[Snort-users] [Emerging-Sigs] TCP Portals: The Handshake's a Lie!

Matt Olney molney at ...1935...
Tue Dec 1 15:53:18 EST 2009


Howdy all,

First, as I'm not subscribed to the Emerging-sigs list, I'm not
certain if this will make it there; if someone would be so kind as to
forward it, I would be grateful.

I'd like to close the loop a little on the "4-way handshake" problem.
We did some preliminary investigation into this and found that it was
possible to bypass rules using this.  The VRT did the initial testing
and the case was then passed to the Snort team.  Their testing
revealed a config change that would ensure that the snort rules would
alert properly in the face of a malicious server implementing a 4-way
capable stack.

The modification is to add the following value to your "preprocessor
stream5_tcp:" line:

require_3whs

To be clear, in the testing I'm going to show below, here are my values:

(failed test)  preprocessor stream5_tcp: policy first, use_static_footprint_sizes
(passed test)  preprocessor stream5_tcp: policy first, use_static_footprint_sizes, require_3whs

Here is the rules file I used to test:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Get with http_inspect method check"; flow: to_server, established; content:"GET"; http_method; sid: 3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Get with standard content match and flow check"; flow: to_server, established; content:"GET"; sid: 4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Get with standard content match and no flow check"; content:"GET"; sid: 6;)

Here is the output I ran, failed tests first: (Using the fake.pcap
from http://malforge.com/node/20):

Snort Test Suite v.0.3.0

Alerts:
1:6:0           Get with standard content match and no flow check
          Alerts: 1

In this case, we only alerted on the standard content match without
flow enforcement.  This indicates that stream5 has incorrectly
interpreted the stream.  Remember that both the flow keywords, as well
as the http_method modifier require stream5 to have properly marked a
stream in order to function.

Here are the tests after I added the require_3whs:

Snort Test Suite v.0.3.0

Alerts:
1:3:0           Get with http_inspect method check
          Alerts: 1
1:4:0           Get with standard content match and flow check
          Alerts: 1
1:6:0           Get with standard content match and no flow check
          Alerts: 1

We now correctly alert on checks in both the http_inspect preprocessor
and the flow direction.

I'll put together a blog post, but since this issue was discussed
here, I wanted to drop the information so you had our answer.

Matt
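As an added example (not part of Matt's post, and not the fake.pcap from malforge.com), the following standard-library Python script writes two pcaps you can replay through a sensor to repeat the test above: one with an ordinary SYN / SYN-ACK / ACK handshake, and one with the split "4-way" pattern the post is about, where the server answers the client's SYN with a bare SYN and then a separate ACK before the client's GET. The addresses and ports are constructed (RFC 5737 documentation ranges); the client is assumed to sit in $HOME_NET and the server in $EXTERNAL_NET so the three rules apply.

```python
"""Write pcaps for a 3-way handshake and a split 4-way handshake, each
followed by an HTTP GET. Added example, not Snort or malforge code.
Endpoints below are constructed test values."""
import struct

CLIENT = ("192.0.2.10", 40000)    # constructed; assumed inside $HOME_NET
SERVER = ("198.51.100.20", 80)    # constructed; assumed in $EXTERNAL_NET
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def _ip2bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def tcp_packet(src, dst, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame with valid checksums, no TCP options."""
    src_ip, sport = src
    dst_ip, dport = dst
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    pseudo = _ip2bytes(src_ip) + _ip2bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, _ip2bytes(src_ip), _ip2bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp


def build_session(split_handshake):
    """Handshake followed by a GET. split_handshake=False: SYN, SYN/ACK, ACK.
    split_handshake=True: SYN, bare SYN from server, separate ACK, ACK."""
    c_isn, s_isn = 1000, 5000
    pkts = [tcp_packet(CLIENT, SERVER, c_isn, 0, SYN)]
    if split_handshake:
        pkts.append(tcp_packet(SERVER, CLIENT, s_isn, 0, SYN))               # bare SYN
        pkts.append(tcp_packet(SERVER, CLIENT, s_isn + 1, c_isn + 1, ACK))   # ACK sent separately
    else:
        pkts.append(tcp_packet(SERVER, CLIENT, s_isn, c_isn + 1, SYN | ACK))
    pkts.append(tcp_packet(CLIENT, SERVER, c_isn + 1, s_isn + 1, ACK))
    request = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"   # constructed request
    pkts.append(tcp_packet(CLIENT, SERVER, c_isn + 1, s_isn + 1, PSH | ACK, request))
    return pkts


def pcap_bytes(pkts):
    """Classic libpcap file: little-endian magic, v2.4, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(pkts):
        out += struct.pack("<IIII", 1259683200 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_flags(frame):
    """TCP flag byte of a frame from tcp_packet (14 Ethernet + 20 IP + offset 13)."""
    return frame[14 + 20 + 13]


def verify_checksums(frame):
    """True when both the IP and TCP checksums of a frame validate."""
    ip, tcp = frame[14:34], frame[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


def write_pcaps(prefix="handshake"):
    """Write <prefix>_3way.pcap and <prefix>_4way.pcap; returns the file names."""
    names = []
    for split in (False, True):
        name = "%s_%s.pcap" % (prefix, "4way" if split else "3way")
        with open(name, "wb") as f:
            f.write(pcap_bytes(build_session(split)))
        names.append(name)
    return names


if __name__ == "__main__":
    print(write_pcaps())
```

Run the script, then read each file with the sensor's pcap-replay mode (for Snort, `-r <file>`) against the three test rules, once with the stream5_tcp line lacking require_3whs and once with it present; the 3-way file should fire all three sids both times, and the 4-way file should show the difference described above.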



