[Snort-devel] Config Stateful Issue

Eric Lauzon eric.lauzon at ...1967...
Fri Feb 10 14:30:07 EST 2006

> -----Original Message-----
> From: Steven Sturges [mailto:steve.sturges at ...402...] 
> Sent: 10 février 2006 17:13
> To: Joel Ebrahimi
> Cc: Eric Lauzon; snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] Config Stateful Issue
> Joel, Eric, et al...
> The Stream4 code sometimes marks a session as established.
> This occurs when a session is picked up midstream and we've 
> seen both sides of the connection.  We attempt to determine 
> the correct TCP state on these sessions in the case of 
> dropped packets -- or in your case, a PCAP that is 
> deliberately missing the SYN/SYN-ACK.  See line 3200 (or so) 
> of spp_stream4.c.
> Turning on enforce_state in Stream4 config causes Stream4 to 
> only mark sessions as established when it sees the full 3WHS.
> config stateful really only makes sense in that context 
> because the stream can be marked as established because of 
> midstream pickups.
> I'm all in favor of removing config stateful entirely, 
> because it has added all sorts of confusion with the addition 
> of the enforce_state (a while ago, mind you) to Stream4.
> Any votes on the matter?

Ok well i just want to make my statement to be seen as two things :

first the tcpreplay issue:
As of experience trying to get to replay attack scheme to develop
some signature a while ago (almost 2 year ago) i have ran in alot of issue
where tcpreplay was clearly replaying the packets but creating some bad checksum
that made snort automaticly drop the packets , droping checksum check made 
some of the replayed traffic ok but other traffic seemed mangled somehow , usualy
this happen when you take traffic from station X <-> Y and trying to make it look A <-> B,
going arround this issue personaly was to make snort directly read the pcap file and changing
my configuration over to matching source packet made it work.

So here i was suggesting off list Joel to try to use an other alternative to tcpreplay where i knew 
i ran into some problems in the past , this issue over i assume my presumption of the problem at first was wrong
suggesting the -z flag or config statefull equivalent in the snort.conf.

But has discussed offlist with steven and correct me if i am wrong , enabling stream4 enforce_state and state_protection
will enable some Session Object Possible denial of Service as of if you look at the code and no session is found for the corresponding
packet it will create a new session , enabling those two options will create a session only if it match a valid session Initialiser and
it will enable self preservation option enabled in stream4 , so personally i would say that i wouldn't see why it should be droped , i would
even suggest that the default behavior would be to enable those flag. 




Le présent message est à l'usage exclusif du ou des destinataires mentionnés ci-dessus. Son contenu est confidentiel et peut être assujetti au secret professionnel. Si vous avez reçu le présent message par erreur, veuillez nous en aviser immédiatement et le détruire en vous abstenant d'en faire une copie, d'en divulguer le contenu ou d'y donner suite.


This communication is intended for the exclusive use of the addressee identified above. Its content is confidential and may contain privileged information. If you have received this communication by error, please notify the sender and delete the message without copying or disclosing it.

More information about the Snort-devel mailing list