[Snort-devel] stream5 preprocessor: 'STREAM5_NO_TIMESTAMP' alert in combination with TCP Keep-Alives from BSD/Darwin

Russ Combs rcombs at ...402...
Tue Aug 20 10:07:17 EDT 2013


My bad - this is a different thread with "and by extension on Darwin".

Somehow the original message fell through the cracks.  I'll investigate.

Thanks for the bump.

Russ

On Tue, Aug 20, 2013 at 8:35 AM, Russ Combs <rcombs at ...402...> wrote:

>
>
> On Tue, Aug 20, 2013 at 3:43 AM, Bram <bram-fabeg at ...3414...> wrote:
>
>> Hi,
>>
>>
>> Was this message taken into consideration? (I received no reply on it?)
>>
>
> I just now got and responded to the original.  Haven't seen it before.
>
>>
>> Even if the code is left unchanged, it seems appropriate to mention this
>> in the documentation of the '129:14' rule. (Speaking of which: it seems
>> documentation for '129:14' is missing?)
>>
>>
>> Best regards,
>>
>> Bram
>>
>>
>> Quoting Bram <bram-fabeg at ...3414...>:
>>
>>> Hi,
>>>
>>>
>>> The TCP implementation on *BSD (and by extension on Darwin) appears to
>>> contain a bug:
>>> When the TCP session is idle, it sends a 'TCP Keep-Alive' packet to
>>> determine if the connection still exists.
>>> This is expected.
>>>
>>> However: the 'TCP Keep-Alive' packet does not have the timestamp option
>>> set.
>>> This causes snort to generate the alert 'STREAM5_NO_TIMESTAMP'.
>>>
>>> While the event is correct, it is a bit undesirable since this makes it
>>> difficult to see unexplained anomalies/actual problems.
>>>
>>> Attached is a patch which detects the 'TCP Keep-Alive' packets sent by
>>> BSD/Darwin and prevents the alert from being generated.
>>> I'm not sure if the 'TCP Keep-Alive' packet should be ignored by
>>> default; perhaps it's better to add a config option for it?
>>>
>>> Also: when *BSD/Darwin sends an ack on a 'TCP Keep-Alive' packet, it
>>> does appear to include the timestamp.
>>>
>>> (This was detected due to a PPTP client being connected from a Mac -
>>> tcp idle -> keep-alives sent)
>>>
>>>
>>> Attached are four dumps:
>>> * keepalive.pcap: connection between NetBSD and Linux (NetBSD sending
>>>  Keep-Alive)
>>> * keepalive2.pcap: connection between NetBSD and NetBSD
>>> * keepalive4.pcap: connection between Linux and NetBSD host (Linux
>>>  sending Keep-Alive)
>>> * no_timestamp.pcap: tcp session created using raw sockets
>>>
>>>
>>>
>>> Configuration file used:
>>>        config checksum_mode: all
>>>        dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
>>>        preprocessor stream5_global: track_tcp yes, \
>>>           track_udp no, \
>>>           track_icmp no, \
>>>           max_tcp 262144, \
>>>           max_udp 131072
>>>        preprocessor stream5_tcp: policy windows, detect_anomalies
>>>
>>>        alert ( msg: "STREAM5_NO_TIMESTAMP"; sid: 14; gid: 129; rev: 1;
>>>  metadata: rule-type preproc ; )
>>>
>>>        output alert_fast: stdout
>>>
>>> Output:
>>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive.pcap 2>&1 | grep '129:'
>>>        07/22-14:16:03.787282  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52185 -> 192.168.173.50:6666
>>>        07/22-14:16:13.787173  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52185 -> 192.168.173.50:6666
>>>
>>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive2.pcap 2>&1 | grep '129:'
>>>        07/22-14:18:45.965624  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52179 -> 192.168.173.51:6666
>>>        07/22-14:18:55.965523  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52179 -> 192.168.173.51:6666
>>>
>>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive3.pcap 2>&1 | grep '129:'
>>>
>>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/no_timestamp.pcap 2>&1 | grep '129:'
>>>        08/01-16:33:02.253871  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.1:6000 -> 192.168.173.153:33705
>>>
>>>
>>>
>>> Output with patched version:
>>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive.pcap 2>&1 | grep '129:'
>>>
>>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive2.pcap 2>&1 | grep '129:'
>>>
>>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive3.pcap 2>&1 | grep '129:'
>>>
>>>        $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/no_timestamp.pcap 2>&1 | grep '129:'
>>>        08/01-16:33:02.253871  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.1:6000 -> 192.168.173.153:33705
>>>
>>>
>>> => No alert on TCP Keep-Alive from BSD/Darwin.
>>>
>>>
>>>
>>> Best regards,
>>>
>>> Bram
>>>
>>>
>>
>>
>>
>
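Added example (my own code, written for this page; it is neither Bram's patch nor Snort's stream5 source): a stand-alone Python model of the 129:14 decision that separates a timestamp-less keep-alive probe from a segment that genuinely dropped the option, so the two can be triaged apart without silencing the alert for everything. It assumes the keep-alive rule that Wireshark's TCP analysis applies (a segment of at most one byte whose sequence number is one below the next expected one, with none of SYN/FIN/RST set) and treats "timestamps negotiated" as both SYNs carrying the option; the thread does not say which condition Bram's patch or the stream5 tracker actually uses. The frames are constructed in the script; only the addresses and ports are borrowed from the keepalive.pcap output above. No checksums are verified (Snort with `checksum_mode: all` would drop a bad one before stream5 sees it).

```python
import struct
from collections import defaultdict

TS_KIND = 8                                  # TCP Timestamps option (RFC 7323)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP flag bits

def tcp_options(opts):
    """Yield (kind, data) from a raw TCP options field; stop at EOL or a malformed length."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # EOL
            return
        if kind == 1:                        # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return
        yield kind, opts[i + 2:i + opts[i + 1]]
        i += opts[i + 1]

def parse_frame(frame):
    """Minimal Ethernet/IPv4/TCP parser (checksums are not verified). None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                           # IP protocol number 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4
    return {"src": ".".join(map(str, ip[12:16])), "sport": sport,
            "dst": ".".join(map(str, ip[16:20])), "dport": dport,
            "seq": seq, "ack": ack, "flags": off_flags & 0x1FF,
            "payload_len": len(tcp) - doff,
            "has_ts": TS_KIND in dict(tcp_options(tcp[20:doff]))}

class TimestampAuditor:
    """Per-flow model: once both SYNs carried the Timestamps option, later segments are
    expected to carry it too; a keep-alive probe lacking it is reported separately."""

    def __init__(self):
        self.syn_ts = defaultdict(dict)      # flow -> {sender: SYN carried TS?}
        self.next_seq = {}                   # sender -> next expected sequence number

    def classify(self, pkt):
        sender = (pkt["src"], pkt["sport"])
        flow = frozenset([sender, (pkt["dst"], pkt["dport"])])
        if pkt["flags"] & SYN:
            self.syn_ts[flow][sender] = pkt["has_ts"]
            self.next_seq[sender] = pkt["seq"] + 1
            return "handshake"
        negotiated = len(self.syn_ts[flow]) == 2 and all(self.syn_ts[flow].values())
        expected = self.next_seq.get(sender)
        # Keep-alive rule (assumption, same as Wireshark): <=1 byte, seq = expected-1, no SYN/FIN/RST
        keepalive = (expected is not None and pkt["payload_len"] <= 1
                     and pkt["seq"] == (expected - 1) & 0xFFFFFFFF
                     and not pkt["flags"] & (SYN | FIN | RST))
        if not keepalive:                    # a probe carries no new data, so expected seq is unchanged
            self.next_seq[sender] = (pkt["seq"] + pkt["payload_len"] + bool(pkt["flags"] & FIN)) & 0xFFFFFFFF
        if negotiated and not pkt["has_ts"] and not pkt["flags"] & RST:
            return "keepalive-no-timestamp" if keepalive else "NO_TIMESTAMP"
        return "keepalive" if keepalive else "ok"

def mk_frame(src, sport, dst, dport, seq, ack, flags, ts=True, payload=b""):
    """Constructed test frame (Ethernet/IPv4/TCP); checksums left zero, never verified here."""
    opts = b"\x01\x01\x08\x0a" + struct.pack("!II", 4242, 0) if ts else b""   # NOP NOP TS
    doff = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (doff << 12) | flags,
                      65535, 0, 0) + opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + b"\x08\x00" + ip + tcp

# Constructed flow; only the endpoints mirror the keepalive.pcap alert above, the packets are made up
A, B = ("192.168.173.51", 52185), ("192.168.173.50", 6666)

def demo():
    frames = [
        mk_frame(*A, *B, 1000, 0, SYN),                          # SYN with TS
        mk_frame(*B, *A, 5000, 1001, SYN | ACK),                 # SYN/ACK with TS
        mk_frame(*A, *B, 1001, 5001, ACK),
        mk_frame(*A, *B, 1001, 5001, ACK, payload=b"hello"),
        mk_frame(*B, *A, 5001, 1006, ACK),
        mk_frame(*A, *B, 1005, 5001, ACK, ts=False),             # BSD-style probe: seq = next-1, no TS
        mk_frame(*B, *A, 5001, 1006, ACK),                       # reply to the probe carries TS
        mk_frame(*A, *B, 1006, 5001, ACK, ts=False, payload=b"bad"),  # in-sequence data without TS
    ]
    auditor = TimestampAuditor()
    return [auditor.classify(parse_frame(f)) for f in frames]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running it prints one verdict per frame: the probe comes out as "keepalive-no-timestamp" while the in-sequence data segment without the option comes out as "NO_TIMESTAMP", which is the distinction a suppression would need to make. One caveat worth keeping in mind when deciding whether to suppress by default, as Bram asks: anything matching the probe shape is a segment of at most one byte sitting below the receiver's window, so the receiver discards its payload as a duplicate; suppressing the event for it loses no evasion coverage, but a config option makes the choice visible rather than silent.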