[Snort-devel] stream5 preprocessor: 'STREAM5_NO_TIMESTAMP' alert in combination with TCP Keep-Alives from BSD/Darwin

Bram bram-fabeg at ...3414...
Thu Aug 1 10:42:27 EDT 2013


Hi,


The TCP implementation on *BSD (and by extension on Darwin) appears to contain a bug:
When the TCP session is idle, it sends a 'TCP Keep-Alive' packet to determine if the connection still exists.
This is expected.

However: the 'TCP Keep-Alive' packet does not have the timestamp option set.
This causes snort to generate the alert 'STREAM5_NO_TIMESTAMP'.

While the event is correct, it is a bit undesirable since this makes it difficult to see unexplained anomalies/actual problems.

Attached is a patch which detects the 'TCP KeepAlive' packets sent by BSD/Darwin and prevents the alert from being generated.
I'm not sure if the 'TCP KeepAlive' packet should be ignored by default; perhaps it's better to add a config option for it?

Also: when *BSD/Darwin sends an ack on a 'TCP Keep-Alive' packet, it does appear to include the timestamp.

(This was detected due to a PPTP client being connected from a Mac - tcp idle -> keep-alives sent)


Attached are four dumps:
* keepalive.pcap: connection between NetBSD and Linux (NetBSD sending Keep-Alive)
* keepalive2.pcap: connection between NetBSD and NetBSD
* keepalive4.pcap: connection between Linux and NetBSD host (Linux sending Keep-Alive)
* no_timestamp.pcap: tcp session created using raw sockets



Configuration file used:
	config checksum_mode: all
	dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
	preprocessor stream5_global: track_tcp yes, \
	   track_udp no, \
	   track_icmp no, \
	   max_tcp 262144, \
	   max_udp 131072
	preprocessor stream5_tcp: policy windows, detect_anomalies

	alert ( msg: "STREAM5_NO_TIMESTAMP"; sid: 14; gid: 129; rev: 1; metadata: rule-type preproc ; )

	output alert_fast: stdout

Output:
	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive.pcap 2>&1 | grep '129:'
	07/22-14:16:03.787282  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52185 -> 192.168.173.50:6666
	07/22-14:16:13.787173  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52185 -> 192.168.173.50:6666

	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive2.pcap 2>&1 | grep '129:'
	07/22-14:18:45.965624  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52179 -> 192.168.173.51:6666
	07/22-14:18:55.965523  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52179 -> 192.168.173.51:6666

	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive3.pcap 2>&1 | grep '129:'

	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/no_timestamp.pcap 2>&1 | grep '129:'
	08/01-16:33:02.253871  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.1:6000 -> 192.168.173.153:33705



Output with patched version:
	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive.pcap 2>&1 | grep '129:'

	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive2.pcap 2>&1 | grep '129:'

	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive3.pcap 2>&1 | grep '129:'

	$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/no_timestamp.pcap 2>&1 | grep '129:'
	08/01-16:33:02.253871  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.1:6000 -> 192.168.173.153:33705


=> No alert on TCP Keep-Alive from BSD/Darwin.



Best regards,

Bram
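A defender-side sketch of the distinction the message is about, added here as an example that is neither the attached patch nor Snort's own stream5 code: parse a raw TCP segment, check for the timestamp option, and treat an ACK-only, data-less segment whose sequence number sits one below the sender's next sequence number (the classic BSD keep-alive probe, snd_una - 1 in the BSD stack, which equals snd_nxt - 1 on an idle connection) as a candidate to exempt from the no-timestamp anomaly, while a raw-socket data segment without timestamps (the no_timestamp.pcap case) still gets flagged. The exemption heuristic is an assumption about what such a patch would check, and all sample segments are constructed (ports taken from the posted output, no IP header, checksum left zero).

```python
import struct
# TCP option kinds and header flag bits (RFC 793 / RFC 7323)
OPT_EOL, OPT_NOP, OPT_TIMESTAMP = 0, 1, 8
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def parse_tcp(segment):
    """Return seq, flags, timestamp-option presence and payload length of a raw TCP segment."""
    _src, _dst, seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_off = (off_flags >> 12) * 4
    has_ts, opts, i = False, segment[20:data_off], 0
    while i < len(opts):                       # walk the option list
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                              # truncated or malformed option: stop, do not loop forever
        has_ts = has_ts or kind == OPT_TIMESTAMP
        i += opts[i + 1]
    return {"seq": seq, "flags": off_flags & 0x1FF, "has_ts": has_ts,
            "payload_len": len(segment) - data_off}

def is_keepalive_probe(seg, snd_nxt):
    """BSD-style probe: ACK only, no data (one garbage byte tolerated for old stacks), seq = snd_nxt - 1."""
    f = seg["flags"]
    if f & (SYN | FIN | RST) or not f & ACK or seg["payload_len"] > 1:
        return False
    return (seg["seq"] + 1) & 0xFFFFFFFF == snd_nxt & 0xFFFFFFFF

def classify(segment, snd_nxt):
    """What the anomaly check would report, with the keep-alive exemption (assumed heuristic) applied."""
    seg = parse_tcp(segment)
    if seg["has_ts"]:
        return "ok"
    return "keepalive, suppressed" if is_keepalive_probe(seg, snd_nxt) else "STREAM5_NO_TIMESTAMP"

def build_segment(seq, flags, opts=b"", payload=b""):
    """Constructed TCP segment: ports from the posted output, ack/window/checksum/urgent fixed."""
    opts += b"\x00" * (-len(opts) % 4)         # pad options to a 32-bit boundary
    off = (20 + len(opts)) // 4
    return struct.pack("!HHIIHHHH", 52185, 6666, seq, 0, (off << 12) | flags, 65535, 0, 0) + opts + payload

SND_NXT = 1000                                                    # constructed idle-connection state
TS_OPT = b"\x01\x01\x08\x0a" + struct.pack("!II", 12345, 67890)   # NOP NOP TS(kind 8, len 10)
BSD_KEEPALIVE = build_segment(SND_NXT - 1, ACK)                   # no options, no data
TIMESTAMPED_ACK = build_segment(SND_NXT, ACK, TS_OPT)             # what the Linux side sends
RAW_SOCKET_DATA = build_segment(SND_NXT, PSH | ACK, payload=b"hi")  # like no_timestamp.pcap
```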


-------------- next part --------------
A non-text attachment was scrubbed...
Name: keepalive.pcap
Type: application/octet-stream
Size: 1084 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130801/49e0f952/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keepalive2.pcap
Type: application/octet-stream
Size: 1118 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130801/49e0f952/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keepalive3.pcap
Type: application/octet-stream
Size: 962 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130801/49e0f952/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: no_timestamp.pcap
Type: application/octet-stream
Size: 1389 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130801/49e0f952/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort-2.9.5-tcp-keepalive.patch
Type: application/aegis-patch
Size: 1967 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130801/49e0f952/attachment.bin>