[Snort-devel] Snort Detection (Stream4 and Flow)

Joel Ebrahimi jebrahimi at ...2857...
Tue Feb 7 11:02:05 EST 2006

I've been trying to research some of the stream4 preprocessor and rule options. Basically I  noticed a number of scan rules were not triggering and I looked into it further. For example here is a simplified NULL scan rule  :
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL no seq"; flow:stateless; ack:0; flags:0; reference:arachnids,4; classtype:attempted-recon; )
This was not triggering when I was running 'nmap -sN' , even though I could see on the wire it should be. I then removed the enforce_state from the stream4 preprocessor and the rule fired off just like it should. Now my part of my confusion comes from the current docs. Here is what is said about flow: stateless
'stateless	 Trigger regardless of the state of the stream processor (useful for packets that are designed to cause machines to crash)'
So to me it would seem that even if enforce_state is set in stream4 these rules should trigger. If that is not the case what is the point of even adding flow: stateless to a rule?
I traced what was happening through the code (I am not a Snort detection expert so forgive any misconceptions I have). So in the Preprocess function do_detect will be set in this loop to 0 in this case
while(idx != NULL)
         assert(idx->func != NULL);
         idx->func(p, idx->context);
         idx = idx->next;
when it is evaluating the stream4 preprocessor settings and goes into ReassembleStream4 function in spp_stream4.c . In ReassembleStream4 (around line 2100), this would be what is setting do_detect to 0 here 
             if((p->tcph->th_flags & (TH_SYN|TH_RST)) != TH_SYN)
                 do_detect = 0;
                 p->preprocessors = 0;
So really what this means is every single TCP rule will need to have flow with it in order to enforce state and prevent stick/snot attacks and to also be able to detect stateless scan attacks at the same time . Which seems to go against what the original design of stream4 was about, explained here: HYPERLINK "http://www.snort.org/docs/faq.html#3.14"http://www.snort.org/docs/faq.html#3.14
Like I said I'm no detection expert, but I was also curious if do_detect that can be set to 0 depending on criteria in the loop from the Preprocess function above, can then be set back to 1. If not it would seem like you could gain some valuable cpu cycles by changing
while(idx != NULL)
while(idx != NULL && do_detect != 0)
// Joel
Joel Ebrahimi
HYPERLINK "mailto:jebrahimi at ...2857..."jebrahimi at ...2857...

No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.15.2/252 - Release Date: 2/6/2006
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20060207/f9a122de/attachment.html>

More information about the Snort-devel mailing list