33:0 TCP TTL:64
> TOS:0x10 ID:37117 IpLen:20 DgmLen:52
> *2U**R** Seq: 0x3330556E Ack: 0x50537257 Win: 0x374E TcpLen: 16
> UrgPtr: 0x7530
>
> [**] [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5!
> [**] 09/23-15:02:14.886738 10.10.10.102:0 -> 10.10.10.33:0 TCP TTL:64
> TOS:0x10 ID:37119 IpLen:20 DgmLen:52
> *2***R*F Seq: 0x6B645039 Ack: 0x2B65597A Win: 0x4B79 TcpLen: 12
>
> [**] [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5!
> [**] 09/23-15:02:14.888232 10.10.10.102:0 -> 10.10.10.33:0 TCP TTL:64
> TOS:0x10 ID:37120 IpLen:20 DgmLen:52
> *2U***S* Seq: 0x4B633332 Ack: 0x56583431 Win: 0x3373 TcpLen: 16
> UrgPtr: 0x3757
>
>  
>
> this is not good... looks like the decoder is stealing the thunder of
> the stream4 preprocessor... this can easily be chalked up as a
> false positive by the analyst and there is no mention or inkling that
> fragroute is being used... So, it appears that fragroute becomes useful 
> again. 
>
>  
>
> Allen
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
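The decoder check that Allen's 2.0.2 output shows, as an added example that is not Snort's own code: a small Python model of the TCP data-offset test that rejects a header before stream4 can see it, run over two constructed headers built from the values in the alerts above. The `build_tcp`, `decode_tcp` and `triage` names are assumptions.

```python
import struct

# Alert text as printed in the 2.0.2 output above.
DECODER_ALERT = "[116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5!"

def build_tcp(sport, dport, seq, ack, data_offset, flags, win, urg=0, options=b""):
    """Constructed helper: pack a TCP header with an arbitrary data offset field."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (data_offset << 12) | flags, win, 0, urg)
    return hdr + options

def decode_tcp(segment):
    """Mirror the decoder check: reject the header before any preprocessor sees it.
    Returns (alert_or_None, fields). Like the alerts above, a rejected header is
    reported with ports 0 because its fields are never trusted."""
    if len(segment) < 20:
        return ("truncated TCP header", None)
    sport, dport, seq, ack, off_flags, win, _csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12           # header length in 32-bit words
    tcplen = data_offset * 4                # the 'TcpLen:' value Snort prints
    if data_offset < 5:                     # shorter than the fixed 20-byte header
        return (DECODER_ALERT, {"sport": 0, "dport": 0, "tcplen": tcplen})
    return (None, {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                   "flags": off_flags & 0x3F, "tcplen": tcplen, "urg": urg})

def triage(segments):
    """Count how many segments the decoder drops versus hands on to stream4."""
    dropped = sum(1 for s in segments if decode_tcp(s)[0] is not None)
    return {"decoder_alerts": dropped, "reached_stream4": len(segments) - dropped}

# Constructed sample 1: header values taken from the third 2.0.2 alert
# (URG|SYN, TcpLen 16 -> data offset 4).
CHAFF = build_tcp(33039, 21, 0x4B633332, 0x56583431, 4, 0x22, 0x3373, urg=0x3757)
# Constructed sample 2: the well-formed FTP segment from the first 1.8.7 alert
# (ACK|PSH, TcpLen 32 -> data offset 8, NOP NOP TS options).
TS_OPTS = b"\x01\x01\x08\x0a" + struct.pack("!II", 33629416, 62418991)
GOOD = build_tcp(33039, 21, 0x1B4A6A08, 0x6EE8F32C, 8, 0x18, 0x16D0, options=TS_OPTS)

if __name__ == "__main__":
    for name, seg in (("chaff", CHAFF), ("good", GOOD)):
        print(name, decode_tcp(seg))
    print(triage([CHAFF, GOOD]))
```

The chaff header never reaches the stream4 stage, so the only trace of it is the decoder warning; that is the masking the thread describes.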