[Snort-users] What do I need to configure in snort.conf to protect against segmentation attacks?

Emeka Agu mainmen1985 at ...11827...
Mon Aug 27 06:24:04 EDT 2012


Hi all again. I had to directly email Joel for this, just seeing if anyone
else can see what's going on:

So my rule now is:

alert tcp any any -> 192.68.4.250 any (msg:"Testing TCP Flow"; flow:to_server,established; content:"/root/hacked"; nocase; sid:11114;)

My payload for 3 packets is: "/roo", "t/hac" and "ked", sent
as separate streams, with flags "PA" set.

My Stream5 config in snort.conf is:

preprocessor stream5_global: track_tcp yes, \
   track_udp no, \
   track_icmp no
preprocessor stream5_tcp: policy First, detect_anomalies, \
    ports client 23

(rest is truncated)


My Windows 7 machine sees the payload from port 23 as: /root/hacked.

But Snort sees nada. Absolutely nothing. Snort does work with my
custom attacks too, so I know it's working OK.

I have no idea what's going on! Please help!

On 26 August 2012 11:44, Gmail Personal <mainmen1985 at ...11827...> wrote:

> I should also add I changed the port targeted to 22, just in case
> something was going weird. And I have added the port to the Stream5 option
>
> Weird!
>
> *Emeka* Agu | Sent from  *iPad*
>
> On 26 Aug 2012, at 11:30, Emeka Agu <mainmen1985 at ...11827...> wrote:
>
> Hi Tony thanks for the help. Still get the problem!
>
> I followed this guide too:
> http://searchsecuritychannel.techtarget.com/tip/Snorts-Stream5-and-TCP-overlapping-fragments
> where Richard did exactly the same thing as me
>
> And edited my Stream5 TCP policy to include the reassembly Port, but it
> still didn't detect anything. Surely something is wrong, or is Snort that
> easily beaten by segmented TCP streams?
>
> Thanks
>
> On 23 August 2012 18:27, Tony Robinson <deusexmachina667 at ...11827...> wrote:
>
>> I'd check your frag3 and stream 5 settings in snort.conf, verify that
>> stream5 is enabled and that TCP streams are being assembled. according to
>> the snort manual, stream reassembly for port 80 from client operating
>> systems is a default setting in snort.conf -- Double check that, maybe set
>> port 80 to both. Additionally, look into the stream_assembly rule option,
>> and integrate it into your rule to ensure that TCP streams are being
>> reassembled.
>>
>> http://manual.snort.org/node33.html#SECTION004621000000000000000
>>
>> In regards to ip fragmentation, try changing frag3 back to the defaults
>> and see what happens.
>>
>> Try running a packet capture (i.e. use snort, wireshark, tshark or
>> tcpdump) and get a pcap on the interface snort is listening on to ensure
>> the traffic is being dropped/modified somewhere in transit -- you need to
>> verify what your snort sensor is seeing.
>>
>> Hope this helps,
>>
>> -Tony
>>
>> On Thu, Aug 23, 2012 at 2:55 AM, Emeka Agu <mainmen1985 at ...11827...> wrote:
>>
>>> Hi there, I've created some code in Scapy to create a successful 3WH and
>>> then push a segmented keyword (/root/hacked) over 3 packets.
>>>
>>> I also created these three rules in snort (I know the rule with no flow
>>> direction set is pointless, but I needed it to confirm my findings)
>>>
>>> 1) alert tcp any any -> $HOME_NET 80 (msg:"Testing TCP"; \
>>>    content:"/root/hacked"; nocase; sid:11112;)
>>>
>>> 2) alert ip any any -> $HOME_NET 80 (msg:"Testing IP Frag"; \
>>>    content:"/root/hacked"; nocase; sid:11113;)
>>>
>>> 3) alert tcp any any -> $HOME_NET 80 (msg:"Testing TCP Flow"; \
>>>    flow:to_server,established; content:"/root/hacked"; nocase; sid:11114;)
>>>
>>>
>>> But none of them are alerted when I send the packets. Wireshark manages
>>> to see the packets and when I select Follow TCP Stream, and it displays the
>>> content in full.
>>>
>>>
>>> IP tables has been turned off too. I tested with an earlier evasion
>>> attempt just using a fragmented packet where it split the keyword into
>>> "/roo" and "t/hacked", and Snort detected it. I used exactly the same
>>> destination and source ports, same IP source and destination, too.
>>>
>>>
>>> So I am presuming it's something to do with my snort.conf file. I've
>>> left most of the options as default, I just changed the policies to linux,
>>> as I am using Backtrack as the Snort IDS
>>>
>>>
>>> Can anyone give me any guidance please?
>>>
>>> Cheers,
>>>
>>>
>>> Emeka
>>>
>>>
>> --
>> when does reality end? when does fantasy begin?
>>
>
>
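An added example (not from this thread or from Snort's code) that shows, on constructed segments mirroring the "/roo", "t/hac", "ked" test above, why checking each segment's payload on its own misses the keyword while seq-ordered reassembly (what stream5 provides for the ports it is configured to reassemble) recovers it. Sequence numbers are assumed; the reassembler also handles out-of-order arrival, a gap, and an overlap under a "first" policy.

```python
"""Per-segment matching vs. stream reassembly for a keyword split across TCP
segments. Added example; the traffic below is constructed to mirror the thread's
test payload ("/roo", "t/hac", "ked" sent as separate PA segments)."""
from collections import namedtuple

Segment = namedtuple("Segment", "seq payload")

# Constructed sample. Sequence numbers are hypothetical; the third segment is
# listed before the second so reassembly must order by seq, not by arrival.
SEGMENTS = [
    Segment(seq=1001, payload=b"/roo"),
    Segment(seq=1010, payload=b"ked"),
    Segment(seq=1005, payload=b"t/hac"),
]
KEYWORD = b"/root/hacked"


def match_per_packet(segments, keyword):
    """Naive inspection: test each segment's payload on its own, which is all a
    content match can do when no reassembly covers the port. Case-insensitive,
    like the thread's 'nocase' option."""
    return any(keyword.lower() in s.payload.lower() for s in segments)


def reassemble(segments, isn):
    """Rebuild the client-to-server byte stream starting at sequence number isn.
    Stops at the first gap so missing data is never silently skipped; bytes that
    overlap an earlier segment are kept from the earlier one (a 'first' policy)."""
    stream = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > expected:
            break  # gap: the stream is incomplete up to here
        offset = expected - seg.seq  # bytes already covered by an earlier segment
        new = seg.payload[offset:]
        stream.extend(new)
        expected += len(new)
    return bytes(stream)


def match_reassembled(segments, isn, keyword):
    """Inspect the reassembled stream, as stream5 lets the detection engine do."""
    return keyword.lower() in reassemble(segments, isn).lower()


if __name__ == "__main__":
    print("per-packet:", match_per_packet(SEGMENTS, KEYWORD))          # False
    print("reassembled:", match_reassembled(SEGMENTS, 1001, KEYWORD))  # True
```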