[Snort-devel] Evasion Due to Multiple Instances of SPAN Traffic

Steven Sturges steve.sturges at ...402...
Fri Jun 29 14:41:50 EDT 2007

Hi Benjamin--

Thanks for the report.  We'll have a look into it.


Benjamin Small wrote:
> Hello,
>
> While working with Snort I noticed a situation where Snort was inadvertently being evaded. I have narrowed the root cause down to the stream4 preprocessor. When reassembling both to_client and to_server streams, it appears that duplicating certain packets causes Snort to miss an attack.
>
> I demonstrate this in an attack where I attempt an /etc/passwd grab. None of the attacker's packets are duplicated, but I send three instances of the first response from the server containing a payload (and only the first packet with payload seems to matter). Oddly enough, if you read the pcap as a file "snort -r evaded.pcap", Snort fires. However, if Snort is reading this traffic from an interface it misses the attack. To test this I used tcpreplay on a separate host.
>
> This becomes a potential problem in IDS setups where traffic is being SPAN'd to a monitoring interface more than once. Since this can potentially cause every attack against an application that utilizes TCP to be missed, I wanted to bring this to the community's attention. This is more common in environments where complex SPAN sessions are used to relay data from multiple sources to an IDS for monitoring.
>
> I am attaching a pcap and the configuration used in my test. Disabling the stream4 preprocessor or setting the "noinspect" option prevents the IDS from missing the attack. The pcap contains a series of 12 unique packets. The 8th unique packet is replicated twice, resulting in three instances of the initial response from the webserver after the attempted /etc/passwd grab. I only replicated this packet since, after trying different variations of duplicating other packets, it appears this packet was key for missing the attack. I have attached a spreadsheet containing data surrounding my tests. Each column contains the number of times each packet in the sequence was transmitted.
>
> Regards,
> Benjamin Small
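The report above describes a sensor seeing the same server segment several times because traffic is mirrored to the monitoring interface more than once. The following is an added example, not code from the thread, from Snort, or from the stream4 preprocessor: a toy TCP reassembler in two variants and a duplicate-segment counter, run over a constructed response stream. It assumes a hypothetical `Segment` record carrying only the sequence number and payload, an arrival order in which the copies of the first data segment are interleaved with later segments (as can happen when two SPAN sessions have different latency), and a sample content signature `root:x:0:0:` that happens to span a segment boundary. It shows why a reassembler must place bytes by sequence offset rather than by arrival order, and how to measure the duplicate ratio on a feed to spot a doubly mirrored SPAN session.

```python
"""Added example (not from the Snort-devel thread): sequence-offset
reassembly is idempotent under duplicated segments; arrival-order
concatenation is not. Also counts duplicates to flag a double-SPAN feed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Hypothetical minimal TCP segment: sequence number of first payload byte."""
    seq: int
    payload: bytes


def reassemble_naive(segments):
    """Concatenate payloads in arrival order, ignoring sequence numbers.
    Every duplicate copy is inserted again, wherever it happens to arrive."""
    return b"".join(s.payload for s in segments)


def reassemble_by_seq(segments, isn):
    """Place each payload at its offset from the initial sequence number.
    Duplicate copies land on the same offset with identical bytes, so the
    result depends only on the set of segments, not their arrival order.
    Gaps are zero-filled here; a real reassembler would track holes."""
    buf = bytearray()
    for s in segments:
        off = (s.seq - isn) & 0xFFFFFFFF      # 32-bit sequence space wraparound
        end = off + len(s.payload)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
        buf[off:end] = s.payload
    return bytes(buf)


def count_duplicates(segments):
    """Return (unique, duplicate) counts keyed on (seq, payload).
    A sustained duplicate ratio near 1.0 on a sensor interface suggests
    the same traffic is being mirrored to it more than once."""
    seen = set()
    dup = 0
    for s in segments:
        key = (s.seq, s.payload)
        if key in seen:
            dup += 1
        else:
            seen.add(key)
    return len(seen), dup


# Constructed sample data (not from the attached pcap): a server response
# split into three segments; the signature crosses the SECOND/THIRD boundary.
SIGNATURE = b"root:x:0:0:"
ISN = 1000
FIRST = Segment(ISN, b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n")
SECOND = Segment(FIRST.seq + len(FIRST.payload), b"root:x:0:")
THIRD = Segment(SECOND.seq + len(SECOND.payload), b"0:root:/root:/bin/bash\n")

# The first payload-bearing segment is delivered three times, with the extra
# copies interleaved among later segments (two mirror sessions, different delay).
ARRIVAL = [FIRST, SECOND, FIRST, THIRD, FIRST]


def analyse(segments=ARRIVAL, isn=ISN, signature=SIGNATURE):
    """Summarise how each reassembly strategy fares on the given arrival order."""
    unique, dup = count_duplicates(segments)
    naive = reassemble_naive(segments)
    by_seq = reassemble_by_seq(segments, isn)
    return {
        "unique_segments": unique,
        "duplicate_segments": dup,
        "naive_matches": signature in naive,
        "by_seq_matches": signature in by_seq,
        "by_seq_stream": by_seq,
    }


if __name__ == "__main__":
    for k, v in analyse().items():
        print(f"{k}: {v!r}")
```

On the constructed arrival order the naive buffer contains `root:x:0:` followed by a second copy of the HTTP header, so the signature never appears contiguously, whereas the sequence-offset buffer is byte-for-byte the original response. The same `count_duplicates` logic, keyed on the 5-tuple plus sequence number, is a cheap sanity check to run on a sensor's capture before blaming the IDS for a miss.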
