Snort mailing list archives
Re: Randomness in Snort engine
From: "Tom Peters (thopeter)" <thopeter () cisco com>
Date: Fri, 12 Sep 2014 15:17:19 +0000
HS,

The -H flag suppresses this random behavior as well as random hashing. It is useful for regression testing. You might want to retry your experiment and see if the variation stops.

Tom

From: Thomas Peters <thopeter () cisco com>
Date: Friday, September 12, 2014 10:46 AM
To: "hyunseok () ieee org" <hyunseok () ieee org>
Cc: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Randomness in Snort engine

HS,

I have no idea why the increment feature was added. Quite likely it was just a precaution.

Tom

From: Hyunseok <hyunseok () ieee org>
Reply-To: "hyunseok () ieee org" <hyunseok () ieee org>
Date: Thursday, September 11, 2014 4:22 PM
To: Thomas Peters <thopeter () cisco com>
Cc: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Randomness in Snort engine

Tom,

Thanks. It makes sense now.

"prevent the seams between message pieces from falling in predictable places that might be exploited to hide something from detection."

Is this a known attack? If so, could you share more information about it (e.g., url)?

Thanks again for taking the time to respond.

Regards,
-HS

On Thu, Sep 11, 2014 at 4:16 PM, Tom Peters (thopeter) <thopeter () cisco com> wrote:

Hi,

Are you saying that Snort assembles MTU-size tcpdump-captured packets to construct a large HTTP message body, and then re-chops it into a slightly varying number of "Packet"s which are then injected into SnortHttpInspect(Packet *p)?

Yes, that is the general idea.

TCP reassembly converts the IP packets into a stream of data. An entire large HTTP message body cannot be reconstructed because it would occupy too much memory and be unwieldy to process. Every 16384-ish octets the data stream is cut and the resulting block is converted into a pseudo-packet and forwarded to HttpInspect for processing. The "-ish" is the random increment.

Tom

From: Hyunseok <hyunseok () ieee org>
Reply-To: "hyunseok () ieee org" <hyunseok () ieee org>
Date: Thursday, September 11, 2014 2:47 PM
To: Thomas Peters <thopeter () cisco com>
Cc: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Randomness in Snort engine

Thanks for your reply.

It's true that the "total packets processed" that I showed earlier is indeed the pkt-count stats under the "HTTP Inspect" section. However, I am not sure if I fully understand the symptom.

I see that the packet counter is incremented in SnortHttpInspect(HTTPINSPECT_GLOBAL_CONF *GlobalConf, Packet *p). Are you saying that Snort assembles MTU-size tcpdump-captured packets to construct a large HTTP message body, and then re-chops it into a slightly varying number of "Packet"s which are then injected into SnortHttpInspect(Packet *p)?

Sorry, I am new to Snort.

Regards,
-HS

On Thu, Sep 11, 2014 at 2:14 PM, Tom Peters (thopeter) <thopeter () cisco com> wrote:

Hi,

A possible explanation for your results. Snort divides up very large protocol messages (e.g. HTTP message body) into pieces for processing. There is a small random increment added to the piece size that may vary between runs. Its purpose is to prevent the seams between message pieces from falling in predictable places that might be exploited to hide something from detection.

Over a very long run this jitter in the packet boundaries might add up to a slightly different number of packets.

Tom

From: Hyunseok <hyunseok () ieee org>
Reply-To: "hyunseok () ieee org" <hyunseok () ieee org>
Date: Thursday, September 11, 2014 12:33 PM
To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: [Snort-devel] Randomness in Snort engine

Hi,

I have one question about Snort.

I was running Snort in offline mode by feeding a tcpdump packet trace to it. I expected that Snort analysis result would be identical when I re-run Snort multiple times with the same packet trace. However, I noticed that the total packets processed is slightly different across different runs, which affects other analysis results.

result.0: Total packets processed: 230718
result.1: Total packets processed: 230720
result.2: Total packets processed: 230722
result.3: Total packets processed: 230721

Do you guys have any idea where this slight randomness comes from in Snort? I'm using the default snort configuration with default rule sets.

This question might be user-oriented, but I thought developers may have a better idea on the root cause.

Thanks,
-HS
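The flush behaviour Tom describes, modelled as an added example (not Snort's own code): a reassembled stream is cut every 16384 octets plus a random increment, so the number of pseudo-packets drifts between runs, a fixed seed (standing in for -H) makes it repeatable, and a fixed cut schedule would let a byte sequence lying across a seam escape per-piece inspection in every run. The jitter bound MAX_JITTER and the helper names are assumptions; the page gives only the 16384 base.

```python
import random

BASE_FLUSH = 16384   # "every 16384-ish octets", from the thread
MAX_JITTER = 256     # assumed upper bound of the random increment; not stated on the page


def flush_points(stream_len, rng, base=BASE_FLUSH, max_jitter=MAX_JITTER):
    """Byte offsets at which a reassembled stream of stream_len octets is cut
    into pseudo-packets. Each piece is base plus a random increment drawn
    from rng; the final piece is whatever remains."""
    cuts = []
    pos = 0
    while pos < stream_len:
        pos = min(stream_len, pos + base + rng.randint(0, max_jitter))
        cuts.append(pos)
    return cuts


def pseudo_packet_count(stream_len, seed=None):
    """Number of pieces HttpInspect would see for one stream.
    seed=None mimics a normal run (varies between runs);
    a fixed seed mimics the repeatable behaviour of -H."""
    return len(flush_points(stream_len, random.Random(seed)))


def straddles_seam(start, length, cuts):
    """True when the byte range [start, start+length) is split by a cut,
    i.e. no single pseudo-packet contains it whole."""
    end = start + length
    return any(start < c < end for c in cuts)


def seam_hits_over_runs(start, length, stream_len, runs, seeds=None):
    """How many of `runs` independent cut schedules split the given range.
    With max_jitter=0 the schedule never changes, so a range across a seam
    is split every run; with jitter the seams move and the count drops."""
    hits = 0
    for i in range(runs):
        rng = random.Random(None if seeds is None else seeds[i])
        if straddles_seam(start, length, flush_points(stream_len, rng)):
            hits += 1
    return hits


if __name__ == "__main__":
    body = 3_800_000  # constructed: size of one large HTTP message body in octets
    print("unseeded runs:", [pseudo_packet_count(body) for _ in range(4)])
    print("seeded runs:  ", [pseudo_packet_count(body, seed=42) for _ in range(4)])
```

Running it shows the unseeded counts wobbling by a few pieces, exactly the "slightly different number of packets" HS saw, while the seeded counts repeat.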