Snort mailing list archives

Re: TCP Urgent data causes HTTPInspect to fail and prevents PAF to flush


From: hey <dnanar () gmail com>
Date: Fri, 16 Dec 2016 10:58:14 +0000

Thanks for the reply and the RFC.

The issue affects Snort 2.9.9.0 too. The one-line patch below makes
PAF skip urgent data; please let me know if you see any problem with
it.


Thanks,

-----------------
From: "Pierre Nicolas-Nicolaz, Future Systems"
Date: Fri, 16 Dec 2016 10:33:24 +0000
Subject: [PATCH] Make PAF skip urgent data

---
 src/preprocessors/Stream6/snort_stream_tcp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/preprocessors/Stream6/snort_stream_tcp.c
b/src/preprocessors/Stream6/snort_stream_tcp.c
index 1280d1e..e18b628 100644
--- a/src/preprocessors/Stream6/snort_stream_tcp.c
+++ b/src/preprocessors/Stream6/snort_stream_tcp.c
@@ -9753,7 +9753,7 @@ static inline uint32_t flush_pdu_ips (
StreamTcpConfig *config, TcpSession *ssn,
         wire_packet = pkt;
         flush_policy_for_dir = trk->flush_mgr.flush_policy;
         flush_pt = s5_paf_check( config->paf_config, &trk->paf_state, ssn->scb,
-                                 seg->payload, size, total, seg->seq, srv_port,
+                                 seg->payload+seg->urg_offset, size,
total, seg->seq, srv_port,
                                  flags, trk->flush_mgr.flush_pt);
         if (*flags & PKT_PURGE)
         {
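Review bot: the `+` line advances the buffer start by `seg->urg_offset` but still passes `size` unchanged as the length, so `s5_paf_check` is told there are `size` bytes beginning `urg_offset` bytes into the payload and can scan past the end of the segment; pass the shortened length as well (e.g. `size - seg->urg_offset`, guarded so it cannot underflow when `urg_offset` exceeds `size`), and check whether `total` must shrink by the same amount. `seg->seq` is also passed unchanged, so confirm whether the flush point `s5_paf_check` returns is relative to the buffer it was given and therefore needs `seg->seq + seg->urg_offset` to line up with the wire stream. The new call is wrapped across two lines in the mail (`size,` / `total, seg->seq, srv_port,`), so reflow it to one line before submitting or `git am` will reject the hunk.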
-- 
2.9.3

On Tue, Dec 13, 2016 at 10:31 AM, Russ <rucombs () cisco com> wrote:
Thanks for raising the issue.  Snort does some target-based handling of
urgent data and we should ensure that PAF skips any urgent data that will
not be flushed.  Urgent data is in general an unreliable mechanism and
inline deployments should enable normalization to scrub the urgent pointer
and offset.  See RFC 6093 for a summary of the issues with the
implementation of the TCP urgent mechanism.

https://tools.ietf.org/html/rfc6093


On 12/12/16 11:14 PM, hey wrote:

Hi,


While doing some testing with Snort, I noticed that Stream with PAF sends
the urgent data part of a TCP segment to HTTPInspect finite state machine.

For example, if the urgent pointer is set to 1 and if the urgent data is
"odd" (e.g. 0x00) HTTPInspect will fail and flushing won't happen as
desired; but if urgent data is "ok" (e.g. 0x41 'A') flushing will be fine.

This is a bit problematic with some configurations ignoring urgent data
(AFAIK at least Apache on top of Linux does that). If snort is inline and if
we want to drop the malicious packet, the flushing will only happen when
snort sees a RST packet (thus we just see a snort alert later and the
malicious packet has not been dropped).


It wouldn't be too complicated to make HTTPInspect skip the urgent data, or
to make a new HTTPInspect configuration option to choose whether or not to
skip the data. I'm curious to know why it hasn't been done (if I misunderstood
something).

On a broader scope, I'm interested in how Snort deals with urgent data. Is
there any particular technique/configuration recommendation? I'm aware of
papers such as [1] and [2] but I'm curious to know if there is anything that
goes deeper for the URG flag.


Thanks,



[1] Novak, Judy, and Steve Sturges. "Target-Based TCP Stream Reassembly."
[2] Novak, Judy, and Steve Sturges. "Target-Based TCP Timestamp Stream Reassembly."


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot



_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
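As an added illustration, not code from the thread or from Snort, the Python below models the receiver-side behaviour RFC 6093 documents for BSD-derived and Linux stacks (only the single byte before the urgent pointer leaves the in-band stream) and contrasts what a parser fed the raw segment sees with what the target application actually reads. `request_line_ok` is a constructed stand-in for a protocol parser's first check, not HTTPInspect, and the sample segment is constructed to match the thread's case (urgent pointer 1, urgent byte 0x00).

```python
# Added illustration: model of the receiver-side URG handling that RFC 6093
# reports for deployed stacks, next to a constructed request-line check.
# This is not Snort code and not HTTPInspect.

def inband_payload(payload: bytes, urg: bool, urg_ptr: int,
                   oob_inline: bool = False) -> bytes:
    """Bytes an application reading the socket normally would see.

    RFC 793 pointer semantics (the ones RFC 6093 found in real stacks): the
    urgent pointer is the offset of the first byte *after* the urgent data,
    so the one "urgent byte" is payload[urg_ptr - 1]. Only that byte is pulled
    out of band; everything before and after it stays in the normal stream.
    """
    if not urg or urg_ptr == 0 or oob_inline:
        return payload                    # no OOB byte, or SO_OOBINLINE set
    if urg_ptr > len(payload):
        return payload                    # urgent byte lies in a later segment
    return payload[:urg_ptr - 1] + payload[urg_ptr:]


def request_line_ok(data: bytes) -> bool:
    """Constructed stand-in for a parser's first step: an HTTP request line
    must open with an all-uppercase alphabetic method token and a space."""
    method, sep, _ = data.partition(b" ")
    return bool(sep) and method.isalpha() and method.isupper()


def compare_views(payload: bytes, urg_ptr: int) -> dict:
    """Two views of one URG segment: what a parser handed the raw segment
    bytes sees, and what a target that strips the urgent byte sees. The
    reassembler has to feed the second view to match such a target."""
    target_view = inband_payload(payload, urg=True, urg_ptr=urg_ptr)
    return {"raw_parses": request_line_ok(payload),
            "target_parses": request_line_ok(target_view),
            "target_view": target_view}


# Constructed sample: urgent pointer 1 and a single 0x00 urgent byte ahead
# of an ordinary request, as described in the thread.
SAMPLE = b"\x00GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    print(compare_views(SAMPLE, urg_ptr=1))
```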


