Snort mailing list archives
Re: stream5 preprocessor: 'STREAM5_NO_TIMESTAMP' alert in combination with TCP Keep-Alives from BSD/Darwin
From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 20 Aug 2013 10:07:17 -0400
My bad - this is a different thread with "and by extension on Darwin". Somehow the original message fell through the cracks. I'll investigate. Thanks for the bump. Russ On Tue, Aug 20, 2013 at 8:35 AM, Russ Combs <rcombs () sourcefire com> wrote:
On Tue, Aug 20, 2013 at 3:43 AM, Bram <bram-fabeg () mail wizbit be> wrote:Hi, Was this message taken into consideration? (I received no reply on it?)I just now got and responded to the original. Haven't seen it before.Even if the code is left unchanged it seems appropriate to mention this in the documentation of the '129-14' rule.. (speaking of which: it seems documentation for '129:14' is missing?) Best regards, Bram Quoting Bram <bram-fabeg () mail wizbit be>: Hi,The TCP implementation on *BSD (and by extension on Darwin) appears to contain a bug: When the TCP session is idle then it sends a 'TCP Keep-Alive' packet to determine if the connection still exists. This is expected. However: the 'TCP Keep-Alive' packet does not have the timestamp options set.. This causes snort to generate the alert 'STREAM5_NO_TIMESTAMP'. While the event is correct it is a bit undesirable since this makes it difficult to see unexplained anomalies/actual 'problems. Attached is a patch which detects the 'TCP KeepAlive' packets send by BSD/Darwin and prevents the alert from being generated. I'm not sure if the 'TCP KeepAlive' packet should be ignored by default.. perhaps it's better to add a config options for it? Also: when *BSD/Darwin sends an ack on a 'TCP Keep-Alive' packet then it does appear to include the timestamp. (This was detected due to a PPTP client being connected from a Mac - tcp idle -> keep alives send) Attached are four dumps: * keepalive.pcap: connection between NetBSD and Linux (NetBSD sending Keep-Alive) * keepalive2.pcap: connection between NetBSD and NetBSD * keepalive4.pcap: connection between Linux and NetBSD host (Linux sending Keep-Alive) * no_timestamp.pcap: tcp session created using raw sockets Configuration file used: config checksum_mode: all dynamicpreprocessor directory /usr/lib/snort_** dynamicpreprocessor/ preprocessor stream5_global: track_tcp yes, \ track_udp no, \ track_icmp no, \ max_tcp 262144, \ max_udp 131072 preprocessor stream5_tcp: policy windows, detect_anomalies alert ( msg: "STREAM5_NO_TIMESTAMP"; sid: 14; gid: 129; rev: 1; metadata: rule-type preproc ; ) output alert_fast: stdout Output: $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive.pcap 2>&1 | grep '129:' 07/22-14:16:03.787282 [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52185 -> 192.168.173.50:6666 07/22-14:16:13.787173 [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52185 -> 192.168.173.50:6666 $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive2.pcap 2>&1 | grep '129:' 07/22-14:18:45.965624 [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52179 -> 192.168.173.51:6666 07/22-14:18:55.965523 [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52179 -> 192.168.173.51:6666 $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive3.pcap 2>&1 | grep '129:' $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/no_timestamp.pcap 2>&1 | grep '129:' 08/01-16:33:02.253871 [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.1:6000 -> 192.168.173.153:33705 Output with patched version: $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive.pcap 2>&1 | grep '129:' $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive2.pcap 2>&1 | grep '129:' $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive3.pcap 2>&1 | grep '129:' $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/no_timestamp.pcap 2>&1 | grep '129:' 08/01-16:33:02.253871 [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.1:6000 -> 192.168.173.153:33705 => No alert on TCP Keep-Alive from BSD/Darwin. Best regards, Bram------------------------------**------------------------------**---- This message was sent using IMP, the Internet Messaging Program.
------------------------------------------------------------------------------ Introducing Performance Central, a new site from SourceForge and AppDynamics. Performance Central is your source for news, insights, analysis and resources for efficient Application Performance Management. Visit us today! http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- stream5 preprocessor: 'STREAM5_NO_TIMESTAMP' alert in combination with TCP Keep-Alives from BSD/Darwin Bram (Aug 01)
- Re: stream5 preprocessor: 'STREAM5_NO_TIMESTAMP' alert in combination with TCP Keep-Alives from BSD/Darwin Bram (Aug 20)
- Re: stream5 preprocessor: 'STREAM5_NO_TIMESTAMP' alert in combination with TCP Keep-Alives from BSD/Darwin Russ Combs (Aug 20)
- Re: stream5 preprocessor: 'STREAM5_NO_TIMESTAMP' alert in combination with TCP Keep-Alives from BSD/Darwin Russ Combs (Aug 20)
- Re: stream5 preprocessor: 'STREAM5_NO_TIMESTAMP' alert in combination with TCP Keep-Alives from BSD/Darwin Joel Esler (Aug 20)
- Re: stream5 preprocessor: 'STREAM5_NO_TIMESTAMP' alert in combination with TCP Keep-Alives from BSD/Darwin Russ Combs (Aug 20)
- Re: stream5 preprocessor: 'STREAM5_NO_TIMESTAMP' alert in combination with TCP Keep-Alives from BSD/Darwin Bram (Aug 20)