[Snort-users] Evasion Due to Multiple Instances of SPAN Traffic

Benjamin Small benjamin.small83 at ...11827...
Thu Jun 28 16:16:54 EDT 2007


While working with Snort I noticed a situation where Snort was inadvertently being evaded. I have narrowed the root cause down to the stream4 preprocessor. When reassembling both to_client and to_server streams, it appears that duplicating certain packets causes Snort to miss an attack. I demonstrate this in an attack where I attempt an /etc/passwd grab. None of the attacker's packets are duplicated, but I send three instances of the first response from the server containing a payload (and only the first packet with payload seems to matter). Oddly enough, if you read the pcap as a file ("snort -r evaded.pcap"), Snort fires. However, if Snort is reading this traffic from an interface, it misses the attack. To test this I used tcpreplay on a separate host.

This becomes a potential problem in IDS setups where traffic is being SPAN'd to a monitoring interface more than once. Since this can potentially cause every attack against an application that utilizes TCP to be missed, I wanted to bring this to the community's attention. This is more common in environments where complex SPAN sessions are used to relay data from multiple sources to an IDS for monitoring.

I am attaching a pcap and the configuration used in my test. Disabling the stream4 preprocessor or setting the "noinspect" option prevents the IDS from missing the attack. The pcap contains a series of 12 unique packets. The 8th unique packet is replicated twice, resulting in three instances of the initial response from the webserver after the attempted /etc/passwd grab. I only replicated this packet since, after trying different variations of duplicating other packets, it appears this packet was key for missing the attack. I have attached a spreadsheet containing data surrounding my tests. Each column contains the number of times each packet in the sequence was transmitted.

Benjamin Small
Attachments:
- evaded.pcap (application/cap, 2932 bytes): <https://lists.snort.org/pipermail/snort-users/attachments/20070628/5d67d222/attachment.bin>
- evaded.conf (application/octet-stream, 942 bytes): <https://lists.snort.org/pipermail/snort-users/attachments/20070628/5d67d222/attachment.obj>
- SnortEvadedSeq.ods (application/vnd.oasis.opendocument.spreadsheet, 10244 bytes): <https://lists.snort.org/pipermail/snort-users/attachments/20070628/5d67d222/attachment.ods>
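The precondition for the evasion described in this post is a monitoring interface that receives the same TCP segment more than once. The following added example (not the author's pcap or code, and not part of the Snort project) is a stdlib-only pcap check an operator can run against a capture from the SPAN port to find byte-identical TCP datagrams, which indicates a doubled SPAN feed; the sample traffic is constructed inline with placeholder addresses and mimics the post's scenario, one server reply mirrored three times next to a genuine retransmission.

```python
import struct
from collections import Counter

def pcap_frames(data):
    """Yield raw link-layer frames from classic libpcap bytes (either byte order)."""
    end = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def describe(dgram):
    """5-tuple plus IP ID and TCP sequence number of an IPv4/TCP datagram, for reporting."""
    ihl = (dgram[0] & 0x0F) * 4
    src, dst = (".".join(map(str, dgram[i:i + 4])) for i in (12, 16))
    sport, dport, seq = struct.unpack_from("!HHI", dgram, ihl)
    return f"{src}:{sport} -> {dst}:{dport} id={struct.unpack_from('!H', dgram, 4)[0]} seq={seq}"

def find_duplicates(pcap_bytes):
    """Map description -> copies for each TCP datagram seen byte-for-byte more than once.
    A real retransmission carries a fresh IP ID, so it does not match; a SPAN copy is identical, so it does."""
    counts = Counter()
    for frame in pcap_frames(pcap_bytes):
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[23] == 6:  # Ethernet/IPv4/TCP only
            counts[frame[14:14 + struct.unpack_from("!H", frame, 16)[0]]] += 1   # datagram cut at IP total length
    return {describe(d): n for d, n in counts.items() if n > 1}

# --- constructed sample traffic (not the evaded.pcap from the post) ---
def _frame(src, dst, sport, dport, ip_id, seq, payload):
    """Minimal Ethernet/IPv4/TCP PSH+ACK frame; checksums left zero, which this check never reads."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1183000000 + i, 0, len(f), len(f)) + f
    return out

CLIENT, SERVER = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80])
REPLY = b"HTTP/1.0 200 OK\r\n\r\nroot:x:0:0:root:/root:/bin/sh\n"
RESPONSE = _frame(SERVER, CLIENT, 80, 40000, 8, 1001, REPLY)  # first payload-bearing server reply
RETRANS = _frame(SERVER, CLIENT, 80, 40000, 9, 1001, REPLY)   # genuine retransmission: same seq, new IP ID
SAMPLE_PCAP = _pcap([_frame(CLIENT, SERVER, 40000, 80, 1, 1, b"GET /etc/passwd HTTP/1.0\r\n\r\n"),
                     RESPONSE, RESPONSE, RESPONSE, RETRANS])  # reply mirrored three times, as on a doubled SPAN
```

On a real capture, pass the file contents to find_duplicates(); any entry with a count above 1 points at a SPAN session mirroring the same link twice, which is exactly the condition under which the stream4 miss above can occur.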
