Snort mailing list archives

Re: Trying to use snort with TALOS-2016-0219

From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 29 Nov 2016 23:16:20 +0000

http://blog.snort.org/2016/08/running-snort-on-commodity-hardware.html

May help..


--
Joel Esler | Talos: Manager | jesler () cisco com<mailto:jesler () cisco com>






On Nov 29, 2016, at 3:04 PM, Patrick Mullen <pmullen () sourcefire com<mailto:pmullen () sourcefire com>> wrote:

What you're describing isn't a snort problem.  It's the Operating System.  Look up "disabling TCP Checksum Offloading" 
for how to do it with your OS.  It's what happens when you run your capturing software on either the generating or 
receiving device, as opposed to a third party, using modern networking hardware and operating systems.

If you want, for testing purposes, you can run snort with "-k none" to ignore tcp checksums (keeping in mind that you 
don't want to do this for actual packet captures as it opens you up to evasions as described before), or you can fix 
the checksums in the pcap after the fact using tcprewrite, which is what I do and is The Right Thing To Do (TM).

My tcpfix.sh script fixes tcp and udp checksums and stores the updated pcap to the a new pcap with "-fixed" in the name.

$ cat ~/bin/tcpfix.sh
#!/bin/bash
FILE=$1
NEWFILE=`echo -n $FILE | sed 's/\.pcap$/-fixed.pcap/'`
tcprewrite --fixcsum -i $FILE -o $NEWFILE


Thanks,

~Patrick



On Mon, Nov 28, 2016 at 8:51 PM, Yuri Niyazov <yuri () academia edu<mailto:yuri () academia edu>> wrote:
Thank you very much for your help. After I included the correct filter, it still didn't work. I then noticed that all 
the outgoing packets in the new capture file had bad checksums; I disabled NIC-level checksumming ("ethtool -K eth0 
tx-checksum-ip-generic off") and did another capture, which worked fine without disabling snort-level checksumming.

Is there a way to tell snort, while capturing, to properly calculate checksums for packets that are outgoing from the 
machine? "-k all" didn't seem to do it.

On Mon, Nov 28, 2016 at 1:03 PM, Patrick Mullen <pmullen () sourcefire com<mailto:pmullen () sourcefire com>> wrote:
Yuri,

By "asymmetric," Joel means your pcap is broken.  :)  Your "works" config modified snort such that it ignores the fact 
that it can only see half of the traffic.  Please note that while this configuration means you did alert in this 
situation, in the long run it opens you up to evasions and other issues so it's not an ideal solution.

I suspect that when you created your pcap, you probably did a filter like "dst host 162.243.66.145 and port 11211", 
which filtered out return traffic from that host.  If you instead used the filter "host 162.243.66.145 and port 11211", 
the host filter would be bidirectional (the ip could be the dst or src) so you should see the entire set of traffic and 
snort should alert for you without needing to change the configuration.


Thanks,

~Patrick


On Mon, Nov 28, 2016 at 11:17 AM, Joel Esler (jesler) <jesler () cisco com<mailto:jesler () cisco com>> wrote:
Your traffic is “asymmetric”.  This is why turning off stream makes it “work”.

Snort needs both sides of the traffic flow in order to process the traffic correctly.


--
Joel Esler | Talos: Manager | jesler () cisco com<mailto:jesler () cisco com>






On Nov 25, 2016, at 10:41 PM, Yuri Niyazov <yuri () academia edu<mailto:yuri () academia edu>> wrote:

Hi everyone,

  Snort newbie here. I am trying to detect the latest memcache vulnerabilities, 
http://www.talosintelligence.com/reports/TALOS-2016-0219/

Output of snort -V, as requested in the instructions for posting reports to this list:
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.3 GRE (Build 383)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8

So, I have a packet capture that is the proof-of-concept exploit (code copy-pasted from the vulnerability 
announcement). That packet capture is attached. It is detected when I run "snort -c etc/works.conf -r 
/var/log/snort/memcachedump.1480128874", I get the text below in /var/log/snort/alert:

[**] [3:40474:2] SERVER-OTHER TRUFFLEHUNTER TALOS-CAN-0219 attack attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/26-02:54:44.674785 162.243.66.145:57162<http://162.243.66.145:57162/> -> 
162.243.91.201:11211<http://162.243.91.201:11211/>
TCP TTL:63 TOS:0x0 ID:47627 IpLen:20 DgmLen:1100 DF
***AP*** Seq: 0xF7EF58B0  Ack: 0x1E0819C9  Win: 0x1C9  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3334822 5964160
[Xref => http://www.talosintelligence.com/reports/TALOS-2016-0219]

However, when I run "snort -c etc/broken.conf -r /var/log/snort/memcachedump.1480128874" the alert doesn't happen

The difference between works.conf and broken.conf is that broken.conf includes the stream5_global, stream5_tcp and 
stream5_udp preprocessors as they are configured in the latest downloadable ruleset (these aren't the files I will end 
up using, these are just the smallest difference I was able to isolate between "working" and "not working").

Now, if I understand things correctly, the streaming preprocessor provides important functionality that shouldn't just 
be turned off blindly, so, the question is: what in that preprocessor configuration could be masking the memcached 
exploit?


--
Patrick Mullen
Response Research Manager
Cisco TALOS




--
Patrick Mullen
Response Research Manager
Cisco TALOS
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Trying to use snort with TALOS-2016-0219 Yuri Niyazov (Nov 25)
- Re: Trying to use snort with TALOS-2016-0219 Joel Esler (jesler) (Nov 28)
  - Re: Trying to use snort with TALOS-2016-0219 Patrick Mullen (Nov 28)
    - Re: Trying to use snort with TALOS-2016-0219 Yuri Niyazov (Nov 28)
    - Re: Trying to use snort with TALOS-2016-0219 Patrick Mullen (Nov 29)
    - Re: Trying to use snort with TALOS-2016-0219 Joel Esler (jesler) (Nov 29)