[Snort-devel] Config Stateful Issue

Joel Ebrahimi jebrahimi at ...2857...
Fri Feb 10 17:53:12 EST 2006


 
Well I think some of it is confusing due to the current bug and some of the documentation, or lack of it, but after re-reading everything and going through your emails I don't necessarily think the 'config stateless' is a bad thing that should go away. 
 
In the case where a deployment is brought up you would have a number of mid-stream sessions and there is always the potential to drop a packet when Snort is running in a passive sniff mode. My interpretation had been that 'config stateful' would have required the 3-way handshake, but then that would make enforce_state redundant. And it also makes sense why Snort would alert on the previous pcap since there had been replies from a server. Maybe better documentation explaining what set stateful is actually looking for other than established connections would help.
 
Now if Snort was running in inline mode then config stateful would not really make sense other than catching the initial mid-stream connections, but considering how you can never really tell how someone could be deploying Snort, from an inline sensor to an underpowered sensor that can't keep up with the current traffic, having the config stateful seems beneficial.
 
// Joel
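As an added illustration of the Stream4 behaviour Steve describes in the quoted reply below (not Snort's own code, nor Joel's or Steve's): a toy session tracker that, like a midstream pickup, marks a session established once both sides have been seen, versus enforce_state, which only does so after the full 3WHS. The Stream4Model class, the packet records and the traffic are constructed assumptions, and the thread's rule is reduced to its flow:to_server,established and uricontent:"/test-cgi" checks.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    direction: str    # "c2s" (client to server) or "s2c" (server to client)
    flags: str        # TCP flags as a string, e.g. "S", "SA", "A", "PA"
    payload: bytes = b""

class Stream4Model:
    """Toy session tracker (assumed model, not spp_stream4.c).
    enforce_state=False: midstream pickup, established once both sides seen.
    enforce_state=True: established only after a fully observed 3WHS."""
    def __init__(self, enforce_state: bool):
        self.enforce_state = enforce_state
        self.seen_c2s = self.seen_s2c = False
        self.handshake = 0     # 0: nothing, 1: SYN, 2: SYN-ACK, 3: ACK seen
        self.established = False

    def update(self, p: Pkt) -> None:
        if p.direction == "c2s":
            self.seen_c2s = True
        else:
            self.seen_s2c = True
        # Advance the handshake state machine only on the expected packet.
        if self.handshake == 0 and p.direction == "c2s" and p.flags == "S":
            self.handshake = 1
        elif self.handshake == 1 and p.direction == "s2c" and p.flags == "SA":
            self.handshake = 2
        elif self.handshake == 2 and p.direction == "c2s" and "A" in p.flags:
            self.handshake = 3
        if self.handshake == 3 or (not self.enforce_state
                                   and self.seen_c2s and self.seen_s2c):
            self.established = True

def alerts(packets, enforce_state: bool) -> int:
    """Hits for flow:to_server,established + uricontent:"/test-cgi" (nocase)."""
    s = Stream4Model(enforce_state)
    hits = 0
    for p in packets:
        s.update(p)
        if p.direction == "c2s" and s.established and b"/test-cgi" in p.payload.lower():
            hits += 1
    return hits

# Constructed traffic. MIDSTREAM mirrors Joel's trimmed pcap: SYN and SYN-ACK
# removed, so the tracker first sees the client's ACK and request.
REQ = b"GET /test-cgi HTTP/1.0\r\n\r\n"
MIDSTREAM = [Pkt("c2s", "A"), Pkt("c2s", "PA", REQ),
             Pkt("s2c", "PA", b"HTTP/1.0 404 Not Found\r\n\r\n"), Pkt("c2s", "PA", REQ)]
FULL = [Pkt("c2s", "S"), Pkt("s2c", "SA")] + MIDSTREAM
```

With the default policy the trimmed capture still fires once the server reply has been seen, which is the alert Joel observed; with enforce_state it never fires, while the full-handshake capture fires under both policies.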
 
 
 

 
________________________________

From: Steven Sturges [mailto:steve.sturges at ...402...]
Sent: Fri 2/10/2006 2:13 PM
To: Joel Ebrahimi
Cc: Eric Lauzon; snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Config Stateful Issue



Joel, Eric, et al... 

The Stream4 code sometimes marks a session as established. 
This occurs when a session is picked up midstream and 
we've seen both sides of the connection.  We attempt to 
determine the correct TCP state on these sessions in the 
case of dropped packets -- or in your case, a PCAP that 
is deliberately missing the SYN/SYN-ACK.  See line 3200 
(or so) of spp_stream4.c. 

Turning on enforce_state in Stream4 config causes Stream4 
to only mark sessions as established when it sees the 
full 3WHS. 

config stateful really only makes sense in that context 
because the stream can be marked as established because 
of midstream pickups. 

I'm all in favor of removing config stateful entirely, 
because it has added all sorts of confusion with the 
addition of the enforce_state (a while ago, mind you) to 
Stream4. 

Any votes on the matter? 

Cheers. 
-steve 

Joel Ebrahimi wrote: 
> Eric, 
>  
> Whether I'm sending the packets through tcpreplay or reading them in with 
> -r it does not make a difference, and it shouldn't. The only thing that 
> would happen by sending with tcpreplay is timestamps of the packets 
> would be changed. The issue here is Snort triggering on a stateless 
> session when config stateful is set. 
>  
> // Joel 
> 
> ------------------------------------------------------------------------ 
> *From:* Eric Lauzon [mailto:eric.lauzon at ...1967...] 
> *Sent:* Friday, February 10, 2006 10:10 AM 
> *To:* Joel Ebrahimi 
> *Subject:* RE: [Snort-devel] Config Stateful Issue 
> 
> Try to use the -r switch to read the pcap file and not use tcpreplay :) 
>  
> btw I figured out the session DoS issue you were trying to explain the 
> other time 
>  
>  
> 
>     ------------------------------------------------------------------------ 
>     *From:* snort-devel-admin at lists.sourceforge.net 
>     [mailto:snort-devel-admin at lists.sourceforge.net] *On Behalf Of *Joel 
>     Ebrahimi 
>     *Sent:* 10 February 2006 12:56 
>     *To:* snort-devel at lists.sourceforge.net 
>     *Subject:* [Snort-devel] Config Stateful Issue 
> 
>     In some recent talks in Snort's IRC and in relation to my last emails 
>     and testing I think the problem may not have been fully addressed. 
>      
>     The reason I have been using enforce_state with the stream4 
>     preprocessor is because Snort is alerting on packets without the 3 
>     way handshake even when I have config stateful set. 
>     I haven't tried this with snot or stick but I've been using the 2 
>     attached pcaps. One is with the syn syn/ack removed out of the 3 way 
>     handshake. 
>      
>     I have the option: config stateful (also tried with the -z flag and 
>     got same results) in my snort.conf and the below is the rule I am using. 
>      
>     alert tcp $EXTERNAL_NET ANY -> $HTTP_SERVERS $HTTP_PORTS ( msg: "Web 
>     CGI: Test-cgi attempt"; flow: to_server,established;  uricontent: 
>     "/test-cgi"; nocase; uricontent:  "*";   ) 
>      
>     I've been sending the packets with tcpreplay but this should have no 
>     impact since regardless there is no 3-way handshake. I'm not sure if 
>     it's something particular with this pcap or if Snort is now vulnerable 
>     to snot-type attacks. I've attached a simple snort-test.conf just 
>     so it can be verified that I have not made a mistake. 
>      
>     If I am correct then at this point I think I'd highly recommend 
>     everyone use enforce_state in the stream4 preprocessor and maybe 
>     run a second snort with a limited number of tcp stateless rules 
>     without the enforce_state, to ensure you have full coverage and to 
>     protect against DOS attacks. 
>      
>      
>     // Joel 
> 
> 

