Re: preprocessor normalize_tcp: ips ecn stream dropping SYN retransmission

[Russ Combs <rcombs () sourcefire com>]

On Wed, Aug 8, 2012 at 8:18 AM, Amm Snort <ammdispose-snort () yahoo com>wrote:

> Hello all,
>
> I am using snort 2.9.2.3 in inline (NFQUEUE) mode and kernel
> 3.4.6-1.fc16.x86_64 on Fedora 16.
>
>
> Everything works fine. Snort also records alerts.
>
> I am using normalize_tcp as follows:
>
>      preprocessor normalize_tcp: ips ecn stream
>
>
>
> I am noticing peculiar problem.
>
> If, for some reason, first SYN packet is lost then snort drops all
> following retry-SYN packets.
>
> This I could track using tshark (monitor port 80) and my own web server
> somewhere on internet.
>
> I ran following test to find out issue:
>
>
> 1) Enable normalize_tcp as above and restart snort
>
> 2) Add DROP rule on webserver for port 80 i.e. it should not respond to
> packets on port 80
>     This indirectly imitates a packet loss
> 3) telnet webserver 80
> 4) Monitor tshark
> 5) tshark just shows one SYN packet whereas, it should in general resend
> SYN every 1, 4 and 8 seconds
>
> 6) Now comment (disable) normalize_tcp rule and restart snort
> 7) telnet webserver 80
> 8) Monitor tshark
> 9) This time tshark shows repeated SYN packets (which is as expected)
>
>
> So here I have faked the packet loss, but if in real situation then first
> SYN packet is lost
> due to some network problem then snort never allows to send next SYN
> packet. (retried SYN)
>
> And hence that connection times out eventually.
>
> This is true for all ports not just 80. Port 80 I have just taken as
> example.
> It also cause database connection timeouts, POP server timeouts in case
> first SYN was dropped.
>
>
> I believe "normalize_tcp" drops retry-SYNs because they do not match first
> SYN packet.
>
> So is there any work around for this? Or am I missing any configuration
> directive?
>
> We have already fixed this for the 2.9.4 release.  The workaround for now
is to disable normalize_tcp.

> Please do let me know,
>
> Thanks in advance.
>
> Amm Snort.
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!