[Snort-devel] Config Stateful Issue

Joel Ebrahimi jebrahimi at ...2857...
Fri Feb 10 10:21:00 EST 2006


Eric,
 
Whether I'm sending the packets through tcpreplay or reading them in with -r, it does not make a difference, and it shouldn't. The only thing that would happen by sending with tcpreplay is that the timestamps of the packets would be changed. The issue here is Snort triggering on a stateless session when config stateful is set.
 
// Joel

   _____  

From: Eric Lauzon [mailto:eric.lauzon at ...1967...] 
Sent: Friday, February 10, 2006 10:10 AM
To: Joel Ebrahimi
Subject: RE: [Snort-devel] Config Stateful Issue


Try to use the -r switch to read the pcap file and not use tcpreplay :)
 
BTW, I figured out the session DoS issue you were trying to explain the other time.
 
 


   _____  

From: snort-devel-admin at lists.sourceforge.net [mailto:snort-devel-admin at ...2431...ts.sourceforge.net] On Behalf Of Joel Ebrahimi
Sent: 10 February 2006 12:56
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] Config Stateful Issue


In some recent talks in Snort's IRC, and in relation to my last emails and testing, I think the problem may not have been fully addressed.
 
The reason I have been using enforce_state with the stream4 preprocessor is that Snort is alerting on packets without the 3-way handshake even when I have config stateful set.
I haven't tried this with snot or stick, but I've been using the 2 attached pcaps. One has the SYN and SYN/ACK removed from the 3-way handshake.
 
I have the option "config stateful" in my snort.conf (I also tried the -z flag and got the same results), and below is the rule I am using.
 
alert tcp $EXTERNAL_NET ANY -> $HTTP_SERVERS $HTTP_PORTS (msg:"Web CGI: Test-cgi attempt"; flow:to_server,established; uricontent:"/test-cgi"; nocase; uricontent:"*";)
 
I've been sending the packets with tcpreplay, but this should have no impact, since regardless there is no 3-way handshake. I'm not sure if it's something particular to this pcap, or if Snort is now vulnerable to snot-type attacks. I've attached a simple snort-test.conf just so it can be verified that I have not made a mistake.
 
If I am correct, then at this point I'd highly recommend everyone use enforce_state in the stream4 preprocessor, and maybe run a second Snort with a limited number of stateless TCP rules without enforce_state, to ensure you have full coverage and to protect against DoS attacks.
 
 
// Joel


--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.15.5/256 - Release Date: 2/10/2006
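The two traces Joel describes (a full handshake followed by the /test-cgi request, and the same trace with the SYN and SYN/ACK stripped) are easy to reconstruct offline, and a small handshake tracker makes the expected outcome of the test explicit: a rule with flow:established should only be allowed to match in the first trace. The following is an added example written for this archive page, not the pcaps attached to the thread and not Snort code. Addresses, ports, MAC addresses, timestamps and the request line are constructed for illustration; the tracker only mimics the SYN, SYN/ACK, ACK check that stream4's enforce_state is meant to impose and is not a model of stream4 itself.

```python
"""Build two pcaps in pure Python (no scapy needed) and check which one
contains a /test-cgi request inside a completed TCP 3-way handshake.
Constructed example; hosts, ports and payload are arbitrary."""
import socket
import struct

SYN, PSH, ACK = 0x02, 0x08, 0x10
CLIENT, SERVER = "10.0.0.5", "10.0.0.80"          # hypothetical hosts
CPORT, SPORT = 40000, 80
REQUEST = b"GET /cgi-bin/test-cgi?* HTTP/1.0\r\nHost: www.example.com\r\n\r\n"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      8192, 0, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6,
                     0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("006677889900") + b"\x08\x00"
    return eth + ip + tcp


def write_pcap(path: str, frames) -> None:
    """Write frames as a classic libpcap file (DLT_EN10MB) for snort -r / tcpreplay."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):          # 1 s apart, arbitrary epoch
            f.write(struct.pack("<IIII", 1139581000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def full_session():
    """SYN, SYN/ACK, ACK, then the request: what the first pcap in the thread holds."""
    c_isn, s_isn = 1000, 5000
    return [
        tcp_packet(CLIENT, SERVER, CPORT, SPORT, c_isn, 0, SYN),
        tcp_packet(SERVER, CLIENT, SPORT, CPORT, s_isn, c_isn + 1, SYN | ACK),
        tcp_packet(CLIENT, SERVER, CPORT, SPORT, c_isn + 1, s_isn + 1, ACK),
        tcp_packet(CLIENT, SERVER, CPORT, SPORT, c_isn + 1, s_isn + 1, PSH | ACK, REQUEST),
    ]


def stateless_session():
    """Same trace with the SYN and SYN/ACK removed (the thread's second pcap)."""
    return full_session()[2:]


def parse_frame(frame: bytes):
    ihl = (frame[14] & 0x0F) * 4
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[13], tcp[doff:]


def established_hits(frames, needle: bytes = b"/test-cgi"):
    """Return (stateful_hits, stateless_hits): how many payloads carry `needle`
    after a completed SYN/SYN-ACK/ACK on that 4-tuple (what enforce_state
    requires before flow:established can match) versus how many a purely
    stateless inspector would match."""
    state = {}
    stateful = stateless = 0
    for frame in frames:
        src, dst, sport, dport, flags, payload = parse_frame(frame)
        key, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if flags & SYN and not flags & ACK:
            state[key] = "SYN"
        elif flags & SYN and flags & ACK and state.get(rev) == "SYN":
            state[rev] = "SYN_ACK"
        elif flags & ACK and state.get(key) == "SYN_ACK":
            state[key] = "ESTABLISHED"
        if needle in payload:
            stateless += 1
            if state.get(key) == "ESTABLISHED":
                stateful += 1
    return stateful, stateless


if __name__ == "__main__":
    write_pcap("handshake.pcap", full_session())
    write_pcap("no-handshake.pcap", stateless_session())
    print("with handshake   :", established_hits(full_session()))
    print("without handshake:", established_hits(stateless_session()))
```

Feed both files to Snort with the rule from the post (snort -c snort-test.conf -r handshake.pcap, then -r no-handshake.pcap): the expectation from the tracker is one alert for the first file and none for the second. An alert on no-handshake.pcap reproduces the behaviour Joel is reporting, namely flow:established being satisfied without a handshake; an alert only on handshake.pcap means state is being enforced.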





CONFIDENTIALITY NOTICE

This communication is intended for the exclusive use of the addressee identified above. Its content is confidential and may contain privileged information. If you have received this communication by error, please notify the sender and delete the message without copying or disclosing it.







 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20060210/7139cf82/attachment.html>
