[Snort-devel] Randomness in Snort engine

Tom Peters (thopeter) thopeter at ...3461...
Thu Sep 11 16:16:33 EDT 2014


Hi,

Are you saying that Snort assembles MTU-size tcpdump-captured packets to construct a large HTTP message body, and then re-chops it into a slightly varying number of "Packet"s which are then injected into SnortHttpInspect(Packet *p)?

Yes, that is the general idea. TCP reassembly converts the IP packets into a stream of data. An entire large HTTP message body cannot be reconstructed because it would occupy too much memory and be unwieldy to process. Every 16384-ish octets the data stream is cut and the resulting block is converted into a pseudo-packet and forwarded to HttpInspect for processing. The "-ish" is the random increment.

Tom

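The chunking behaviour described above (a reassembled TCP stream cut every "16384-ish" octets into pseudo-packets, with a random increment so the seams do not fall in predictable places) can be simulated to see both effects the thread mentions: the run-to-run drift in the pseudo-packet count, and why an inspector must carry state across a seam. The following is an added example, not Snort's code; the chunk size, the jitter range and the RNG are assumptions chosen for illustration, and the payload and marker string are constructed.

```python
"""Simulation of the stream-chunking behaviour described in this thread:
TCP reassembly yields a byte stream, which is cut every BASE_CHUNK-plus-jitter
octets into pseudo-packets handed to the HTTP inspector.  The constants, the
jitter range and the RNG below are assumptions for illustration, not Snort's
real values or code."""

import random
from typing import Callable, List

BASE_CHUNK = 16384   # assumed: the "16384-ish octets" from the thread
MAX_JITTER = 256     # assumed: upper bound of the random increment


def random_jitter(rng: random.Random) -> Callable[[], int]:
    """Return a jitter source drawing 0..MAX_JITTER from the given RNG."""
    return lambda: rng.randrange(0, MAX_JITTER + 1)


def split_into_pseudo_packets(stream: bytes, next_jitter: Callable[[], int]) -> List[bytes]:
    """Cut `stream` into pieces of BASE_CHUNK + next_jitter() bytes each.
    A fixed jitter source makes every seam position predictable, which is the
    property the random increment exists to remove."""
    chunks: List[bytes] = []
    pos = 0
    while pos < len(stream):
        size = BASE_CHUNK + next_jitter()
        chunks.append(stream[pos:pos + size])
        pos += size
    return chunks


def seam_offsets(chunks: List[bytes]) -> List[int]:
    """Stream offsets at which one pseudo-packet ends and the next begins."""
    offsets, pos = [], 0
    for chunk in chunks[:-1]:
        pos += len(chunk)
        offsets.append(pos)
    return offsets


def naive_match_count(chunks: List[bytes], pattern: bytes) -> int:
    """Match each pseudo-packet in isolation: a pattern straddling a seam is
    split across two chunks and is never seen whole."""
    return sum(chunk.count(pattern) for chunk in chunks)


def seam_aware_match_count(chunks: List[bytes], pattern: bytes) -> int:
    """Carry the last len(pattern)-1 bytes of the previous window into the next
    search so straddling matches are found.  The carried tail is too short to
    hold a whole pattern, so no match is counted twice."""
    carry, total = b"", 0
    for chunk in chunks:
        window = carry + chunk
        total += window.count(pattern)
        carry = window[-(len(pattern) - 1):] if len(pattern) > 1 else b""
    return total


def packet_counts_across_runs(stream_len: int, seeds: List[int]) -> List[int]:
    """Pseudo-packet count for the same stream under different RNG seeds,
    mirroring the drift in 'Total packets processed' between runs."""
    stream = b"a" * stream_len  # constructed filler payload
    return [len(split_into_pseudo_packets(stream, random_jitter(random.Random(s))))
            for s in seeds]


def straddling_stream(seam: int, pattern: bytes, total_len: int) -> bytes:
    """Constructed stream of filler with `pattern` written across offset `seam`."""
    start = seam - len(pattern) // 2
    body = bytearray(b"a" * total_len)
    body[start:start + len(pattern)] = pattern
    return bytes(body)


if __name__ == "__main__":
    marker = b"X-Marker-Token"  # constructed content-match string
    print("pseudo-packets per run:",
          packet_counts_across_runs(100 * (BASE_CHUNK + MAX_JITTER // 2), list(range(8))))
    s = straddling_stream(BASE_CHUNK, marker, 2 * BASE_CHUNK + 10)
    fixed = split_into_pseudo_packets(s, lambda: 0)
    print("seams:", seam_offsets(fixed),
          "naive:", naive_match_count(fixed, marker),
          "seam-aware:", seam_aware_match_count(fixed, marker))
```

With a stream whose length sits near a multiple of the average chunk size, different seeds yield 100 or 101 pseudo-packets, which is the same kind of small variance shown in the original report. The second half of the demo places the marker across the first seam: per-chunk matching reports zero hits while the carry-over matcher reports one, which is why the inspector's view of the stream, not the individual pseudo-packet, is what detection logic should be reasoned about.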

From: Hyunseok <hyunseok at ...1117...<mailto:hyunseok at ...1117...>>
Reply-To: "hyunseok at ...1117...<mailto:hyunseok at ...1117...>" <hyunseok at ...3512...17...<mailto:hyunseok at ...1117...>>
Date: Thursday, September 11, 2014 2:47 PM
To: Thomas Peters <thopeter at ...3461...<mailto:thopeter at ...3461...>>
Cc: "snort-devel at lists.sourceforge.net<mailto:snort-devel at ...362....net>" <snort-devel at lists.sourceforge.net<mailto:snort-devel at ...2763...rge.net>>
Subject: Re: [Snort-devel] Randomness in Snort engine

Thanks for your reply.

It's true that the "total packets processed" that I showed earlier is indeed the pkt-count stat under the "HTTP Inspect" section.

However, I am not sure if I fully understand the symptom.

I see that the packet counter is incremented in SnortHttpInspect(HTTPINSPECT_GLOBAL_CONF *GlobalConf, Packet *p).

Are you saying that Snort assembles MTU-size tcpdump-captured packets to construct a large HTTP message body, and then re-chops it into a slightly varying number of "Packet"s which are then injected into SnortHttpInspect(Packet *p)?

Sorry, I am new to Snort.

Regards,
-HS



On Thu, Sep 11, 2014 at 2:14 PM, Tom Peters (thopeter) <thopeter at ...3461...<mailto:thopeter at ...3461...>> wrote:
Hi,

A possible explanation for your results.

Snort divides up very large protocol messages (e.g. HTTP message body) into pieces for processing. There is a small random increment added to the piece size that may vary between runs. Its purpose is to prevent the seams between message pieces from falling in predictable places that might be exploited to hide something from detection.

Over a very long run this jitter in the packet boundaries might add up to a slightly different number of packets.

Tom


From: Hyunseok <hyunseok at ...1117...<mailto:hyunseok at ...1117...>>
Reply-To: "hyunseok at ...1117...<mailto:hyunseok at ...1117...>" <hyunseok at ...3512...17...<mailto:hyunseok at ...1117...>>
Date: Thursday, September 11, 2014 12:33 PM
To: "snort-devel at lists.sourceforge.net<mailto:snort-devel at ...362....net>" <snort-devel at lists.sourceforge.net<mailto:snort-devel at ...2763...rge.net>>
Subject: [Snort-devel] Randomness in Snort engine

Hi,

I have one question about Snort.

I was running Snort in offline mode by feeding a tcpdump packet trace to it.

I expected that Snort analysis result would be identical when I re-run Snort multiple times with the same packet trace.

However, I noticed that the total packets processed is slightly different across different runs, which affects other analysis results.

result.0:    Total packets processed:              230718
result.1:    Total packets processed:              230720
result.2:    Total packets processed:              230722
result.3:    Total packets processed:              230721

Do you guys have any idea where this slight randomness comes from in Snort?

I'm using the default snort configuration with default rule sets.

This question might be user-oriented, but I thought developers may have a better idea on the root cause.

Thanks,
-HS

