[Snort-devel] stream5 preprocessor: 'STREAM5_NO_TIMESTAMP' alert in combination with TCP Keep-Alives from BSD/Darwin

Russ Combs rcombs at ...402...
Tue Aug 20 08:35:33 EDT 2013


On Tue, Aug 20, 2013 at 3:43 AM, Bram <bram-fabeg at ...3414...> wrote:

> Hi,
>
>
> Was this message taken into consideration? (I received no reply on it?)
>

I just now got and responded to the original.  Haven't seen it before.

>
> Even if the code is left unchanged it seems appropriate to mention this in
> the documentation of the '129:14' rule.. (speaking of which: it seems
> documentation for '129:14' is missing?)
>
>
> Best regards,
>
> Bram
>
>
> Quoting Bram <bram-fabeg at ...3414...>:
>
>  Hi,
>>
>>
>> The TCP implementation on *BSD (and by extension on Darwin) appears to
>>  contain a bug:
>> When the TCP session is idle then it sends a 'TCP Keep-Alive' packet  to
>> determine if the connection still exists.
>> This is expected.
>>
>> However: the 'TCP Keep-Alive' packet does not have the timestamp options
>> set..
>> This causes snort to generate the alert 'STREAM5_NO_TIMESTAMP'.
>>
>> While the event is correct, it is a bit undesirable since this makes it
>>  difficult to see unexplained anomalies/actual problems.
>>
>> Attached is a patch which detects the 'TCP KeepAlive' packets sent by
>>  BSD/Darwin and prevents the alert from being generated.
>> I'm not sure if the 'TCP KeepAlive' packet should be ignored by
>>  default.. perhaps it's better to add a config option for it?
>>
>> Also: when *BSD/Darwin sends an ack on a 'TCP Keep-Alive' packet then  it
>> does appear to include the timestamp.
>>
>> (This was detected due to a PPTP client being connected from a Mac - tcp
>> idle -> keep-alives sent)
>>
>>
>> Attached are four dumps:
>> * keepalive.pcap: connection between NetBSD and Linux (NetBSD sending
>>  Keep-Alive)
>> * keepalive2.pcap: connection between NetBSD and NetBSD
>> * keepalive4.pcap: connection between Linux and NetBSD host (Linux
>>  sending Keep-Alive)
>> * no_timestamp.pcap: tcp session created using raw sockets
>>
>>
>>
>> Configuration file used:
>>        config checksum_mode: all
>>        dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
>>        preprocessor stream5_global: track_tcp yes, \
>>           track_udp no, \
>>           track_icmp no, \
>>           max_tcp 262144, \
>>           max_udp 131072
>>        preprocessor stream5_tcp: policy windows, detect_anomalies
>>
>>        alert ( msg: "STREAM5_NO_TIMESTAMP"; sid: 14; gid: 129; rev: 1;
>>  metadata: rule-type preproc ; )
>>
>>        output alert_fast: stdout
>>
>> Output:
>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>> -r  /tmp/keepalive.pcap 2>&1 | grep '129:'
>>        07/22-14:16:03.787282  [**] [129:14:1] TCP Timestamp is missing
>> [**]  [Priority: 0] {TCP} 192.168.173.51:52185 -> 192.168.173.50:6666
>>        07/22-14:16:13.787173  [**] [129:14:1] TCP Timestamp is missing
>> [**]  [Priority: 0] {TCP} 192.168.173.51:52185 -> 192.168.173.50:6666
>>
>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>> -r  /tmp/keepalive2.pcap 2>&1 | grep '129:'
>>        07/22-14:18:45.965624  [**] [129:14:1] TCP Timestamp is missing
>> [**]  [Priority: 0] {TCP} 192.168.173.51:52179 -> 192.168.173.51:6666
>>        07/22-14:18:55.965523  [**] [129:14:1] TCP Timestamp is missing
>> [**]  [Priority: 0] {TCP} 192.168.173.51:52179 -> 192.168.173.51:6666
>>
>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>> -r  /tmp/keepalive3.pcap 2>&1 | grep '129:'
>>
>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>> -r  /tmp/no_timestamp.pcap 2>&1 | grep '129:'
>>        08/01-16:33:02.253871  [**] [129:14:1] TCP Timestamp is missing
>> [**]  [Priority: 0] {TCP} 192.168.173.1:6000 -> 192.168.173.153:33705
>>
>>
>>
>> Output with patched version:
>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>> -r  /tmp/keepalive.pcap 2>&1 | grep '129:'
>>
>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>> -r  /tmp/keepalive2.pcap 2>&1 | grep '129:'
>>
>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>> -r  /tmp/keepalive3.pcap 2>&1 | grep '129:'
>>
>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/
>> -r  /tmp/no_timestamp.pcap 2>&1 | grep '129:'
>>        08/01-16:33:02.253871  [**] [129:14:1] TCP Timestamp is missing
>> [**]  [Priority: 0] {TCP} 192.168.173.1:6000 -> 192.168.173.153:33705
>>
>>
>> => No alert on TCP Keep-Alive from BSD/Darwin.
>>
>>
>>
>> Best regards,
>>
>> Bram
>>
>>
>
>
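An added illustration (not the patch from the thread, nor Snort's own stream5 code) of the distinction Bram describes: a small parser that checks whether a TCP segment carries the timestamp option and, using the RFC 1122 keep-alive shape (ACK-only segment, sequence number one below the next expected byte, zero or one byte of data) as an assumed heuristic, decides whether a missing timestamp should still be reported as an anomaly. The sample segments are constructed inline; only the port numbers are taken from the alerts above.

```python
import struct

ACK, PSH = 0x10, 0x08
TS_KIND = 8  # TCP timestamp option kind (RFC 1323 / RFC 7323)

def parse_tcp(segment):
    """Parse a raw TCP segment (header + payload) into the fields we need."""
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", segment[:16])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    options, i, kinds = segment[20:data_off], 0, set()
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # EOL: end of option list
            break
        if kind == 1:                      # NOP: one-byte padding
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                          # truncated or malformed option: stop
        kinds.add(kind)
        i += options[i + 1]
    return {"seq": seq, "flags": flags, "payload_len": len(segment) - data_off,
            "has_timestamp": TS_KIND in kinds}

def is_keepalive_probe(pkt, expected_seq):
    """Assumed heuristic (RFC 1122 4.2.3.6): ACK-only segment whose sequence
    number is one below the next expected byte, carrying 0 or 1 bytes of data."""
    return (pkt["flags"] == ACK and pkt["payload_len"] <= 1
            and pkt["seq"] == (expected_seq - 1) & 0xFFFFFFFF)

def no_timestamp_anomaly(pkt, expected_seq, session_uses_ts=True):
    """True when a missing timestamp should be reported; keep-alive probes are exempt."""
    if not session_uses_ts or pkt["has_timestamp"]:
        return False
    return not is_keepalive_probe(pkt, expected_seq)

def build_segment(seq, ack, flags, options=b"", payload=b""):
    """Constructed test segment; ports are the ones from the alerts in the thread."""
    options += b"\x00" * (-len(options) % 4)    # pad options to a 32-bit boundary
    data_off = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIHHHH", 52185, 6666, seq, ack, (data_off << 12) | flags, 65535, 0, 0)
    return hdr + options + payload

TS_OPT = b"\x01\x01" + struct.pack("!BBII", TS_KIND, 10, 1234, 5678)   # NOP NOP TS
KEEPALIVE = build_segment(999, 5000, ACK)                           # BSD-style probe, no options
RAW_NO_TS = build_segment(1000, 5000, ACK | PSH, payload=b"GET /")  # like no_timestamp.pcap
WITH_TS = build_segment(1000, 5000, ACK | PSH, TS_OPT, b"GET /")    # normal segment with TS

if __name__ == "__main__":
    for name, seg in (("keepalive", KEEPALIVE), ("raw_no_ts", RAW_NO_TS), ("with_ts", WITH_TS)):
        print(name, "alert" if no_timestamp_anomaly(parse_tcp(seg), 1000) else "ok")
```

With the expected sequence number 1000, only the raw-socket style segment triggers the anomaly; the keep-alive probe and the timestamped segment do not.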