[Snort-devel] Config Stateful Issue

Steven Sturges steve.sturges at ...402...
Fri Feb 10 14:17:01 EST 2006

Joel, Eric, et al...

The Stream4 code sometimes marks a session as established.
This occurs when a session is picked up midstream and
we've seen both sides of the connection.  We attempt to
determine the correct TCP state on these sessions in the
case of dropped packets -- or in your case, a PCAP that
is deliberately missing the SYN/SYN-ACK.  See line 3200
(or so) of spp_stream4.c.

Turning on enforce_state in Stream4 config causes Stream4
to only mark sessions as established when it sees the
full 3WHS.

config stateful really only makes sense in that context
because the stream can be marked as established because
of midstream pickups.

I'm all in favor of removing config stateful entirely,
because it has added all sorts of confusion with the
addition of the enforce_state (a while ago, mind you) to

Any votes on the matter?


Joel Ebrahimi wrote:
> Eric,
> Wether Im sending the packets through tcpreplay or reading them in with 
> -r it does not make a difference, and it shouldnt. The only thing that 
> would happen by sending with tcpreplay is timestamps of the packets 
> would be changed. The issue here is Snort triggering on a stateless 
> session when config stateful is set.
> // Joel
> ------------------------------------------------------------------------
> *From:* Eric Lauzon [mailto:eric.lauzon at ...1967...]
> *Sent:* Friday, February 10, 2006 10:10 AM
> *To:* Joel Ebrahimi
> *Subject:* RE: [Snort-devel] Config Stateful Issue
> Try to use the -r switch to read the pcap file and not use tcpreplay :)
> btw i figured out the session DoS issue you where trying to explain the 
> other time
>     ------------------------------------------------------------------------
>     *From:* snort-devel-admin at lists.sourceforge.net
>     [mailto:snort-devel-admin at lists.sourceforge.net] *On Behalf Of *Joel
>     Ebrahimi
>     *Sent:* 10 février 2006 12:56
>     *To:* snort-devel at lists.sourceforge.net
>     *Subject:* [Snort-devel] Config Stateful Issue
>     In some recent talks in Snorts IRC and in relation to my last emails
>     and testing I think the problem may not have been fully addressed.
>     The reason I have been using enforce_state with the stream4
>     preprocessor is because Snort is alerting on packets without the 3
>     way handshake even when I have config stateful set.
>     I haven't tried this with snot or stick but I've been using the 2
>     attached pcaps. One is with the syn syn/ack removed out of the 3 way
>     handshake.
>     I have the option: config stateful (also tried with the -z flag and
>     got same results) in my snort.conf and the below is the rule I am using.
>     alert tcp $EXTERNAL_NET ANY -> $HTTP_SERVERS $HTTP_PORTS ( msg: "Web
>     CGI: Test-cgi attempt"; flow: to_server,established;  uricontent: 
>     "/test-cgi"; nocase; uricontent:  "*";   )
>     I've been sending the packets with tcpreplay but this should have no
>     impact since regardless there is no 3way handshake. Im not sure if
>     its somethig particular with this pcap or is Snort now vulnerable
>     to  snot type attacks . I've attached a simple snort-test.conf just
>     so it can be verified that I have not made a mistake.
>     If I am correct then at this point I think Id highly recommend
>     everyone using enforce_state in the stream4 preprocessor and maybe a
>     run a second snort with a limited number of tcp stateless rules
>     without the enforce_state, to ensure you have full coverage and to
>     protect against DOS attacks.
>     // Joel
>     --
>     No virus found in this outgoing message.
>     Checked by AVG Free Edition.
>     Version: 7.1.375 / Virus Database: 267.15.5/256 - Release Date:
>     2/10/2006
> Le présent message est à l'usage exclusif du ou des destinataires 
> mentionnés ci-dessus. Son contenu est confidentiel et peut être 
> assujetti au secret professionnel. Si vous avez reçu le présent message 
> par erreur, veuillez nous en aviser immédiatement et le détruire en vous 
> abstenant d'en faire une copie, d'en divulguer le contenu ou d'y donner 
> suite.
> This communication is intended for the exclusive use of the addressee 
> identified above. Its content is confidential and may contain privileged 
> information. If you have received this communication by error, please 
> notify the sender and delete the message without copying or disclosing it.
> --
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.375 / Virus Database: 267.15.5/256 - Release Date: 2/10/2006
> --
> No virus found in this outgoing message.
> Checked by AVG Free Edition.
> Version: 7.1.375 / Virus Database: 267.15.5/256 - Release Date: 2/10/2006

More information about the Snort-devel mailing list