Snort mailing list archives

Re: stream5 preprocessor: 'STREAM5_NO_TIMESTAMP' alert in combination with TCP Keep-Alives from BSD/Darwin


From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 20 Aug 2013 10:07:17 -0400

My bad - this is a different thread with "and by extension on Darwin".

Somehow the original message fell through the cracks.  I'll investigate.

Thanks for the bump.

Russ

On Tue, Aug 20, 2013 at 8:35 AM, Russ Combs <rcombs () sourcefire com> wrote:



On Tue, Aug 20, 2013 at 3:43 AM, Bram <bram-fabeg () mail wizbit be> wrote:

Hi,


Was this message taken into consideration? (I received no reply on it?)


I just now got and responded to the original.  Haven't seen it before.


Even if the code is left unchanged it seems appropriate to mention this
in the documentation of the '129-14' rule.. (speaking of which: it seems
documentation for '129:14' is missing?)


Best regards,

Bram


Quoting Bram <bram-fabeg () mail wizbit be>:

Hi,


The TCP implementation on *BSD (and by extension on Darwin) appears to
contain a bug:
When the TCP session is idle then it sends a 'TCP Keep-Alive' packet to
determine if the connection still exists.
This is expected.

However: the 'TCP Keep-Alive' packet does not have the timestamp option
set..
This causes snort to generate the alert 'STREAM5_NO_TIMESTAMP'.

While the event is correct it is a bit undesirable since this makes it
difficult to see unexplained anomalies/actual problems.

Attached is a patch which detects the 'TCP KeepAlive' packets sent by
BSD/Darwin and prevents the alert from being generated.
I'm not sure if the 'TCP KeepAlive' packet should be ignored by
default.. perhaps it's better to add a config option for it?

Also: when *BSD/Darwin sends an ack on a 'TCP Keep-Alive' packet then
it does appear to include the timestamp.

(This was detected due to a PPTP client being connected from a Mac -
tcp idle -> keep alives sent)


Attached are four dumps:
* keepalive.pcap: connection between NetBSD and Linux (NetBSD sending Keep-Alive)
* keepalive2.pcap: connection between NetBSD and NetBSD
* keepalive4.pcap: connection between Linux and NetBSD host (Linux sending Keep-Alive)
* no_timestamp.pcap: tcp session created using raw sockets



Configuration file used:
       config checksum_mode: all
       dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
       preprocessor stream5_global: track_tcp yes, \
          track_udp no, \
          track_icmp no, \
          max_tcp 262144, \
          max_udp 131072
       preprocessor stream5_tcp: policy windows, detect_anomalies

       alert ( msg: "STREAM5_NO_TIMESTAMP"; sid: 14; gid: 129; rev: 1; metadata: rule-type preproc ; )

       output alert_fast: stdout

Output:
       $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive.pcap 2>&1 | grep '129:'
       07/22-14:16:03.787282  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52185 -> 192.168.173.50:6666
       07/22-14:16:13.787173  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52185 -> 192.168.173.50:6666

       $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive2.pcap 2>&1 | grep '129:'
       07/22-14:18:45.965624  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52179 -> 192.168.173.51:6666
       07/22-14:18:55.965523  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52179 -> 192.168.173.51:6666

       $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive3.pcap 2>&1 | grep '129:'

       $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/no_timestamp.pcap 2>&1 | grep '129:'
       08/01-16:33:02.253871  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.1:6000 -> 192.168.173.153:33705



Output with patched version:
       $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive.pcap 2>&1 | grep '129:'

       $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive2.pcap 2>&1 | grep '129:'

       $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive3.pcap 2>&1 | grep '129:'

       $ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/no_timestamp.pcap 2>&1 | grep '129:'
       08/01-16:33:02.253871  [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.1:6000 -> 192.168.173.153:33705


=> No alert on TCP Keep-Alive from BSD/Darwin.



Best regards,

Bram




----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
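As an added illustration (not the patch attached to this thread and not Snort's own stream5 code), here is a small Python model of the decision the thread is about: a segment without the timestamp option should only raise a 129:14-style "TCP Timestamp is missing" event when it does not look like an RFC 1122 keep-alive probe (ACK only, at most one byte of data, sequence number one below what the tracker expects from that side). The segments, the expected-sequence bookkeeping and all function names are constructed assumptions; the raw-socket case is kept as a real anomaly, matching the no_timestamp.pcap result above.

```python
import struct
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8   # option kinds from RFC 793 / RFC 7323
TH_ACK, TH_PSH = 0x010, 0x008

def parse_options(opts: bytes) -> set:
    """Return the set of option kinds present; stop at EOL or a malformed option."""
    kinds, i = set(), 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break  # truncated or zero/one-length option: never loop forever on it
        kinds.add(kind)
        i += opts[i + 1]
    return kinds

def parse_tcp(segment: bytes) -> dict:
    # Minimal TCP header parser (segment starts at the TCP header, no IP, no checksum).
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    doff = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "options": parse_options(segment[20:doff]),
            "payload": segment[doff:]}

def is_keepalive_probe(pkt: dict, expected_seq: int) -> bool:
    """RFC 1122 4.2.3.6 style probe: ACK only, <= 1 byte of data, seq == SND.NXT - 1."""
    return (pkt["flags"] == TH_ACK and len(pkt["payload"]) <= 1
            and (pkt["seq"] + 1) & 0xFFFFFFFF == expected_seq)

def no_timestamp_event(pkt: dict, session_uses_ts: bool, expected_seq: int,
                       ignore_keepalive: bool = True) -> bool:
    """True if a 'TCP Timestamp is missing' event should be raised for this segment."""
    if not session_uses_ts or TCPOPT_TIMESTAMP in pkt["options"]:
        return False
    if ignore_keepalive and is_keepalive_probe(pkt, expected_seq):
        return False  # BSD/Darwin keep-alive probes are sent without any options
    return True

def build_tcp(sport, dport, seq, ack, flags, options=b"", payload=b"") -> bytes:
    # Constructed test segment; options are NOP-padded to a 32-bit boundary.
    opts = options + bytes([TCPOPT_NOP]) * (-len(options) % 4)
    off_flags = ((20 + len(opts)) // 4) << 12 | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0) + opts + payload

TS_OPT = struct.pack("!BBII", TCPOPT_TIMESTAMP, 10, 1000, 2000)   # kind 8, len 10, TSval, TSecr
EXPECTED_SEQ = 0x1000   # assumed: what the tracker expects next from port 52185
KEEPALIVE = build_tcp(52185, 6666, EXPECTED_SEQ - 1, 0x2000, TH_ACK)          # BSD probe, no options
KEEPALIVE_ACK = build_tcp(6666, 52185, 0x2000, EXPECTED_SEQ, TH_ACK, TS_OPT)  # reply carries a timestamp
RAW_DATA = build_tcp(6000, 33705, EXPECTED_SEQ, 0x2000, TH_ACK | TH_PSH, b"", b"x")  # raw socket, no TS
```

The `ignore_keepalive` switch is the config option the message asks about: with it off, the probe is reported exactly as before, so a deployment that wants to see every timestamp-less segment loses nothing.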


