[Snort-devel] Randomness in Snort engine

Hyunseok hyunseok at ...1117...
Fri Sep 12 15:49:07 EDT 2014


Tom,

What you said is absolutely correct.  When I use -H flag, I no longer see
any variation.

Thanks much!

-HS



On Fri, Sep 12, 2014 at 11:17 AM, Tom Peters (thopeter) <thopeter at ...3461...>
wrote:

>  HS,
>
>  The -H flag suppresses this random behavior as well as random hashing.
> It is useful for regression testing. You might want to retry your
> experiment and see if the variation stops.
>
>  Tom
>
>
>   From: Thomas Peters <thopeter at ...3461...>
> Date: Friday, September 12, 2014 10:46 AM
> To: "hyunseok at ...1117..." <hyunseok at ...1117...>
>
> Cc: "snort-devel at lists.sourceforge.net" <snort-devel at lists.sourceforge.net>
> Subject: Re: [Snort-devel] Randomness in Snort engine
>
>   HS,
>
>  I have no idea why the increment feature was added. Quite likely it was
> just a precaution.
>
>  Tom
>
>
>   From: Hyunseok <hyunseok at ...1117...>
> Reply-To: "hyunseok at ...1117..." <hyunseok at ...1117...>
> Date: Thursday, September 11, 2014 4:22 PM
> To: Thomas Peters <thopeter at ...3461...>
> Cc: "snort-devel at lists.sourceforge.net" <snort-devel at lists.sourceforge.net>
> Subject: Re: [Snort-devel] Randomness in Snort engine
>
>   Tom,
>
>  Thanks.  It makes sense now.
>
> "prevent the seams between message pieces from falling in predictable
> places that might be exploited to hide something from detection."
>
> Is this a known attack?  If so, could you share more information about it
> (e.g., url)?
>
> Thanks again for taking the time to respond.
>
> Regards,
> -HS
>
>
> On Thu, Sep 11, 2014 at 4:16 PM, Tom Peters (thopeter) <thopeter at ...3461...> wrote:
>
>>  Hi,
>>
>>  *Are you saying that Snort assembles MTU-size tcpdump-captured packets
>> to construct a large HTTP message body, and then re-chops it into a
>> slightly varying number of "Packet"s which are then injected into
>> SnortHttpInspect(Packet *p)?*
>>
>>  Yes, that is the general idea. TCP reassembly converts the IP packets
>> into a stream of data. An entire large HTTP message body cannot be
>> reconstructed because it would occupy too much memory and be unwieldy to
>> process. Every 16384-ish octets the data stream is cut and the resulting
>> block is converted into a pseudo-packet and forwarded to HttpInspect for
>> processing. The "-ish" is the random increment.
>>
>>  Tom
>>
>>
>>   From: Hyunseok <hyunseok at ...1117...>
>> Reply-To: "hyunseok at ...1117..." <hyunseok at ...1117...>
>> Date: Thursday, September 11, 2014 2:47 PM
>> To: Thomas Peters <thopeter at ...3461...>
>> Cc: "snort-devel at lists.sourceforge.net" <
>> snort-devel at lists.sourceforge.net>
>> Subject: Re: [Snort-devel] Randomness in Snort engine
>>
>>     Thanks for your reply.
>>
>>  It's true that the "total packets processed" that I showed earlier is
>> indeed the pkt-count stat under the "HTTP Inspect" section.
>>
>>  However, I am not sure if I fully understand the symptom.
>>
>>  I see that the packet counter is incremented in
>> SnortHttpInspect(HTTPINSPECT_GLOBAL_CONF *GlobalConf, Packet *p).
>>
>>  Are you saying that Snort assembles MTU-size tcpdump-captured packets to
>> construct a large HTTP message body, and then re-chops it into a slightly
>> varying number of "Packet"s which are then injected into
>> SnortHttpInspect(Packet *p)?
>>
>>  Sorry, I am new to Snort.
>>
>>  Regards,
>> -HS
>>
>>
>>
>> On Thu, Sep 11, 2014 at 2:14 PM, Tom Peters (thopeter) <
>> thopeter at ...3461...> wrote:
>>
>>>  Hi,
>>>
>>>  A possible explanation for your results.
>>>
>>>  Snort divides up very large protocol messages (e.g. HTTP message body)
>>> into pieces for processing. There is a small random increment added to the
>>> piece size that may vary between runs. Its purpose is to prevent the seams
>>> between message pieces from falling in predictable places that might be
>>> exploited to hide something from detection.
>>>
>>>  Over a very long run this jitter in the packet boundaries might add up
>>> to a slightly different number of packets.
>>>
>>>  Tom
>>>
>>>
>>>   From: Hyunseok <hyunseok at ...1117...>
>>> Reply-To: "hyunseok at ...1117..." <hyunseok at ...1117...>
>>> Date: Thursday, September 11, 2014 12:33 PM
>>> To: "snort-devel at lists.sourceforge.net" <
>>> snort-devel at lists.sourceforge.net>
>>> Subject: [Snort-devel] Randomness in Snort engine
>>>
>>>      Hi,
>>>
>>>  I have one question about Snort.
>>>
>>>  I was running Snort in offline mode by feeding a tcpdump packet trace
>>> to it.
>>>
>>>  I expected that Snort analysis result would be identical when I re-run
>>> Snort multiple times with the same packet trace.
>>>
>>>  However, I noticed that the total packets processed is slightly
>>> different across different runs, which affects other analysis results.
>>>
>>> result.0:    Total packets processed:              230718
>>> result.1:    Total packets processed:              230720
>>> result.2:    Total packets processed:              230722
>>> result.3:    Total packets processed:              230721
>>>
>>>  Do you guys have any idea where this slight randomness comes from in
>>> Snort?
>>>
>>>  I'm using the default snort configuration with default rule sets.
>>>
>>>  This question might be user-oriented, but I thought developers may
>>> have a better idea on the root cause.
>>>
>>>  Thanks,
>>>  -HS
>>>
>>>
>>
>
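As an added illustration (not code from this thread or from Snort itself), here is a toy model of the flush-point jitter Tom describes: a reassembled stream is cut every 16384 octets plus a random increment, so the number of pseudo-packets drifts between runs, while a jitter-free run (what the thread says -H gives you for regression testing) is reproducible. The jitter bound MAX_JITTER and the stream size TRACE_OCTETS are assumptions chosen for the demo, not values from the page.

```python
import random

FLUSH_BASE = 16384         # nominal cut size quoted in the thread ("16384-ish octets")
MAX_JITTER = 512           # assumed upper bound of the random increment (not stated on the page)
TRACE_OCTETS = 10_000_000  # constructed size of one reassembled HTTP body in the "trace"


def cut_stream(total_octets, rng=None):
    """Return the offsets at which the reassembled stream is cut into pseudo-packets.

    rng=None models jitter-free operation (what the thread says -H gives you);
    a random.Random instance models the per-run random increment on each cut.
    """
    cuts = []
    pos = 0
    while pos < total_octets:
        step = FLUSH_BASE + (rng.randint(0, MAX_JITTER) if rng is not None else 0)
        pos = min(pos + step, total_octets)   # last piece is whatever remains
        cuts.append(pos)
    return cuts


def pseudo_packet_count(total_octets, seed=None):
    """Number of pseudo-packets handed to the HTTP inspector for one run.

    seed=None -> no jitter (deterministic count); an int seeds the jitter
    source so a jittered run can be replayed exactly for regression testing.
    """
    rng = random.Random(seed) if seed is not None else None
    return len(cut_stream(total_octets, rng))


def replay_counts(total_octets, runs, jitter):
    """Simulate re-running the same trace `runs` times and collect the counts.

    With jitter each run gets a fresh, unseeded RNG, as an unpinned engine
    would; without jitter every run must produce the same count.
    """
    counts = []
    for _ in range(runs):
        rng = random.Random() if jitter else None
        counts.append(len(cut_stream(total_octets, rng)))
    return counts


if __name__ == "__main__":
    print("no jitter :", replay_counts(TRACE_OCTETS, 4, jitter=False))
    print("jitter    :", replay_counts(TRACE_OCTETS, 4, jitter=True))
```

The jittered counts can only land between ceil(TRACE_OCTETS / (FLUSH_BASE + MAX_JITTER)) and ceil(TRACE_OCTETS / FLUSH_BASE), which is the same few-packet drift HS saw in the "Total packets processed" line.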