[Snort-users] Reassembled packets from Frag3 and Stream5

Matt Olney molney at ...1935...
Wed Oct 15 09:03:21 EDT 2008


Pseudo packets from the Frag3 processor are then eligible to be stream
reassembled in stream5.  Snort does not differentiate between pseudo packets
or regular packets for the purpose of reassembly.  To extend your question
somewhat, it is possible to alert more than once on a single attack.  If
that attack is contained within one fragment, Snort will alert again on the
reassembled packet.  If that packet is part of a stream, Snort will alert a
third time on the reassembled stream.

The performance gain comes from the use of the flowbits: and flow:.  By
being aware of the state of the stream, and being able to bail early in the
rules evaluation process based on that state, we can avoid unnecessary
load.  For example, flow: is very important in the following rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR bersek 1.0
runtime detection - init connection"; flow:to_server,established;
flowbits:isset,Backdoor.Bersek.Init; content:"|23|[version]1.0"; depth:13;
nocase; threshold:type limit, track by_src, count 1, seconds 300;
metadata:policy security-ips alert; reference:url,
www.megasecurity.org/trojans/b/bersek/Bersek1.0.html;
classtype:trojan-activity; sid:9657; rev:3;)

Because of the nature of the backdoor, we won't know for sure what tcp port
it is listening on.  However, Stream5 tells us whether a packet is destined
for a server or a client and using the "flow: to_server, established" check
means we don't have to do any of the other checks if the packet is going the
wrong way.  Further, the use of the Backdoor.Bersek.Init flowbit means that
the stream must have already been tagged with a flowbit or, once again,
we'll bail on the detection, avoiding unnecessary processing.

You might want to check out the performance rules slides at
http://www.snort.org/vrt/docs/white_papers/; they might make some of this more
clear.

Matt
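As an added example that is not part of this thread or of Snort's own code: a toy model of the early-bail behaviour described above for the sid:9657 rule. The session table, packets, addresses and helper names (`Stream`, `Packet`, `evaluate_sid_9657`, `run`) are all assumptions made up for the illustration; the counters record how far option evaluation got for each packet, so you can see that the `flow:` and `flowbits:` checks stop most packets before the `content:` match is ever attempted.

```python
# Added example, not from the thread or from Snort: a minimal model of how
# stream-aware rule options (flow:, flowbits:) let a rule bail out before the
# costlier content match runs. All names and data here are constructed.
from dataclasses import dataclass, field


@dataclass
class Stream:
    """Stand-in for a Stream5 session: who the server is, whether the
    handshake completed, and which flowbits have been set on it so far."""
    client: str
    server: str
    established: bool
    flowbits: set = field(default_factory=set)


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


# Constructed sessions: one established and already tagged by an earlier
# rule, one established but untagged, one still mid-handshake.
STREAMS = [
    Stream("10.0.0.5", "203.0.113.9", True, {"Backdoor.Bersek.Init"}),
    Stream("10.0.0.6", "203.0.113.9", True),
    Stream("10.0.0.7", "203.0.113.9", False),
]


def lookup_stream(pkt):
    """Find the session a packet belongs to, regardless of direction."""
    for st in STREAMS:
        if {pkt.src, pkt.dst} == {st.client, st.server}:
            return st
    return None


def evaluate_sid_9657(pkt, counters):
    """Evaluate the thread's rule options in order; True means an alert.
    `counters` counts how many packets reached each option."""
    st = lookup_stream(pkt)
    counters["flow"] += 1
    # flow:to_server,established -- bail if no session, not established,
    # or the packet is travelling towards the client.
    if st is None or not st.established or pkt.dst != st.server:
        return False
    counters["flowbits"] += 1
    # flowbits:isset,Backdoor.Bersek.Init -- bail if the session was never
    # tagged by the earlier rule in the chain.
    if "Backdoor.Bersek.Init" not in st.flowbits:
        return False
    counters["content"] += 1
    # content:"|23|[version]1.0"; depth:13; nocase; -- the 13-byte needle
    # must appear within the first 13 payload bytes, case-insensitively.
    needle = b"\x23[version]1.0"
    return needle.lower() in pkt.payload[:13].lower()


# Constructed traffic: only the first packet should alert.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "203.0.113.9", b"#[VERSION]1.0 hello"),   # alert
    Packet("203.0.113.9", "10.0.0.5", b"#[version]1.0 hello"),   # wrong way
    Packet("10.0.0.6", "203.0.113.9", b"#[version]1.0 hello"),   # no flowbit
    Packet("10.0.0.7", "203.0.113.9", b"#[version]1.0 hello"),   # not established
    Packet("10.0.0.5", "203.0.113.9", b"GET / HTTP/1.0\r\n"),    # content miss
]


def run(packets=SAMPLE_PACKETS):
    """Return (number of alerts, per-option evaluation counters)."""
    counters = {"flow": 0, "flowbits": 0, "content": 0}
    alerts = sum(evaluate_sid_9657(p, counters) for p in packets)
    return alerts, counters


if __name__ == "__main__":
    print(run())
```

Of the five constructed packets, all five hit the `flow:` check, three survive to the `flowbits:` check and only two reach the content match; that shrinking funnel is the "bail early" effect the reply describes.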


On Tue, Oct 14, 2008 at 8:53 PM, Wu Wei Dong <wu_weidong at ...131...> wrote:

> So it's possible for the pseudo-packets reassembled by Frag3 and Stream5 to
> be identical, in terms of both the headers and payload, if the fragments are
> the same? Do the pseudo-packets go through the preprocessors again, since
> the decoder comes before the preprocessors?
>
> Also, what do you mean by "performance increase that is gained by handling
> flows with an understanding of the stream state."?
>
> Thank you.
>
> Regards,
> Rayne
>
> --- On Tue, 10/14/08, Matt Olney <molney at ...1935...> wrote:
>
> > From: Matt Olney <molney at ...1935...>
> > Subject: Re: [Snort-users] Reassembled packets from Frag3 and Stream5
> > To: hjazz6 at ...14432...
> > Cc: snort-users at lists.sourceforge.net
> > Date: Tuesday, October 14, 2008, 9:00 PM
> > The reassembled packets are identical to the combined payloads of the
> > packets that are reassembled.  Snort reinjects the reassembled packets
> > (pseudopackets) at the decoder level and detection is run against the
> > reassembled packets.  While this does indeed add load to the system, this
> > cost is entirely acceptable given the decrease in trivial evasion
> > possibilities and is more than offset by the performance increase that is
> > gained by handling flows with an understanding of the stream state.
> >
> > Matt
> >
> > On Tue, Oct 14, 2008 at 4:42 AM, Rayne
> > <hjazz6 at ...14432...> wrote:
> >
> > > Hi all,
> > >
> > > I know that Frag3 reassembles IP fragments, and Stream5 reassembles TCP
> > > fragments. So are the reassembled packets identical, i.e. in terms of
> > > payload? And wouldn't this increase the volume of traffic passed into the
> > > detection engine and cause it to run slower, since there are now more
> > > packets to check against the rules?
> > >
> > > Thank you.
> > >
> > > Regards,
> > > Rayne
> > >
> > >
> > >
> > > -------------------------------------------------------------------------
> > > This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> > > Build the coolest Linux based applications with Moblin SDK & win great prizes
> > > Grand prize is a trip for two to an Open Source event anywhere in the world
> > > http://moblin-contest.org/redirect.php?banner_id=100&url=/
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
>