[Snort-users] Snort Evasion?

Martin Roesch roesch at ...1935...
Sun Mar 17 17:10:04 EST 2002

Hi Rob,
     You're almost right.  When the sequence number rolls over *and* the
starting (base) sequence = 0 for *this flush* stream4 will ignore it because
it doesn't have PAWS built in (well, it probably will by the end of
tonight).  From the code:

    if(s->last_ack == 0 ||
       s->base_seq == 0 ||
       (s->last_ack < s->base_seq) ||
       (s->last_ack - s->base_seq > 65535))
        /* yeah, I know this is lame, we'll fix it */
        DeleteSpd(s->dataPtr, gotevent);

See, I even say it's lame in the comments. :)  To really resolve this
requires us to do a lot more TCP options processing in stream4, which we are
now working on.

It should be noted that this only works for the current segment set, once
the flush happens it'll pick back up on the stream data.  You can evade it,
but only until the flush point is hit.  I suppose a simple hack of a fix
(without implementing full PAWS) is to flush when the rollover is detected
automatically and keep the pre-rollover segment and reflush that one when
the next flush point it hit.  This would be similar to the behavior that was
implemented for segments that aren't fully ACK'd when they get flushed...


On 3/17/02 5:28 PM, "IDS Expect" <robertgoldman2000 at ...131...> wrote:

> Hi,
> I have been examining the snort 1.8.4 source code and
> I think I found a very simple way to evade Snort if
> and when stream4 is in use.
> It seems like in spp_stream4.c, FlushStream() will
> ignore all packets if base_seq is zero. Well, base_seq
> is set to the sequence number of the first data byte.
> What if the attacker initializes her TCP connection's
> sequence number to 0xffffffff. This well make base_seq
> zero and Snort will further ignore any data on this
> connection.
> Am I right?
> --rob 
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Sports - live college hoops coverage
> http://sports.yahoo.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

More information about the Snort-users mailing list