[Snort-devel] Config Stateful Issue

Joel Ebrahimi jebrahimi at ...2857...
Fri Feb 10 09:50:01 EST 2006

In some recent talks in Snort's IRC, and in relation to my last emails and testing, I think the problem may not have been fully addressed.
The reason I have been using enforce_state with the stream4 preprocessor is because Snort is alerting on packets without the 3-way handshake even when I have config stateful set.
I haven't tried this with snot or stick, but I've been using the 2 attached pcaps. One is with the SYN and SYN/ACK removed from the 3-way handshake.
I have the option "config stateful" (also tried with the -z flag and got the same results) in my snort.conf, and below is the rule I am using.
alert tcp $EXTERNAL_NET ANY -> $HTTP_SERVERS $HTTP_PORTS ( msg: "Web CGI: Test-cgi attempt"; flow: to_server,established; uricontent: "/test-cgi"; nocase; uricontent: "*"; )
I've been sending the packets with tcpreplay, but this should have no impact since regardless there is no 3-way handshake. I'm not sure if it's something particular to this pcap or if Snort is now vulnerable to snot-type attacks. I've attached a simple snort-test.conf just so it can be verified that I have not made a mistake.
If I am correct, then at this point I'd highly recommend everyone use enforce_state in the stream4 preprocessor and maybe run a second Snort with a limited number of TCP stateless rules without enforce_state, to ensure you have full coverage and to protect against DoS attacks.
// Joel

Attachments:
- test-cgi.pcap (application/octet-stream, 1309 bytes): <https://lists.snort.org/pipermail/snort-devel/attachments/20060210/43f257a6/attachment.obj>
- test-cgi-no3way.pcap (application/octet-stream, 1125 bytes): <https://lists.snort.org/pipermail/snort-devel/attachments/20060210/43f257a6/attachment-0001.obj>
- snort-test.conf (application/octet-stream, 512 bytes): <https://lists.snort.org/pipermail/snort-devel/attachments/20060210/43f257a6/attachment-0002.obj>
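The test described in the post, reproduced as an added example (this is not code from the post, its attachments, or the Snort project): a Python script that writes two pcaps, one with a full SYN / SYN-ACK / ACK handshake ahead of the HTTP request and one containing only the data packet, so the same rule can be replayed over both with `snort -r` and the alert counts compared. The IP addresses, ports, MAC addresses, sequence numbers, timestamps and request line are made-up values; the request URI contains `/test-cgi` and a literal `*` so that both `uricontent` checks in the rule above match. Checksums are computed correctly so that a checksum-verifying decoder does not silently drop the packets, which would mask the stateful-inspection question the post is asking.

```python
"""Generate two pcaps to test whether a flow:established rule fires
without a TCP three-way handshake.  Constructed example; all addresses,
ports, sequence numbers and timestamps are arbitrary."""
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08
CLIENT, SERVER = "10.0.0.2", "192.168.1.10"     # assumed attacker / web server
CPORT, SPORT = 40000, 80
# Payload crafted to hit uricontent "/test-cgi" and uricontent "*".
REQUEST = b"GET /cgi-bin/test-cgi?* HTTP/1.0\r\nHost: target\r\n\r\n"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_packet(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Build Ethernet/IPv4/TCP frame with valid IP and TCP checksums."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    tcp_len = 20 + len(payload)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    tcp_csum = checksum(pseudo + hdr + payload)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, tcp_csum, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000, 64, 6, 0, src, dst)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000, 64, 6,
                     checksum(ip), src, dst)
    return eth + ip + hdr + payload


def session(with_handshake: bool):
    """Return the packet list: optional 3-way handshake, then the request."""
    cseq, sseq = 1000, 5000
    pkts = []
    if with_handshake:
        pkts.append(tcp_packet(CLIENT, SERVER, CPORT, SPORT, cseq, 0, SYN))
        pkts.append(tcp_packet(SERVER, CLIENT, SPORT, CPORT, sseq, cseq + 1, SYN | ACK))
        pkts.append(tcp_packet(CLIENT, SERVER, CPORT, SPORT, cseq + 1, sseq + 1, ACK))
    # Same data segment either way: the only difference is the missing handshake.
    pkts.append(tcp_packet(CLIENT, SERVER, CPORT, SPORT, cseq + 1, sseq + 1, PSH | ACK, REQUEST))
    return pkts


def tcp_flags(pkt: bytes) -> int:
    """Flags byte of the TCP header (Ethernet 14 + IPv4 20 + offset 13)."""
    return pkt[14 + 20 + 13]


def checksums_ok(pkt: bytes) -> bool:
    """Re-verify IP and TCP checksums: a correct checksum sums to zero."""
    ip = pkt[14:34]
    total_len = struct.unpack("!H", ip[2:4])[0]
    seg = pkt[34:14 + total_len]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(ip) == 0 and checksum(pseudo + seg) == 0


def write_pcap(path: str, pkts) -> int:
    """Write a classic pcap (linktype 1 = Ethernet); return bytes written."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(pkts):
        out += struct.pack("<IIII", 1139580000 + i, 0, len(p), len(p)) + p
    with open(path, "wb") as f:
        f.write(out)
    return len(out)


if __name__ == "__main__":
    write_pcap("test-cgi-handshake.pcap", session(True))
    write_pcap("test-cgi-no3way.pcap", session(False))
    # Then, with the rule from the post in snort-test.conf:
    #   snort -c snort-test.conf -r test-cgi-handshake.pcap -A console
    #   snort -c snort-test.conf -r test-cgi-no3way.pcap -A console
    # With "config stateful" alone the second run alerting is the behaviour the
    # post reports; with "preprocessor stream4: enforce_state" it should not.
```

Running both files through the same configuration is the point: if the no-handshake pcap produces the same alert as the handshake pcap, the `established` keyword is not being enforced by session state, and stream4's `enforce_state` is what actually drops the unsolicited segment.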
