[Snort-devel] Randomness in Snort engine

Hyunseok hyunseok at ...1117...
Thu Sep 11 16:22:03 EDT 2014


Tom,

Thanks.  It makes sense now.

"prevent the seams between message pieces from falling in predictable
places that might be exploited to hide something from detection."

Is this a known attack?  If so, could you share more information about it
(e.g., url)?

Thanks again for taking the time to respond.

Regards,
-HS


On Thu, Sep 11, 2014 at 4:16 PM, Tom Peters (thopeter) <thopeter at ...3461...>
wrote:

>  Hi,
>
>  *Are you saying that Snort assembles MTU-size tcpdump-captured packets
> to construct a large HTTP message body, and then re-chops it into a
> slightly varying number of "Packet"s which are then injected into
> SnortHttpInspect(Packet *p)?*
>
>  Yes, that is the general idea. TCP reassembly converts the IP packets
> into a stream of data. An entire large HTTP message body cannot be
> reconstructed because it would occupy too much memory and be unwieldy to
> process. Every 16384-ish octets the data stream is cut and the resulting
> block is converted into a pseudo-packet and forwarded to HttpInspect for
> processing. The "-ish" is the random increment.
>
>  Tom
>
>
>   From: Hyunseok <hyunseok at ...1117...>
> Reply-To: "hyunseok at ...1117..." <hyunseok at ...1117...>
> Date: Thursday, September 11, 2014 2:47 PM
> To: Thomas Peters <thopeter at ...3461...>
> Cc: "snort-devel at lists.sourceforge.net" <snort-devel at lists.sourceforge.net
> >
> Subject: Re: [Snort-devel] Randomness in Snort engine
>
>  Thanks for your reply.
>
>  It's true that the "total packets processed" that I showed earlier is
> indeed the pkt-count stats under the "HTTP Inspect" section.
>
>  However, I am not sure if I fully understand the symptom.
>
>  I see that the packet counter is incremented in
> SnortHttpInspect(HTTPINSPECT_GLOBAL_CONF *GlobalConf, Packet *p).
>
>  Are you saying that Snort assembles MTU-size tcpdump-captured packets to
> construct a large HTTP message body, and then re-chops it into a slightly
> varying number of "Packet"s which are then injected into
> SnortHttpInspect(Packet *p)?
>
>  Sorry, I am new to Snort.
>
>  Regards,
> -HS
>
>
>
> On Thu, Sep 11, 2014 at 2:14 PM, Tom Peters (thopeter) <thopeter at ...3461...
> > wrote:
>
>>  Hi,
>>
>>  A possible explanation for your results.
>>
>>  Snort divides up very large protocol messages (e.g. HTTP message body)
>> into pieces for processing. There is a small random increment added to the
>> piece size that may vary between runs. Its purpose is to prevent the seams
>> between message pieces from falling in predictable places that might be
>> exploited to hide something from detection.
>>
>>  Over a very long run this jitter in the packet boundaries might add up
>> to a slightly different number of packets.
>>
>>  Tom
>>
>>
>>   From: Hyunseok <hyunseok at ...1117...>
>> Reply-To: "hyunseok at ...1117..." <hyunseok at ...1117...>
>> Date: Thursday, September 11, 2014 12:33 PM
>> To: "snort-devel at lists.sourceforge.net" <
>> snort-devel at lists.sourceforge.net>
>> Subject: [Snort-devel] Randomness in Snort engine
>>
>>  Hi,
>>
>>  I have one question about Snort.
>>
>>  I was running Snort in offline mode by feeding a tcpdump packet trace to
>> it.
>>
>>  I expected that Snort analysis result would be identical when I re-run
>> Snort multiple times with the same packet trace.
>>
>>  However, I noticed that the total packets processed is slightly
>> different across different runs, which affects other analysis results.
>>
>> result.0:    Total packets processed:              230718
>> result.1:    Total packets processed:              230720
>> result.2:    Total packets processed:              230722
>> result.3:    Total packets processed:              230721
>>
>>  Do you guys have any idea where this slight randomness comes from in
>> Snort?
>>
>>  I'm using the default snort configuration with default rule sets.
>>
>>  This question might be user-oriented, but I thought developers may have
>> a better idea on the root cause.
>>
>>  Thanks,
>>  -HS
>>
>>
>
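A small simulation of the splitting behaviour Tom describes, added here as an illustration; it is not Snort's own code and does not reproduce how Snort's stream reassembly or HttpInspect are implemented. BASE_PIECE follows the 16384 figure from the thread; MAX_JITTER (the range of the random increment), the filler stream and the stateless per-piece matcher are assumptions made for the demonstration. The matcher deliberately keeps no state across pieces, so it shows what predictable seams would let slip past a detector that scans each piece on its own, and the piece-count helper shows why the "Total packets processed" counter can differ by a few packets between runs of the same trace.

```python
import random

# Nominal cut size named in the thread ("every 16384-ish octets").
BASE_PIECE = 16384
# Assumed upper bound on the random increment; the thread does not give the range.
MAX_JITTER = 256


def cut_stream(length, rng=None):
    """Split a reassembled stream of `length` octets into (start, end) pieces.

    With rng=None every piece is exactly BASE_PIECE long (fixed seams).
    With an rng, each piece gets an independent random increment in
    [0, MAX_JITTER], mimicking the jitter described in the thread.
    """
    pieces = []
    pos = 0
    while pos < length:
        size = BASE_PIECE + (rng.randint(0, MAX_JITTER) if rng else 0)
        end = min(pos + size, length)
        pieces.append((pos, end))
        pos = end
    return pieces


def per_piece_match(data, pieces, pattern):
    """Stateless matcher: scans each piece in isolation, so a pattern that
    straddles a seam is invisible to it (assumed toy detector, not Snort's)."""
    return any(pattern in data[start:end] for start, end in pieces)


def build_stream(length, pattern, offset):
    """Constructed test stream: filler bytes with `pattern` written at `offset`."""
    buf = bytearray(b"A" * length)
    buf[offset:offset + len(pattern)] = pattern
    return bytes(buf)


def detection_rate(pattern, offset, runs, jitter, stream_len=40000, seed=1):
    """Fraction of `runs` in which per_piece_match sees `pattern`.

    jitter=False uses fixed seams every run; jitter=True reseeds the
    random increment per run, as happens between separate Snort runs.
    """
    data = build_stream(stream_len, pattern, offset)
    hits = 0
    for i in range(runs):
        rng = random.Random(seed + i) if jitter else None
        if per_piece_match(data, cut_stream(len(data), rng), pattern):
            hits += 1
    return hits / runs


def piece_count_spread(stream_len, runs, seed=1):
    """Sorted set of distinct piece counts seen across jittered runs of one stream."""
    return sorted({len(cut_stream(stream_len, random.Random(seed + i)))
                   for i in range(runs)})


if __name__ == "__main__":
    pat = b"EVIL-SIG"
    # Pattern occupies bytes 16380..16387, i.e. it straddles the first fixed seam.
    straddle = BASE_PIECE - 4
    print("fixed seams   :", detection_rate(pat, straddle, 50, jitter=False))
    print("jittered seams:", detection_rate(pat, straddle, 50, jitter=True))
    # Stream length chosen so the jittered piece count lands on either side of 600.
    print("piece counts  :", piece_count_spread(600 * (BASE_PIECE + MAX_JITTER // 2), 40))
```

With fixed seams the straddling pattern is never seen by the per-piece matcher; once the seam moves by a random amount on each run, the same content is caught in nearly every run, and the position an evasion would have to hit is no longer knowable in advance. The last line reproduces the effect from the original question: the same input yields 600 pieces in some runs and 601 in others, which is exactly the kind of small drift in the packet counter that was reported. Real engines also carry state across pieces, so the jitter is defence in depth rather than the only protection.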