[Snort-devel] Rules using segment keywords shouldn't be applied to reassembled streams

Russ rucombs at ...3461...
Wed Nov 4 10:31:03 EST 2015


Good points, Mike.  Snort++ is moving in this direction.  If you don't 
load legacy rules, tcp rules are applied to raw tcp segments only.  It 
is still possible to write "broken rules" though, such as alert http 
with seq.  These will become errors at some point.

In Snort, ack and window are set for reassembled packets based on the 
actual values in the segments reassembled.  In general, they won't be 
zero, but those are valid values.  In Snort++, reassembled packets are 
just reassembled buffers associated with a flow so none of these apply.

dsize should generally not be used for raw segments or reassembled PDUs 
but a case can be made for each.  It is potentially more reliable with 
PDUs since the arbitrary segmentation has been eliminated.

On 11/4/15 8:15 AM, Mike Cox wrote:
> I propose that rules using the "ack", "seq", and "window" keywords not 
> be applied against reassembled streams. Since these values only apply 
> to TCP segments, it only makes sense to evaluate them in that context 
> only.  In fact, not doing so can create non-trivial false positives, 
> especially in cases where the sensor only sees one side of the traffic 
> (simplex) due to routing, switching, or other myriad setups that exist 
> in production networks more than you think.
>
> I have attached an example pcap.  If you run it through Snort with the 
> following rule, you will see an alert when you should not. You will 
> want to configure the normalize preprocessor such that Snort's 
> flushing policy is Footprint-IPS (or Protocol-IPS should work too I 
> think).
>
> alert tcp any any -> any any (msg:"ACK with zero value found"; 
> flow:established,to_server; ack:0; sid:12349999;)
>
> The streams preprocessor ends up setting the ACK value on the 
> reassembled ("pseudo" or "stream") packet to zero which causes a false 
> positive alert.  Here is the stream packet with PAF enabled (you can 
> run it without PAF enabled and get multiple hits).  You can see that 
> the "Ack" and "Win" values are "0x0" even though this is not the case 
> for any of the actual segments in the pcap:
>
> +++++++++++++++++++Stream Packet+++++++++++++++++++++
> 01/30-13:56:04.466490 192.168.97.167:46553 -> 208.68.163.218:80
> TCP TTL:64 TOS:0x0 ID:62087 IpLen:20 DgmLen:1807 DF
> ***AP*** Seq: 0x46F99B48 Ack: 0x0  Win: 0x0 TcpLen: 32
> 0x0000: 00 0E B6 29 18 89 00 90 F5 AA 83 DA 08 00 45 00 ...)..........E.
> 0x0010: 07 0F F2 87 40 00 40 06 B1 4C C0 A8 61 A7 D0 44 ....@.@..L..a..D
> 0x0020: A3 DA B5 D9 00 50 46 F9 9B 48 00 00 00 00 80 18 .....PF..H......
> 0x0030: 00 00 FC B0 00 00 01 01 08 0A 29 07 69 E1 CD CC ..........).i...
> 0x0040: 6E DE 3C 73 74 72 65 61 6D 3A 73 74 72 65 61 6D n.<stream:stream
> 0x0050: 20 74 6F 3D 27 6A 61 62 62 65 72 2E 6F 72 67 27  to='jabber.org'
> 0x0060: 20 78 6D 6C 6E 73 3A 73 74 72 65 61 6D 3D 27 68 xmlns:stream='h
> 0x0070: 74 74 70 3A 2F 2F 65 74 68 65 72 78 2E 6A 61 62 ttp://etherx.jab
> 0x0080: 62 65 72 2E 6F 72 67 2F 73 74 72 65 61 6D 73 27 ber.org/streams'
> 0x0090: 20 78 6D 6C 6E 73 3D 27 6A 61 62 62 65 72 3A 63 xmlns='jabber:c
> 0x00A0: 6C 69 65 6E 74 27 20 78 6D 6C 3A 6C 61 6E 67 3D lient' xml:lang=
> 0x00B0: 27 65 6E 27 20 76 65 72 73 69 6F 6E 3D 27 31 2E 'en' version='1.
> 0x00C0: 30 27 3E 3C 73 74 61 72 74 74 6C 73 20 78 6D 6C 0'><starttls xml
> 0x00D0: 6E 73 3D 22 75 72 6E 3A 69 65 74 66 3A 70 61 72 ns="urn:ietf:par
> 0x00E0: 61 6D 73 3A 78 6D 6C 3A 6E 73 3A 78 6D 70 70 2D ams:xml:ns:xmpp-
> 0x00F0: 74 6C 73 22 3E 3C 72 65 71 75 69 72 65 64 20 2F tls"><required /
> 0x0100: 3E 3C 2F 73 74 61 72 74 74 6C 73 3E 16 03 01 02 ></starttls>....
> 0x0110: 00 01 00 01 FC 03 03 19 C1 EE 80 F2 33 72 12 A4 ............3r..
> 0x0120: F2 45 93 D3 D3 5C EE 0C F0 6D 44 1B 71 A6 1A A0 .E...\...mD.q...
> 0x0130: 8A 7D 63 AB AC 4F CF 00 00 9E C0 30 C0 2C C0 32 .}c..O.....0.,.2
> 0x0140: C0 2E C0 2F C0 2B C0 31 C0 2D 00 A5 00 A3 00 A1 .../.+.1.-......
> 0x0150: 00 9F 00 A4 00 A2 00 A0 00 9E C0 28 C0 24 C0 14 ...........(.$..
> 0x0160: C0 0A C0 2A C0 26 C0 0F C0 05 00 6B 00 6A 00 69 ...*.&.....k.j.i
> 0x0170: 00 68 00 39 00 38 00 37 00 36 C0 27 C0 23 C0 13 .h.9.8.7.6.'.#..
> 0x0180: C0 09 C0 29 C0 25 C0 0E C0 04 00 67 00 40 00 3F ...).%.....g.@.?
> 0x0190: 00 3E 00 33 00 32 00 31 00 30 C0 12 C0 08 C0 0D .>.3.2.1.0......
> 0x01A0: C0 03 00 88 00 87 00 86 00 85 00 45 00 44 00 43 ...........E.D.C
> 0x01B0: 00 42 00 16 00 13 00 10 00 0D 00 9D 00 9C 00 3D .B.............=
> 0x01C0: 00 35 00 3C 00 2F 00 84 00 41 00 0A C0 11 C0 07 .5.<./...A......
> 0x01D0: C0 0C C0 02 00 05 00 FF 02 01 00 01 34 00 0B 00 ............4...
> 0x01E0: 04 03 00 01 02 00 0A 00 3A 00 38 00 0E 00 0D 00 ........:.8.....
> 0x01F0: 19 00 1C 00 0B 00 0C 00 1B 00 18 00 09 00 0A 00 ................
> 0x0200: 1A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 ................
> 0x0210: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00 ................
> 0x0220: 10 00 11 00 23 00 00 00 0D 00 20 00 1E 06 01 06 ....#..... .....
> 0x0230: 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 ................
> 0x0240: 01 03 02 03 03 02 01 02 02 02 03 00 0F 00 01 01 ................
> 0x0250: 00 15 00 BD 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 0x0260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 0x0270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 0x0280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 0x0290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 0x02A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 0x02B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 0x02C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 0x02D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 0x02E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 0x02F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 0x0300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 0x0310: 00 16 03 03 00 07 0B 00 00 03 00 00 00 16 03 03 ................
> 0x0320: 00 46 10 00 00 42 41 04 09 7D 68 14 28 90 1E 4B .F...BA..}h.(..K
> 0x0330: FB D1 12 E0 B1 5E B7 89 B5 49 31 BB A3 C7 4A FA .....^...I1...J.
> 0x0340: 87 DB D1 BE 3A E6 F8 9D ED 57 CA 32 D3 BF DC 94 ....:....W.2....
> 0x0350: EC 3E EA BC 51 3C 70 3E 59 F7 AE 05 D2 66 34 99 .>..Q<p>Y....f4.
> 0x0360: 2F 03 D1 A0 A0 8D 2F 22 14 03 03 00 01 01 16 03 /...../"........
> 0x0370: 03 00 28 BC 46 F6 8E 10 78 3E 0B BF 14 C1 E5 A3 ..(.F...x>......
> 0x0380: C0 3F 0E 1C 83 50 0A 61 6B A8 3E 6D B4 A2 C2 22 .?...P.ak.>m..."
> 0x0390: 51 19 DA 79 13 C3 1F 2D CC 11 3B 17 03 03 00 99 Q..y...-..;.....
> 0x03A0: BC 46 F6 8E 10 78 3E 0C 2C C7 36 8A C6 46 37 0E .F...x>.,.6..F7.
> 0x03B0: 45 7E 5C EE 11 2A E0 29 39 F6 98 85 36 9C 4B D6 E~\..*.)9...6.K.
> 0x03C0: FD 5D 44 81 A3 93 21 39 BF 41 13 56 53 36 BD 47 .]D...!9.A.VS6.G
> 0x03D0: 5E 2A 67 3F 8B 7B 54 9F BF 83 4D A7 03 01 D2 A7 ^*g?.{T...M.....
> 0x03E0: 95 99 B8 E1 DF 01 49 BB 15 5B AF 65 4A 24 D9 30 ......I..[.eJ$.0
> 0x03F0: 42 1C 39 BF 6E 43 5A 28 C6 8F 4F CB 16 A6 87 BA B.9.nCZ(..O.....
> 0x0400: 64 EB C4 B1 03 08 A3 DD 8D 04 64 65 4C 4F FB AA d.........deLO..
> 0x0410: 02 0D BE B7 82 FC 50 D7 45 D5 F1 CC FA B1 C0 FF ......P.E.......
> 0x0420: CC 37 98 6A 2D D9 1E B1 14 E0 7F B8 0D 15 B9 C2 .7.j-...........
> 0x0430: 3D 73 EE BD 39 A9 CA BE 42 17 03 03 00 5E BC 46 =s..9...B....^.F
> 0x0440: F6 8E 10 78 3E 0D 5A D5 66 8D 9D F8 1C 7C AD 42 ...x>.Z.f....|.B
> 0x0450: 49 43 69 B3 7C 0C 4C 5E 8E 84 13 61 8E A7 1C 0D ICi.|.L^...a....
> 0x0460: 66 1D 93 81 01 BC FC 22 5D 39 47 D4 47 29 66 A8 f......"]9G.G)f.
> 0x0470: 6F 7C C4 9A B6 5C 16 6F 9B 4C 58 92 28 D3 40 C0 o|...\.o.LX.(.@.
> 0x0480: 9B BE CD 4B F4 57 AF 9E FF 56 28 FC 31 EB CF 49 ...K.W...V(.1..I
> 0x0490: E8 72 D0 7E 56 B3 40 29 F8 4B E3 AC 17 03 03 00 .r.~V.@).K......
> 0x04A0: 96 BC 46 F6 8E 10 78 3E 0E 3E 12 2B C6 09 1E 9C ..F...x>.>.+....
> 0x04B0: C7 50 25 AA E8 3C 80 5F 1B 12 19 6C D1 D6 CA 38 .P%..<._...l...8
> 0x04C0: 29 F6 40 A6 9A 10 9C 8B E1 34 99 AE 11 CE E2 D5 ).@......4......
> 0x04D0: 79 84 4C C8 2D 9A D8 87 D9 35 20 63 2C CD 5F E1 y.L.-....5 c,._.
> 0x04E0: 4D 2C AB E0 D6 9B 50 A1 B3 7E 94 D4 A5 87 2F B5 M,....P..~..../.
> 0x04F0: 66 9B 3A FE CA 31 17 C9 C4 A1 50 53 75 C9 B1 16 f.:..1....PSu...
> 0x0500: 99 2E F6 CE 35 EF B2 DE 78 F8 23 E4 9C BE 2E 1D ....5...x.#.....
> 0x0510: 4C 41 6C 2F 25 F4 D8 19 3E 4C EE DD 04 72 9D 72 LAl/%...>L...r.r
> 0x0520: 4B 16 C5 5F 08 90 F3 C4 B7 AA 5A DD 83 54 6D F9 K.._......Z..Tm.
> 0x0530: EF D7 D9 3C 4A 94 42 17 03 03 00 7C BC 46 F6 8E ...<J.B....|.F..
> 0x0540: 10 78 3E 0F 32 9C CB 7A FF B5 88 2E 97 9F 24 F5 .x>.2..z......$.
> 0x0550: 27 3B 5D FE E6 42 1B 7F 65 7E 9B 70 AB B0 61 D3 ';]..B..e~.p..a.
> 0x0560: B4 96 F4 80 07 79 9B 9C 3A F5 EF 7D 7D E3 1D 5E .....y..:..}}..^
> 0x0570: 75 4D 2C 1F EC B3 A5 12 E5 46 28 4D 05 65 0C E3 uM,......F(M.e..
> 0x0580: FC 5E CF 34 55 3D BC 06 A7 3C A6 55 73 E2 79 39 .^.4U=...<.Us.y9
> 0x0590: 1D 3E 9D 71 55 73 D9 AF ED 2B 20 A4 45 28 5F A8 .>.qUs...+ .E(_.
> 0x05A0: DC 56 00 98 F9 45 B8 9A 38 13 DB D2 4B 86 2F B2 .V...E..8...K./.
> 0x05B0: AB 34 97 F9 7E 46 95 78 17 03 03 00 61 BC 46 F6 .4..~F.x....a.F.
> 0x05C0: 8E 10 78 3E 10 57 EB FA 58 9E 36 17 AE C2 A7 D5 ..x>.W..X.6.....
> 0x05D0: 67 3F 9A 48 BB 65 1A 14 6A 92 C8 D4 A0 02 39 40 g?.H.e..j.....9@
> 0x05E0: EA 26 58 06 52 E0 78 34 A4 18 BC 24 A8 9E 4F 88 .&X.R.x4...$..O.
> 0x05F0: 23 5D B5 60 F8 4D C2 B2 CF 00 81 8F E3 2B 47 B6 #].`.M.......+G.
> 0x0600: CC 37 31 2D 25 BB D3 C2 E9 0F 32 D4 54 15 6B B5 .71-%.....2.T.k.
> 0x0610: 0D 63 FA F2 9C 25 85 40 46 E1 7E A0 3B 85 17 03 .c...%.@F.~.;...
> 0x0620: 03 00 6A BC 46 F6 8E 10 78 3E 11 3E 20 DF 1C B6 ..j.F...x>.> ...
> 0x0630: E0 6B 25 FF F7 13 92 3E 00 E7 A8 0B E2 8A ED 41 .k%....>.......A
> 0x0640: DE 7E 7C 7F 64 EF CF 46 20 93 03 1E 91 EF 31 48 .~|.d..F .....1H
> 0x0650: 66 21 7F 9C 99 11 1F 0C C9 62 3D A4 2F BC 72 F2 f!.......b=./.r.
> 0x0660: B2 EB 14 48 9C C2 ED 1A 68 E5 8E CE 31 ED FD A5 ...H....h...1...
> 0x0670: 60 38 0B 19 A1 38 C5 A6 24 2E 52 A2 30 18 3B 58 `8...8..$.R.0.;X
> 0x0680: 22 90 75 18 BE FB CD 7D 40 DE 97 20 9E 17 03 03 ".u....}@.. ....
> 0x0690: 00 5E BC 46 F6 8E 10 78 3E 12 65 66 BE DD 86 BE .^.F...x>.ef....
> 0x06A0: 61 81 34 43 0A 08 E0 1D 08 85 E7 BF 44 0A E4 28 a.4C........D..(
> 0x06B0: FE 80 16 73 77 1D AD 53 DE 9F A7 79 BC 54 34 A7 ...sw..S...y.T4.
> 0x06C0: E7 FD 27 E4 8E E6 9F 2F 08 99 D5 5C 6E E6 D4 A8 ..'..../...\n...
> 0x06D0: 80 1D 26 3E 85 0D 6C BF 2E E3 4A F4 FF FE 52 FF ..&>..l...J...R.
> 0x06E0: 27 CC 63 D6 E8 C0 61 A3 5D E6 30 51 18 78 F4 41 '.c...a.].0Q.x.A
> 0x06F0: 17 03 03 00 28 BC 46 F6 8E 10 78 3E 13 37 FA 11 ....(.F...x>.7..
> 0x0700: 5A 81 54 B8 4D 95 4B 71 7A 60 1F 5E 1B CF 84 03 Z.T.M.Kqz`.^....
> 0x0710: D6 09 C4 B3 D2 AB 2A ED 5C 86 7B 6F 19 ......*.\.{o.
>
> I'd be curious what other details you can provide about this issue and 
> its resolution.  It is my understanding that using the "dsize" 
> keyword will force a rule to not be applied against reassembled 
> streams (except if PAF is enabled and supported, then it is applied 
> against the PDU).  I suggest a similar solution to this issue but not 
> make an exception for PAF.
>
> Thanks!
>
> -Mike Cox
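The false positive in this thread, worked through in code. This is an added example, not Snort's code and not part of either post: it decodes the header rows of the "Stream Packet" dump quoted above, confirms that Ack and Win are 0 while Seq is 0x46F99B48 and the payload is 1755 bytes, and then evaluates Mike's ack:0 rule two ways, as Snort currently does (segment keywords compared against the pseudo packet) and as he proposes (a rule carrying seq/ack/window is not applied to reassembled data). The second hex dump is a constructed raw segment with made-up ack/window values for contrast; stream state is not modelled, so flow: is treated as satisfied. validate_rule() mirrors the load-time error Russ says Snort++ will raise for things like "alert http ... seq".

```python
import struct
from dataclasses import dataclass

# Header rows of the "Stream Packet" dump quoted in the thread: 14-byte
# Ethernet, 20-byte IPv4 and 32-byte TCP header, then the start of the
# payload. The full payload is not needed to read the TCP fields.
STREAM_PACKET_HEX = """
00 0E B6 29 18 89 00 90 F5 AA 83 DA 08 00 45 00
07 0F F2 87 40 00 40 06 B1 4C C0 A8 61 A7 D0 44
A3 DA B5 D9 00 50 46 F9 9B 48 00 00 00 00 80 18
00 00 FC B0 00 00 01 01 08 0A 29 07 69 E1 CD CC
6E DE 3C 73 74 72 65 61 6D 3A 73 74 72 65 61 6D
"""

# Constructed raw segment for contrast (hypothetical ack/window values,
# IP length 140, checksums not recomputed): what a real client-to-server
# segment on this flow carries instead of Ack: 0x0 / Win: 0x0.
RAW_SEGMENT_HEX = """
00 0E B6 29 18 89 00 90 F5 AA 83 DA 08 00 45 00
00 8C F2 87 40 00 40 06 B1 4C C0 A8 61 A7 D0 44
A3 DA B5 D9 00 50 46 F9 9B 48 12 34 56 78 80 18
00 E5 FC B0 00 00 01 01 08 0A 29 07 69 E1 CD CC
6E DE 3C 73 74 72 65 61 6D 3A 73 74 72 65 61 6D
"""

SEGMENT_ONLY = {"seq", "ack", "window"}   # fields that exist only on real segments
INT_KEYWORDS = SEGMENT_ONLY | {"dsize", "sid"}


@dataclass
class TcpPacket:
    src: str; sport: int; dst: str; dport: int
    seq: int; ack: int; flags: int; window: int
    dsize: int      # payload bytes, derived from the IP total length
    rebuilt: bool   # True for a stream-reassembled pseudo packet


def parse_tcp(raw: bytes, rebuilt: bool = False) -> TcpPacket:
    """Decode Ethernet/IPv4/TCP headers. The frame may be truncated after the
    headers: dsize is taken from the IP total length, not from len(raw)."""
    if struct.unpack_from("!H", raw, 12)[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport, seq, ack, off_flags, window = struct.unpack_from("!HHIIHH", ip, ihl)
    doff = (off_flags >> 12) * 4
    return TcpPacket(src, sport, dst, dport, seq, ack, off_flags & 0x1FF,
                     window, total_len - ihl - doff, rebuilt)


def parse_rule_options(text: str) -> dict:
    """Turn 'key:value; key:value;' rule options into a dict (ints where numeric)."""
    opts = {}
    for item in filter(None, (s.strip() for s in text.split(";"))):
        key, _, val = item.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        opts[key] = int(val, 0) if key in INT_KEYWORDS else val
    return opts


def validate_rule(proto: str, options: dict) -> None:
    """Load-time check in the direction Russ describes for Snort++: seq/ack/window
    only make sense on tcp rules, so e.g. 'alert http ... seq' is rejected."""
    bad = SEGMENT_ONLY & options.keys()
    if bad and proto != "tcp":
        raise ValueError(f"{proto} rule uses segment-only keyword(s) {sorted(bad)}")


def rule_matches(options: dict, pkt: TcpPacket, apply_segment_keywords_to_rebuilt: bool = True) -> bool:
    """Evaluate the keywords used in the thread. The default reproduces what
    Mike observed (seq/ack/window compared against the pseudo packet's zeroed
    fields); False implements his proposal: a rule carrying those keywords is
    not applied to reassembled data at all. flow:, msg: and sid: are stream
    state / metadata and are treated as satisfied here."""
    if pkt.rebuilt and SEGMENT_ONLY & options.keys() and not apply_segment_keywords_to_rebuilt:
        return False
    for kw, want in options.items():
        if kw in ("flow", "msg", "sid"):
            continue
        if kw in SEGMENT_ONLY or kw == "dsize":
            if getattr(pkt, kw) != want:
                return False
        else:
            raise ValueError(f"unsupported keyword {kw}")
    return True


def hex_to_bytes(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))


if __name__ == "__main__":
    rule = parse_rule_options('msg:"ACK with zero value found"; flow:established,to_server; ack:0; sid:12349999;')
    validate_rule("tcp", rule)
    pseudo = parse_tcp(hex_to_bytes(STREAM_PACKET_HEX), rebuilt=True)
    print(f"stream packet: seq={pseudo.seq:#x} ack={pseudo.ack:#x} win={pseudo.window:#x} dsize={pseudo.dsize}")
    print("alerts as Snort does today:", rule_matches(rule, pseudo))
    print("alerts under Mike's proposal:", rule_matches(rule, pseudo, apply_segment_keywords_to_rebuilt=False))
```

Run it as a script to see the two verdicts side by side. Note that dsize on the pseudo packet comes out as the whole flushed 1755-byte block, which is exactly why Russ warns it is unreliable on raw segments (arbitrary segmentation) and only somewhat better on PDUs.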
