[Snort-users] Reassembled packets from Frag3 and Stream5

Rayne hjazz6 at ...14432...
Thu Oct 16 01:04:59 EDT 2008

Let me know if I understand this correctly.

Say I have a large HTML file that gets passed from the application layer to the TCP layer. TCP will look at this stream of data and divide it into segments, and append a TCP header to each segment. Each TCP segment will then be passed to the IP layer. If the TCP segment is larger than the MTU, then IP will further break up the TCP segments into fragments that are each smaller than the MTU. Each of these fragments will then have an IP header appended to it. This also means that some of these IP fragments will not have a TCP header. These IP fragments are then passed to the network layer.

Now, when these IP fragments are passed through the preprocessors, they first go through Frag3. The IP fragments are reassembled and form the TCP segments from before. At this stage, the original HTML file is still in chunks and not whole yet. These TCP segments then pass through the Stream5 preprocessor, where they are reassembled, and we are able to obtain the original HTML data.

If the TCP segments were smaller than the MTU size, then there would be no IP fragmentation, and these TCP segments would then pass through Frag3 unchanged.

If I have a string "ABCDEF" that I want to match, but the string spans across 2 fragments, i.e. "ABC" on one and "DEF" on the other, am I right to say the reassembled pseudo-packet by Frag3 and Stream5 will trigger the alert? What about UDP fragments?

Off-topic: How do I reply such that my posting appears within/under the previous relevant post, instead of creating a new posting/topic everytime I reply?

Thank you.


--- On Wed, 10/15/08, Matt Olney <molney at ...1935...> wrote:
From: Matt Olney <molney at ...1935...>
Subject: Re: [Snort-users] Reassembled packets from Frag3 and Stream5
To: wu_weidong at ...131...
Cc: snort-users at lists.sourceforge.net
Date: Wednesday, October 15, 2008, 1:03 PM

Pseudo packets from the Frag3 processor are then eligible to be stream reassembled in stream5.  Snort does not differentiate between pseudo packets or regular packets for the purpose of reassembly.  To extend your question somewhat, it is possible to alert more than once on a single attack.  If that attack is contained within one fragment, Snort will alert again on the reassembled packet.  If that packet is part of a stream, Snort will alert a third time on the reassembled stream.

The performance gain comes from the use of the flowbits: and flow:.  By being aware of the state of the stream, and being able to bail early in the rules evaluation process based on that state, we can avoid unnecessary load..  For example, flow: is very important in the following rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR bersek 1.0 runtime detection - init connection"; flow:to_server,established; flowbits:isset,Backdoor.Bersek.Init; content:"|23|[version]1.0"; depth:13; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/b/bersek/Bersek1.0..html; classtype:trojan-activity; sid:9657; rev:3;)

Because of the nature of the backdoor, we won't know for sure what tcp port it is listening on.  However, Stream5 tells us whether a packet is destined for a server or a client and using the "flow: to_server, established" check means we don't have to do any of the other checks if the packet is going the wrong way.  Further, the use of the Backdoor.Bersek.Init flowbit means that the stream must have already been tagged with a flowbit or, once again, we'll bail on the detection, avoiding unnecessary processing.

You might want to check out the performance rules slides at http://www.snort.org/vrt/docs/white_papers/, it might make some of this more clear.


On Tue, Oct 14, 2008 at 8:53 PM, Wu Wei Dong <wu_weidong at ...131...> wrote:

So it's possible for the pseudo-packets reassembled by Frag3 and Stream5 to be identical, in terms of both the headers and payload, if the fragments are the same? Do the pseudo-packets go through the preprocessors again, since the decoder comes before the preprocessors?

Also, what do you mean by "performance increase that is gained by handling flows with an understanding of the stream state."?

Thank you.



--- On Tue, 10/14/08, Matt Olney <molney at ...1935...> wrote:

> From: Matt Olney <molney at ...1935...>

> Subject: Re: [Snort-users] Reassembled packets from Frag3 and Stream5

> To: hjazz6 at ...14432...

> Cc: snort-users at lists.sourceforge.net

> Date: Tuesday, October 14, 2008, 9:00 PM

> The reassembled packets are identical to the combined

> payloads of the

> packets that are reassembled.  Snort reinjects the

> reassembled packets

> (pseudopackets) at the decoder level and detection is run

> against the

> reassembled packets.  While this does indeed add load to

> the system, this

> cost is entirely acceptable given the decrease in trivial

> evasion

> possibilies and is more than offset by the by performance

> increase that is

> gained by handling flows with an understanding of the

> stream state.


> Matt


> On Tue, Oct 14, 2008 at 4:42 AM, Rayne

> <hjazz6 at ...14432...> wrote:


> > Hi all,

> >

> > I know that Frag3 reassembles IP fragments, and

> Stream5 reassembles TCP

> > fragments. So are the reassembled packets identical,

> i.e. in terms of

> > payload? And wouldn't this increase the volume of

> traffic passed into the

> > detection engine and cause it to run slower, since

> there are now more

> > packets to check against the rules?

> >

> > Thank you.

> >

> > Regards,

> > Rayne

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20081015/364d4a72/attachment.html>

More information about the Snort-users mailing list