Snort mailing list archives

Re: Randomness in Snort engine


From: "Tom Peters (thopeter)" <thopeter () cisco com>
Date: Fri, 12 Sep 2014 15:17:19 +0000

HS,

The -H flag suppresses this random behavior as well as random hashing. It is useful for regression testing. You might 
want to retry your experiment and see if the variation stops.

Tom


From: Thomas Peters <thopeter () cisco com>
Date: Friday, September 12, 2014 10:46 AM
To: "hyunseok () ieee org" <hyunseok () ieee org>
Cc: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Randomness in Snort engine

HS,

I have no idea why the increment feature was added. Quite likely it was just a precaution.

Tom


From: Hyunseok <hyunseok () ieee org>
Reply-To: "hyunseok () ieee org" <hyunseok () ieee org>
Date: Thursday, September 11, 2014 4:22 PM
To: Thomas Peters <thopeter () cisco com>
Cc: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Randomness in Snort engine

Tom,

Thanks.  It makes sense now.

"prevent the seams between message pieces from falling in predictable places that might be exploited to hide something 
from detection."

Is this a known attack?  If so, could you share more information about it (e.g., url)?

Thanks again for taking the time to respond.

Regards,
-HS


On Thu, Sep 11, 2014 at 4:16 PM, Tom Peters (thopeter) <thopeter () cisco com> wrote:
Hi,

Are you saying that Snort assembles MTU-size tcpdump-captured packets to construct a large HTTP message body, and then 
re-chops it into a slightly varying number of "Packet"s which are then injected into SnortHttpInspect(Packet *p)?

Yes, that is the general idea. TCP reassembly converts the IP packets into a stream of data. An entire large HTTP 
message body cannot be reconstructed because it would occupy too much memory and be unwieldy to process. Every 
16384-ish octets the data stream is cut and the resulting block is converted into a pseudo-packet and forwarded to 
HttpInspect for processing. The "-ish" is the random increment.

Tom


From: Hyunseok <hyunseok () ieee org>
Reply-To: "hyunseok () ieee org" <hyunseok () ieee org>
Date: Thursday, September 11, 2014 2:47 PM
To: Thomas Peters <thopeter () cisco com>
Cc: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Randomness in Snort engine

Thanks for your reply.

It's true that the "total packets processed" that I showed earlier is indeed the pkt-count stat under the "HTTP Inspect" section.

However, I am not sure if I fully understand the symptom.

I see that the packet counter is incremented in SnortHttpInspect(HTTPINSPECT_GLOBAL_CONF *GlobalConf, Packet *p).

Are you saying that Snort assembles MTU-size tcpdump-captured packets to construct a large HTTP message body, and then 
re-chops it into a slightly varying number of "Packet"s which are then injected into SnortHttpInspect(Packet *p)?

Sorry, I am new to Snort.

Regards,
-HS



On Thu, Sep 11, 2014 at 2:14 PM, Tom Peters (thopeter) <thopeter () cisco com> wrote:
Hi,

A possible explanation for your results.

Snort divides up very large protocol messages (e.g. HTTP message body) into pieces for processing. There is a small 
random increment added to the piece size that may vary between runs. Its purpose is to prevent the seams between 
message pieces from falling in predictable places that might be exploited to hide something from detection.

Over a very long run this jitter in the packet boundaries might add up to a slightly different number of packets.

Tom


From: Hyunseok <hyunseok () ieee org>
Reply-To: "hyunseok () ieee org" <hyunseok () ieee org>
Date: Thursday, September 11, 2014 12:33 PM
To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: [Snort-devel] Randomness in Snort engine

Hi,

I have one question about Snort.

I was running Snort in offline mode by feeding a tcpdump packet trace to it.

I expected that Snort analysis result would be identical when I re-run Snort multiple times with the same packet trace.

However, I noticed that the total packets processed is slightly different across different runs, which affects 
other analysis results.

result.0:    Total packets processed:              230718
result.1:    Total packets processed:              230720
result.2:    Total packets processed:              230722
result.3:    Total packets processed:              230721

Do you guys have any idea where this slight randomness comes from in Snort?

I'm using the default snort configuration with default rule sets.

This question might be user-oriented, but I thought developers may have a better idea on the root cause.

Thanks,
-HS
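The mechanism Tom describes in this thread (the reassembled stream cut every "16384-ish" octets, with the random increment disabled by -H), modelled as an added example that is not Snort's own code. The 256-octet upper bound on the increment and the 1 MB message body are assumptions; the page gives neither. It reproduces the run-to-run drift in the pseudo-packet count that HS observed, shows that the count is stable once the increment is off, and shows why a fixed seam is a detection risk: a byte range straddling a fixed cut is split on every run, while jitter moves the seam.

```python
import random

BASE_CHUNK = 16384   # thread: the stream is cut "every 16384-ish octets"
MAX_JITTER = 256     # assumed upper bound of the random increment; the thread gives no value

def split_stream(total_octets, rng=None, max_jitter=MAX_JITTER):
    """Model of the cut points at which a reassembled TCP stream becomes pseudo-packets.
    Returns the list of cut offsets. rng=None models -H: no random increment,
    so every cut lands at a multiple of BASE_CHUNK."""
    cuts, pos = [], 0
    while pos < total_octets:
        size = BASE_CHUNK + (rng.randint(0, max_jitter) if rng is not None else 0)
        pos = min(pos + size, total_octets)
        cuts.append(pos)
    return cuts

def pseudo_packet_count(total_octets, rng=None):
    """Number of pseudo-packets HttpInspect would count for one message body."""
    return len(split_stream(total_octets, rng))

def counts_over_runs(total_octets, runs, deterministic=False):
    """Counts from `runs` independent Snort invocations on the same trace (seed = run index)."""
    return [pseudo_packet_count(total_octets, None if deterministic else random.Random(seed))
            for seed in range(runs)]

def distinct_first_seams(total_octets, runs):
    """Distinct offsets of the first cut across jittered runs; a size of 1 means a predictable seam."""
    return {split_stream(total_octets, random.Random(seed))[0] for seed in range(runs)}

def seam_falls_inside(cuts, start, length):
    """True if a pseudo-packet boundary splits the byte range [start, start + length)."""
    return any(start < cut < start + length for cut in cuts)

def seam_hit_rate(total_octets, start, length, runs):
    """Fraction of jittered runs in which a fixed byte range is split across two pseudo-packets."""
    hits = sum(seam_falls_inside(split_stream(total_octets, random.Random(seed)), start, length)
               for seed in range(runs))
    return hits / runs

if __name__ == "__main__":
    body = 1_000_000   # constructed: one 1 MB HTTP message body in the trace
    print("-H counts      :", sorted(set(counts_over_runs(body, 10, deterministic=True))))
    print("default counts :", sorted(set(counts_over_runs(body, 10))))
    # a 16-byte range straddling the first fixed cut: always split under -H, rarely with jitter
    print("split under -H :", seam_falls_inside(split_stream(body), BASE_CHUNK - 8, 16))
    print("split with jitter, rate :", seam_hit_rate(body, BASE_CHUNK - 8, 16, 200))
```

Running it twice gives identical "-H counts" but the "default counts" set spans two values, which is the same drift HS saw in the HTTP Inspect statistics.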


