[Snort-users] Question on stream4 preprocessor
sgt_b at ...11733...
Mon May 3 05:00:05 EDT 2004
Thanks for the tip Fred. I went ahead and installed 2.1.3RC1, and added:
"config event_queue: max_queue 8 log 3 order_events content_length" to
my snort.conf file. Unfortunately, it appears that snort still does not
log the chunked encoding vulnerability, just the libwhisker attempts. It
should also be noted that I've used other Nessus plugins besides the
chunked encoding vulnerability with the same results.
Based on these tests it appears that one could obfuscate their attacks
by triggering other alerts in the same stream to mask the real attack.
If anyone can shed some light on this subject I'd appreciate it.
Fred McFeeters wrote:
>I don't know much about snort but I noticed on there web site thtat the new
>version can have multiple alerts per packet. Witch would leave me to believe
>that the old one couldn't, so its seeing the libwhisker first and then
>ignoring the chunked encoding.
>From: snort-users-admin at lists.sourceforge.net
>[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of sgt_b
>Sent: Tuesday, April 27, 2004 11:03 AM
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] Question on stream4 preprocessor
>Let's say an exploit is sent from one host to another, one byte at a
>time. It's the stream4_reassemble preprocessor's job to reassemble each
>byte of that session into its intended form, and pass that down to the
>detection engine. From there the exploit attempt should be detected by
>I've tested this, and it works of course.
>Here's my question though. As each packet is sent over the wire snort
>picks it up one packet at a time. Each packet along the stream is sent
>to the detection engine as well. If one of these packets triggers an
>alert, what is supposed to happen?
> From what I've read, it looks to me like there should be an alert
>generated for that packet, as well as the entire stream once the session
>is reassembled by stream4.
>In practice though, I've noticed some different behavior. In testing
>Nessus's Injection TCP NIDS evasion feature, I've notcied some
>inconsistencies in Snort's reactions.
>I'm testing this using the Apache Chunked encodiing vulnerability
>plugin. Utilizing the Injection method, Nessus will send the exploit to
>the webserver one character at a time (ie G in one packet, E in the
>next, T in another, etc) along with garbage packets in between.
>Snort will alert on any of the valid packets that only contain a '.' or
>|20| as a libwhisker space splicing attempt. It will not however send
>any alerts regarding the Chunked Encoding vulnerability.
>At first I questioned stream4, but if I disable the libwhisker rule,
>stream4 reassembles the packet just fine, and an alert is issued for the
>chunked encoding vulnerability.
>Shouldn't two alerts be issued though? One for the libwhisker attempt,
>and once the stream is reassembled, one for the chunked encoding
>This SF.Net email is sponsored by: Oracle 10g
>Get certified on the hottest thing ever to hit the market... Oracle 10g.
>Take an Oracle 10g class now, and we'll give you the exam FREE.
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
More information about the Snort-users