[Snort-devel] stream5 preprocessor: 'STREAM5_NO_TIMESTAMP' alert in combination with TCP Keep-Alives from BSD/Darwin

Bram bram-fabeg at ...3414...
Tue Aug 20 03:43:56 EDT 2013


Hi,


Was this message taken into consideration? (I received no reply to it?)

Even if the code is left unchanged it seems appropriate to mention
this in the documentation of the '129:14' rule.. (speaking of which:
it seems documentation for '129:14' is missing?)


Best regards,

Bram

Quoting Bram <bram-fabeg at ...3414...>:

> Hi,
>
>
> The TCP implementation on *BSD (and by extension on Darwin) appears
> to contain a bug:
> When the TCP session is idle then it sends a 'TCP Keep-Alive' packet
> to determine if the connection still exists.
> This is expected.
>
> However: the 'TCP Keep-Alive' packet does not have the timestamp  
> options set..
> This causes snort to generate the alert 'STREAM5_NO_TIMESTAMP'.
>
> While the event is correct it is a bit undesirable since this makes
> it difficult to see unexplained anomalies/actual 'problems'.
>
> Attached is a patch which detects the 'TCP KeepAlive' packets sent
> by BSD/Darwin and prevents the alert from being generated.
> I'm not sure if the 'TCP KeepAlive' packet should be ignored by
> default.. perhaps it's better to add a config option for it?
>
> Also: when *BSD/Darwin sends an ack on a 'TCP Keep-Alive' packet
> then it does appear to include the timestamp.
>
> (This was detected due to a PPTP client being connected from a Mac -
> tcp idle -> keep-alives sent)
>
>
> Attached are four dumps:
> * keepalive.pcap: connection between NetBSD and Linux (NetBSD sending Keep-Alive)
> * keepalive2.pcap: connection between NetBSD and NetBSD
> * keepalive4.pcap: connection between Linux and NetBSD host (Linux sending Keep-Alive)
> * no_timestamp.pcap: tcp session created using raw sockets
>
>
>
> Configuration file used:
>        config checksum_mode: all
>        dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
>        preprocessor stream5_global: track_tcp yes, \
>           track_udp no, \
>           track_icmp no, \
>           max_tcp 262144, \
>           max_udp 131072
>        preprocessor stream5_tcp: policy windows, detect_anomalies
>
>        alert ( msg: "STREAM5_NO_TIMESTAMP"; sid: 14; gid: 129; rev: 1; metadata: rule-type preproc ; )
>
>        output alert_fast: stdout
>
> Output:
>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive.pcap 2>&1 | grep '129:'
>        07/22-14:16:03.787282  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52185 -> 192.168.173.50:6666
>        07/22-14:16:13.787173  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52185 -> 192.168.173.50:6666
>
>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive2.pcap 2>&1 | grep '129:'
>        07/22-14:18:45.965624  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52179 -> 192.168.173.51:6666
>        07/22-14:18:55.965523  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52179 -> 192.168.173.51:6666
>
>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive3.pcap 2>&1 | grep '129:'
>
>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/no_timestamp.pcap 2>&1 | grep '129:'
>        08/01-16:33:02.253871  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.1:6000 -> 192.168.173.153:33705
>
>
>
> Output with patched version:
>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive.pcap 2>&1 | grep '129:'
>
>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive2.pcap 2>&1 | grep '129:'
>
>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive3.pcap 2>&1 | grep '129:'
>
>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/no_timestamp.pcap 2>&1 | grep '129:'
>        08/01-16:33:02.253871  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.1:6000 -> 192.168.173.153:33705
>
>
> => No alert on TCP Keep-Alive from BSD/Darwin.
>
>
>
> Best regards,
>
> Bram
>
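The check the quoted message describes, as an added example that is not Bram's patch or Snort's own stream5 code: parse one TCP segment, look for the timestamp option (kind 8), and exempt the idle-probe shape that BSD-derived stacks send before raising 129:14. The keep-alive heuristic (a bare ACK, no payload, sequence number one below the peer's next expected sequence number, per RFC 1122 4.2.3.6) and the `expected_seq` parameter are assumptions; the caller is assumed to have already established that the session negotiated timestamps, which is the only case where a missing option is an anomaly.

```c
#include <stdint.h>
#include <stddef.h>

#define TCP_OPT_EOL       0
#define TCP_OPT_NOP       1
#define TCP_OPT_TIMESTAMP 8
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

struct tcp_view { uint32_t seq; uint8_t flags; size_t payload_len; int has_timestamp; };

/* Parse one TCP segment (header + payload, IP header already stripped).
 * Returns 0 on success, -1 if the header or options area is malformed. */
int parse_tcp(const uint8_t *seg, size_t len, struct tcp_view *v)
{
    if (len < 20) return -1;
    size_t hlen = (size_t)(seg[12] >> 4) * 4;
    if (hlen < 20 || hlen > len) return -1;
    v->seq = ((uint32_t)seg[4] << 24) | ((uint32_t)seg[5] << 16) |
             ((uint32_t)seg[6] << 8) | seg[7];
    v->flags = seg[13];
    v->payload_len = len - hlen;
    v->has_timestamp = 0;
    for (size_t i = 20; i < hlen; ) {            /* walk the options area */
        uint8_t kind = seg[i];
        if (kind == TCP_OPT_EOL) break;
        if (kind == TCP_OPT_NOP) { i++; continue; }
        if (i + 1 >= hlen) return -1;            /* length byte missing */
        uint8_t olen = seg[i + 1];
        if (olen < 2 || i + olen > hlen) return -1;  /* truncated option */
        if (kind == TCP_OPT_TIMESTAMP && olen == 10) v->has_timestamp = 1;
        i += olen;
    }
    return 0;
}

/* Assumed heuristic (not Snort's code): a bare ACK with no payload whose
 * sequence number is one below the next expected sequence number is the
 * idle-probe shape from RFC 1122 4.2.3.6 that BSD-derived stacks send.
 * Returns 1 if 129:14 should still fire, 0 if the segment is exempt. */
int should_alert_no_timestamp(const struct tcp_view *v, uint32_t expected_seq)
{
    if (v->has_timestamp) return 0;              /* nothing is missing */
    int bare_ack = (v->flags & (TH_FIN | TH_SYN | TH_RST | TH_ACK)) == TH_ACK;
    int keepalive = bare_ack && v->payload_len == 0 && v->seq == expected_seq - 1;
    return keepalive ? 0 : 1;                    /* uint32 arithmetic wraps correctly */
}
```

A data-bearing segment or one with a wrong sequence number that lacks the option still alerts, so the exemption only covers the probe shape and not every timestamp-less packet.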







