[Snort-devel] Evasion Due to Multiple Instances of SPAN Traffic

Benjamin Small benjamin.small83 at ...2499...
Fri Aug 3 11:45:28 EDT 2007


This is not a problem when using stream5 and snort 2.7.0 - Go team!

Thanks,
Benjamin

On 6/29/07, Steven Sturges <steve.sturges at ...402...> wrote:
>
> Hi Benjamin--
>
> Thanks for the report.  We'll have a look into it.
>
> Cheers.
> -steve
>
> Benjamin Small wrote:
> > Hello,
> >
> > While working with Snort 2.6.1.5 I noticed a situation where snort was
> > inadvertently being evaded. I have narrowed the root cause down to the
> > stream4 preprocessor. When reassembling both to_client and to_server
> > streams, it appears that duplicating certain packets causes snort to miss
> > an attack. I demonstrate this in an attack where I attempt an /etc/passwd
> > grab. None of the attacker's packets are duplicated, but I send three
> > instances of the first response from the server containing a payload (and
> > only the first packet with payload seems to matter). Oddly enough, if you
> > read the pcap as a file "snort -r evaded.pcap", Snort fires. However, if
> > snort is reading this traffic from an interface it misses the attack. To
> > test this I used tcpreplay on a separate host.
> >
> > This becomes a potential problem in IDS setups where traffic is being
> > SPAN'd to a monitoring interface more than once. Since this can
> > potentially cause every attack against an application that utilizes TCP
> > to be missed, I wanted to bring this to the community's attention. This is
> > more common in environments where complex SPAN sessions are used to relay
> > data from multiple sources to an IDS for monitoring.
> >
> > I am attaching a pcap and the configuration used in my test. Disabling the
> > stream4 preprocessor or setting the "noinspect" option prevents the IDS
> > from missing the attack. The pcap contains a series of 12 unique packets.
> > The 8th unique packet is replicated twice, resulting in three instances of
> > the initial response from the webserver after the attempted /etc/passwd
> > grab. I only replicated this packet since after trying different
> > variations of duplicating other packets, it appears this packet was key
> > for missing the attack. I have attached a spreadsheet containing data
> > surrounding my tests. Each column contains the number of times each packet
> > in the sequence was transmitted.
> >
> > Regards,
> > Benjamin Small
> >
>
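The quoted report describes two things a defender wants to be able to check: that a stream reassembler accounts for bytes by sequence number so a segment seen three times contributes its payload once, and that a capture actually is being fed the same packets more than once (a doubled SPAN session). The following is an added example written for this thread; it is not Snort's stream4 or stream5 code and does not reproduce the specific stream4 defect the report found. The flow (hosts 10.0.0.5 and 10.0.0.80, sequence numbers, the HTTP request and the passwd-like response) is constructed sample data, and the reassembler treats the given ISN as the sequence number of the first data byte.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One captured TCP segment (constructed sample data, not a real capture)."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    payload: bytes


class StreamReassembler:
    """Reassembles one direction of a TCP stream by sequence number.

    Bytes are delivered in order and each sequence position is delivered once,
    so a segment that arrives twice (retransmit, or the same packet SPAN'd from
    two sources) cannot insert its payload a second time.
    """

    def __init__(self, isn: int):
        self.next_seq = isn              # next byte the application would read
        self.pending: dict[int, bytes] = {}   # out-of-order segments, keyed by seq
        self.data = bytearray()
        self.dropped_duplicates = 0

    def add(self, seq: int, payload: bytes) -> None:
        end = seq + len(payload)
        if end <= self.next_seq:         # every byte already delivered: full duplicate
            self.dropped_duplicates += 1
            return
        if seq < self.next_seq:          # partial overlap: keep only the new tail
            payload = payload[self.next_seq - seq:]
            seq = self.next_seq
        if seq in self.pending:          # duplicate of a segment still waiting for a gap
            self.dropped_duplicates += 1
            return
        self.pending[seq] = payload
        while self.next_seq in self.pending:   # flush everything now contiguous
            chunk = self.pending.pop(self.next_seq)
            self.data.extend(chunk)
            self.next_seq += len(chunk)


def reassemble_direction(packets, src, dst, isn):
    """Reassemble the src->dst direction; returns (stream bytes, duplicates dropped)."""
    r = StreamReassembler(isn)
    for p in packets:
        if p.src == src and p.dst == dst and p.payload:
            r.add(p.seq, p.payload)
    return bytes(r.data), r.dropped_duplicates


def duplicate_ratio(packets) -> float:
    """Fraction of packets that exactly repeat an earlier packet.

    A SPAN session that delivers every packet twice shows up as a ratio near
    0.5 across a whole capture; ordinary TCP retransmissions stay far lower.
    """
    seen = Counter((p.src, p.dst, p.sport, p.dport, p.seq, p.payload) for p in packets)
    repeats = sum(n - 1 for n in seen.values())
    return repeats / len(packets) if packets else 0.0


def build_sample_flow():
    """Constructed flow: one request, then a response whose first payload
    segment is seen three times, mirroring the report's duplicated 8th packet."""
    client, server = "10.0.0.5", "10.0.0.80"
    c_isn, s_isn = 1000, 5000
    request = b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"
    response_parts = [
        b"HTTP/1.0 200 OK\r\n\r\n",
        b"root:x:0:0:root:/root:/bin/bash\n",
        b"daemon:x:1:1:..\n",
    ]
    pkts = [Packet(client, server, 40000, 80, c_isn, request)]
    seq = s_isn
    for i, part in enumerate(response_parts):
        pkt = Packet(server, client, 80, 40000, seq, part)
        pkts.extend([pkt] * (3 if i == 0 else 1))   # first payload segment x3
        seq += len(part)
    return pkts, client, server, s_isn


def payload_seen(packets, src, dst, isn, pattern: bytes) -> bool:
    """Content check over the reassembled stream, the way a rule would match."""
    data, _ = reassemble_direction(packets, src, dst, isn)
    return pattern in data


if __name__ == "__main__":
    pkts, client, server, s_isn = build_sample_flow()
    data, dups = reassemble_direction(pkts, server, client, s_isn)
    print(f"duplicates dropped: {dups}, duplicate ratio: {duplicate_ratio(pkts):.2f}")
    print("pattern matched:", payload_seen(pkts, server, client, s_isn, b"root:x:0:0"))
```

Running the script reassembles the server's response to the same bytes whether the first segment is seen once or three times, and the duplicate ratio over the constructed capture is 2/6; in a real deployment the same counter run over a few minutes of SPAN'd traffic is a quick way to tell a doubled SPAN feed from normal retransmission noise. The reassembler here only trims overlap against bytes already delivered, so two differently-sized out-of-order segments that overlap each other would need the additional overlap policy a production reassembler carries.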