[Snort-users] [Emerging-Sigs] TCP Portals: The Handshake's a Lie!

Matt Olney molney at ...1935...
Tue Dec 1 15:55:37 EST 2009


Also, I wanted to thank Russ Combs, the Sourcefire developer who
worked on this.  It's damn handy to be able to walk down the hall and
chat snort internals with the folks that built it, and we at the VRT
abuse this privilege regularly.

Thanks!

Matt

On Tue, Dec 1, 2009 at 3:53 PM, Matt Olney <molney at ...1935...> wrote:
> Howdy all,
>
> First, as I'm not subscribed to the Emerging-sigs list, I'm not
> certain if this will make it there; if someone would be so kind as to
> forward it, I would be grateful.
>
> I'd like to close the loop a little on the "4-way handshake" problem.
> We did some preliminary investigation into this and found that it was
> possible to bypass rules using this.  The VRT did the initial testing
> and the case was then passed to the Snort team.  Their testing
> revealed a config change that would ensure that the snort rules would
> alert properly in the face of a malicious server implementing a 4-way
> capable stack.
>
> The modification is to add the following value to your "preprocessor
> stream5_tcp:" line:
>
> require_3whs
>
> To be clear, in the testing I'm going to show below, here are my values:
>
> (failed test)     preprocessor stream5_tcp: policy first,
> use_static_footprint_sizes
> (passed test)  preprocessor stream5_tcp: policy first,
> use_static_footprint_sizes, require_3whs
>
> Here is the rules file I used to test:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Get with
> http_inspect method check"; flow: to_server, established;
> content:"GET"; http_method; sid: 3;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Get with
> standard content match and flow check"; flow: to_server, established;
> content:"GET"; sid: 4;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Get with
> standard content match and no flow check"; content:"GET"; sid: 6;)
>
> Here is the output I ran, failed tests first: (Using the fake.pcap
> from http://malforge.com/node/20):
>
> Snort Test Suite v.0.3.0
>
> Alerts:
> 1:6:0           Get with standard content match and no flow check
>          Alerts: 1
>
> In this case, we only alerted on the standard content match without
> flow enforcement.  This indicates that stream5 has incorrectly
> interpreted the stream.  Remember that both the flow keywords, as well
> as the http_method modifier require stream5 to have properly marked a
> stream in order to function.
>
> Here are the tests after I added the require_3whs:
>
> Snort Test Suite v.0.3.0
>
> Alerts:
> 1:3:0           Get with http_inspect method check
>          Alerts: 1
> 1:4:0           Get with standard content match and flow check
>          Alerts: 1
> 1:6:0           Get with standard content match and no flow check
>          Alerts: 1
>
> We now correctly alert on checks in both the http_inspect preprocessor
> and the flow direction.
>
> I'll put together a blog post, but since this issue was discussed
> here, I wanted to drop the information so you had our answer.
>
> Matt
>
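To reproduce the test above without depending on the fake.pcap linked in the post, here is an added example (not code from the post, from Sourcefire or from the Snort project) that writes two pcaps with the Python standard library only: one with a normal three-way handshake and one with the split "4-way" handshake the post describes (client SYN, server answers with a bare SYN instead of SYN/ACK, client SYN/ACK, server ACK), each followed by the same HTTP GET from the client. The hosts, MAC addresses, ports, sequence numbers and request are constructed for the example, and the choice that the client's SYN/ACK reuses its original ISN is an assumption about the malicious stack; the output is not a byte-for-byte copy of the malforge.com capture.

```python
"""Generate three_way.pcap and split_handshake.pcap for stream5 testing.

Added example, not code from the original post or the Snort project.
Endpoints, MACs, ports, ISNs and the HTTP request are constructed.
"""
import struct

# Constructed endpoints: the client plays $HOME_NET, the server $EXTERNAL_NET.
CLIENT = ("10.0.0.2", 40000)
SERVER = ("192.0.2.10", 80)
MACS = {CLIENT: b"\x02\x00\x00\x00\x00\x01", SERVER: b"\x02\x00\x00\x00\x00\x02"}
GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"   # constructed request

SYN, PSH, ACK = 0x02, 0x08, 0x10
ETH, IP_LEN = 14, 20          # Ethernet header and option-less IPv4 header sizes


def checksum(data):
    """RFC 1071 one's-complement sum over data, zero-padded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def tcp_segment(src, dst, flags, seq, ack, payload=b"", ident=0):
    """Ethernet/IPv4/TCP frame from src to dst with valid IP and TCP checksums."""
    (sip, sport), (dip, dport) = src, dst
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    pseudo = ip_bytes(sip) + ip_bytes(dip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(tcp), ident, 0x4000,
                     64, 6, 0, ip_bytes(sip), ip_bytes(dip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return MACS[dst] + MACS[src] + b"\x08\x00" + ip + tcp


def data_exchange(payload, cseq, sseq):
    """Client request plus the server's ACK, after whichever handshake ran."""
    return [
        tcp_segment(CLIENT, SERVER, PSH | ACK, cseq, sseq, payload, ident=10),
        tcp_segment(SERVER, CLIENT, ACK, sseq, cseq + len(payload), ident=11),
    ]


def three_way_session(payload=GET, cseq=1000, sseq=5000):
    """Normal handshake: SYN, SYN/ACK, ACK, then the request."""
    hs = [
        tcp_segment(CLIENT, SERVER, SYN, cseq, 0, ident=1),
        tcp_segment(SERVER, CLIENT, SYN | ACK, sseq, cseq + 1, ident=2),
        tcp_segment(CLIENT, SERVER, ACK, cseq + 1, sseq + 1, ident=3),
    ]
    return hs + data_exchange(payload, cseq + 1, sseq + 1)


def split_handshake_session(payload=GET, cseq=1000, sseq=5000):
    """Split handshake: the server answers the client's SYN with a bare SYN,
    the client acknowledges it with SYN/ACK (assumed to reuse its ISN) and
    the server finishes with a plain ACK."""
    hs = [
        tcp_segment(CLIENT, SERVER, SYN, cseq, 0, ident=1),
        tcp_segment(SERVER, CLIENT, SYN, sseq, 0, ident=2),
        tcp_segment(CLIENT, SERVER, SYN | ACK, cseq, sseq + 1, ident=3),
        tcp_segment(SERVER, CLIENT, ACK, sseq + 1, cseq + 1, ident=4),
    ]
    return hs + data_exchange(payload, cseq + 1, sseq + 1)


def tcp_flags(frame):
    """Flag byte of a frame produced by tcp_segment."""
    return frame[ETH + IP_LEN + 13]


def checksums_ok(frame):
    """True when both the IPv4 and TCP checksums of a generated frame verify."""
    ip = frame[ETH:ETH + IP_LEN]
    tcp = frame[ETH + IP_LEN:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


def pcap_bytes(frames, base_ts=1259700000):
    """Serialize frames as a classic libpcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", base_ts, i * 1000, len(frame), len(frame)) + frame)
    return b"".join(out)


if __name__ == "__main__":
    for name, frames in (("three_way.pcap", three_way_session()),
                         ("split_handshake.pcap", split_handshake_session())):
        with open(name, "wb") as f:
            f.write(pcap_bytes(frames))
        print(name, [hex(tcp_flags(fr)) for fr in frames])
```

Feed each file to a Snort 2.x configuration containing the three rules from the post, once with `preprocessor stream5_tcp: policy first, use_static_footprint_sizes` and once with `require_3whs` appended (for example `snort -c snort.conf -r split_handshake.pcap -A console`), and compare which of sids 3, 4 and 6 fire; the three-way capture is the control that should alert on all three in both configurations.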
