[Snort-devel] Evasion Due to Multiple Instances of SPAN Traffic

Steven Sturges steve.sturges at ...402...
Fri Aug 3 13:48:08 EDT 2007

Thanks for following up on this Benjamin!


Benjamin Small wrote:
> This is not a problem when using stream5 and snort 2.7.0 - Go team!
> Thanks,
> Benjamin
> On 6/29/07, Steven Sturges <steve.sturges at ...402...> wrote:
>> Hi Benjamin--
>> Thanks for the report.  We'll have a look into it.
>> Cheers.
>> -steve
>> Benjamin Small wrote:
>>> Hello,
>>> While working with Snort I noticed a situation where snort was
>>> inadvertently being evaded.
>>> I have narrowed the root cause down to the stream4 preprocessor. When
>>> reassembling both to_client
>>> and to_server streams, it appears that duplicating certain packets
>> causes
>>> snort to miss an attack.
>>> I demonstrate this in an attack where I attempt an /etc/passwd grab.
>>> None of
>>> the attacker's packets
>>> are duplicated, but I send three instances of the first response from
>> the
>>> server containing a payload
>>> (and only the first packet with payload seems to matter). Oddly enough,
>> if
>>> you read the pcap as a file
>>> "snort -r evaded.pcap", Snort fires. However, if snort is reading this
>>> traffic from an interface it misses
>>> the attack. To test this I used tcpreplay on a separate host.
>>> This becomes a potential problem in IDS setups where traffic is being
>>> SPAN'd
>>> to a monitoring interface
>>> more than once. Since this can potentially cause every attack against an
>>> application that utilizes TCP
>>> to be missed, I wanted to bring this to the community's attention. This
>> is
>>> more common in environments
>>> where complex SPAN sessions are used to relay data from multiple sources
>> to
>>> an IDS for monitoring.
>>> I am attaching a pcap and the configuration used in my test. Disabling
>> the
>>> stream4 preprocessor or
>>> setting the "noinspect" option prevents the IDS from missing the attack.
>>> The
>>> pcap contains a series of
>>> 12 unique packets. The 8th unique packet is replicated twice, resulting
>> in
>>> three instances of the initial
>>> response from the webserver after the attempted /etc/passwd grab. I only
>>> replicated this packet since
>>> after trying different variations of duplicating other packets, it
>> appears
>>> this packet was key for missing
>>> the attack. I have attached a spreadsheet containing data surrounding my
>>> tests. Each column contains
>>> the number of times each packet in the sequence was transmitted.
>>> Regards,
>>> Benjamin Small
>>> ------------------------------------------------------------------------
>> -------------------------------------------------------------------------
>>> This SF.net email is sponsored by DB2 Express
>>> Download DB2 Express C - the FREE version of DB2 express and take
>>> control of your XML. No limits. Just data. Click to get it now.
>>> http://sourceforge.net/powerbar/db2/
>>> ------------------------------------------------------------------------
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel

More information about the Snort-devel mailing list