Snort mailing list archives

Re: Snort detection engine vulnerability


From: James Hoagland <hoagland () SiliconDefense com>
Date: Mon, 30 Jul 2001 18:30:28 -0700


Hello Moritz,

Thanks for bringing this up. I wouldn't call this a vulnerability in Snort though. Vulnerability implies there is some way to abuse Snort to cause it to do a bad thing (such as stop running). This is not the case.

I believe your analysis is correct, however my take is different. Someone might more accurately call this a misclassification by Snort. I wouldn't even agree with that label though for two reasons:

+ the first match was a valid match per the signature. So as far as Snort (or any other signature-based IDS) knows, this is an actual exploit.

+ match only once is the documented behavior of Snort. Therefore, Snort's reaction is within its established semantics. Anyone analyzing Snort's alerts needs to do so with respect to its semantics.

I would say, though, that a command line option that people could use to cause Snort to match all rules possible might be a nice feature.

Sincerely,

  Jim

At 2:08 AM +0200 7/31/01, Moritz Jodeit wrote:
Hi,

I think I found a design flaw in Snort's detection engine.
The detection engine checks each packet, and the first rule that matches
triggers the action specified in the rule. The problem is that once an action
has been triggered, no more checks are done on the packet. It is possible for
someone to put a fake exploit at the beginning of a packet and put the real
exploit after the fake one. This way, the fake exploit triggers the rule and
the real exploit doesn't get detected.

http://snort.protected.host.com/test-cgi/../[insert your favourite iis exploit]

This sample triggers the "WEB-CGI test-cgi access" rule, while the real exploit
doesn't get logged.

I sent two emails to roesch () clark net, but didn't get any response, so I sent
it to the list...

--
Moritz Jodeit
http://www.jodeit.org/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland () SiliconDefense com                *|
|*              http://www.silicondefense.com/              *|
|*      Silicon Defense - Technical Support for Snort       *|
|*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|
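The point argued in this exchange (first-match semantics versus matching every rule, the option Jim suggests) is easy to see in a small model. The following is an added example, not Snort's code and not written by either poster: a toy signature matcher with constructed rules and a constructed request payload, evaluated once under first-match semantics and once under match-all semantics. The rule patterns and the `nocase` flag are assumptions modelled loosely on Snort's `content` option, not Snort's actual rule set.

```python
"""Toy signature IDS: first-match vs match-all semantics (added example)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    """A minimal content-matching rule. Constructed for this example."""
    sid: int
    msg: str
    content: bytes
    nocase: bool = False  # assumption: mirrors the spirit of Snort's 'nocase'

    def matches(self, payload: bytes) -> bool:
        if self.nocase:
            return self.content.lower() in payload.lower()
        return self.content in payload


# Constructed rule set. Rule order matters under first-match semantics,
# exactly as the thread discusses: whichever rule is evaluated first and
# matches is the only one that fires.
RULES: List[Rule] = [
    Rule(1, "WEB-CGI test-cgi access", b"/test-cgi", nocase=True),
    Rule(2, "WEB-CGI phf access", b"/phf", nocase=True),
    Rule(3, "WEB-MISC directory traversal marker", b"/../"),  # constructed
]


def match_first(payload: bytes, rules: List[Rule] = RULES) -> List[str]:
    """First-match: stop evaluating as soon as one rule fires.

    This is the behaviour the thread describes: a payload that satisfies
    several rules produces only one alert, the earliest rule in the list.
    """
    for rule in rules:
        if rule.matches(payload):
            return [rule.msg]
    return []


def match_all(payload: bytes, rules: List[Rule] = RULES) -> List[str]:
    """Match-all: evaluate every rule and report each one that fires."""
    return [rule.msg for rule in rules if rule.matches(payload)]


def alerts_missed_by_first_match(payload: bytes,
                                 rules: List[Rule] = RULES) -> List[str]:
    """Alerts an analyst would never see under first-match semantics."""
    first = set(match_first(payload, rules))
    return [msg for msg in match_all(payload, rules) if msg not in first]


if __name__ == "__main__":
    # Constructed request: a benign-looking leading path segment followed
    # by content that a later rule would also match on.
    sample = b"GET /test-cgi/../phf HTTP/1.0\r\nHost: example.invalid\r\n\r\n"
    print("first-match:", match_first(sample))
    print("match-all:  ", match_all(sample))
    print("missed:     ", alerts_missed_by_first_match(sample))
```

Running it shows one alert under first-match and three under match-all; the two extra alerts are exactly the ones an analyst working from first-match output would never see. Reordering `RULES` changes which single alert first-match produces, which is why Jim's point stands: the alert is a faithful report of one valid signature hit, and only the documented match-once semantics decide which hit that is.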
