Snort mailing list archives
Re: TCP Urgent data causes HTTPInspect to fail and prevents PAF to flush
From: Russ <rucombs () cisco com>
Date: Tue, 13 Dec 2016 05:31:13 -0500
Thanks for raising the issue. Snort does some target-based handling of urgent data and we should ensure that PAF skips any urgent data that will not be flushed. Urgent data is in general an unreliable mechanism and inline deployments should enable normalization to scrub the urgent pointer and offset. See RFC 6093 for a summary of the issues with the implementation of the TCP urgent mechanism.
https://tools.ietf.org/html/rfc6093

On 12/12/16 11:14 PM, hey wrote:
Hi,

While doing some testing with Snort, I noticed that Stream with PAF sends the urgent data part of a TCP segment to the HTTPInspect finite state machine. For example, if the urgent pointer is set to 1 and if the urgent data is "odd" (e.g. 0x00), HTTPInspect will fail and flushing won't happen as desired; but if the urgent data is "ok" (e.g. 0x41 'A'), flushing will be fine.

This is a bit problematic with some configurations ignoring urgent data (AFAIK at least Apache on top of Linux does that). If Snort is inline and if we want to drop the malicious packet, the flushing will only happen when Snort sees a RST packet (thus we just see a Snort alert later and the malicious packet has not been dropped).

It wouldn't be too complicated to make HTTPInspect skip the urgent data, or to make a new HTTPInspect configuration option to choose whether or not to skip the data. I'm curious to know why it hasn't been done (if I misunderstood something).

On a broader scope, I'm interested in how Snort deals with urgent data. Is there any particular technique/configuration recommendation? I'm aware of papers such as [1] and [2] but I'm curious to know if there is anything that goes deeper for the URG flag.

Thanks,

[1] Novak, Judy, and Steve Sturges. "Target-Based TCP Stream Reassembly."
[2] Novak, Judy, and Steve Sturges. "Target-Based TCP Timestamp Stream Reassembly."

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
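The two points in this thread, that a target which ignores urgent data reads a different byte stream than the one the inspector was handed, and that inline normalization removes the ambiguity, can be shown on a single constructed segment. The example below is added here and is not Snort code, nor code from either poster. It assumes the RFC 793 pointer convention (the urgent pointer names the byte after the single out-of-band byte; Linux uses this unless net.ipv4.tcp_stdurg is set), a minimal request-line check standing in for HTTPInspect's first state, and a `scrub_urgent` that clears URG and the pointer without recomputing the TCP checksum, which a real normalizer must also do.

```python
import struct

TCP_URG = 0x20
# sport, dport, seq, ack, dataoff/reserved, flags, window, checksum, urgent pointer
TCP_HDR = struct.Struct("!HHIIBBHHH")


def parse_tcp(segment):
    """Split a raw TCP segment (no IP header) into the fields this example needs."""
    sport, dport, seq, ack, off_res, flags, win, csum, urg_ptr = TCP_HDR.unpack_from(segment, 0)
    hdr_len = (off_res >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad TCP data offset")
    return {"seq": seq, "flags": flags, "urg_ptr": urg_ptr, "payload": segment[hdr_len:]}


def urgent_index(seg, last_byte_semantics=False):
    """Index within the payload of the one out-of-band byte, or None.

    Default (assumption: RFC 793 wording, Linux default): pointer is one past the urgent byte.
    last_byte_semantics=True: the pointer names the urgent byte itself (RFC 1122 wording).
    """
    if not seg["flags"] & TCP_URG or seg["urg_ptr"] == 0:
        return None
    idx = seg["urg_ptr"] if last_byte_semantics else seg["urg_ptr"] - 1
    if idx >= len(seg["payload"]):
        return None  # pointer lies beyond this segment: nothing to pull out here
    return idx


def inband_bytes(seg, last_byte_semantics=False):
    """Bytes an application that never asks for OOB data (e.g. no SO_OOBINLINE, no MSG_OOB) reads."""
    idx = urgent_index(seg, last_byte_semantics)
    p = seg["payload"]
    return p if idx is None else p[:idx] + p[idx + 1:]


def scrub_urgent(segment):
    """Inline normalization: clear URG and zero the urgent pointer so every host and the IDS
    see the same in-band bytes. Checksum recomputation is left out of this example."""
    buf = bytearray(segment)
    buf[13] &= ~TCP_URG & 0xFF          # flags byte
    struct.pack_into("!H", buf, 18, 0)  # urgent pointer field
    return bytes(buf)


def looks_like_http_request(data):
    """Minimal request-line check standing in for the inspector's first state:
    METHOD SP target SP HTTP/x.y CRLF, method being an upper-case alphabetic token."""
    line, sep, _rest = data.partition(b"\r\n")
    if not sep:
        return False
    parts = line.split(b" ")
    if len(parts) != 3:
        return False
    method, _target, version = parts
    return method.isalpha() and method.isupper() and version.startswith(b"HTTP/")


def build_segment(payload, urg_ptr=0):
    """Constructed PSH|ACK segment to port 80; URG is set only when a pointer is given."""
    flags = 0x18 | (TCP_URG if urg_ptr else 0)
    return TCP_HDR.pack(40000, 80, 1000, 1, 5 << 4, flags, 65535, 0, urg_ptr) + payload


# Constructed sample: one NUL byte flagged urgent ahead of an otherwise ordinary request.
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SEG_URG = build_segment(b"\x00" + REQUEST, urg_ptr=1)


def views(segment):
    """What the raw payload, the target's in-band stream and the scrubbed segment look like
    to the request-line check; useful when comparing the inspector's view with the host's."""
    seg = parse_tcp(segment)
    scrubbed = parse_tcp(scrub_urgent(segment))
    return {
        "raw_payload_parses": looks_like_http_request(seg["payload"]),
        "target_inband_parses": looks_like_http_request(inband_bytes(seg)),
        "scrubbed_inband_parses": looks_like_http_request(inband_bytes(scrubbed)),
    }


if __name__ == "__main__":
    print(views(SEG_URG))
```

Under the default convention the target drops the NUL byte and sees a well-formed request, while the raw payload fed to the parser does not parse, which is the mismatch described in the thread; with `last_byte_semantics=True` the same pointer value removes a different byte, which is why Russ points to RFC 6093 and recommends scrubbing inline rather than trying to second-guess the receiver. After `scrub_urgent`, every host reads the NUL in band and the inspector's view and the target's view coincide.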