Snort mailing list archives
Re: TCP Urgent data causes HTTPInspect to fail and prevents PAF to flush
From: hey <dnanar () gmail com>
Date: Fri, 16 Dec 2016 10:58:14 +0000
Thanks for the reply and the RFC. The issue affects snort 2.9.9.0 too. The one-line patch below makes PAF skip urgent data, please let me know if you see any problem with it. Thanks, ----------------- From: "Pierre Nicolas-Nicolaz, Future Systems" Date: Fri, 16 Dec 2016 10:33:24 +0000 Subject: [PATCH] Make PAF skip urgent data --- src/preprocessors/Stream6/snort_stream_tcp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/preprocessors/Stream6/snort_stream_tcp.c b/src/preprocessors/Stream6/snort_stream_tcp.c index 1280d1e..e18b628 100644 --- a/src/preprocessors/Stream6/snort_stream_tcp.c +++ b/src/preprocessors/Stream6/snort_stream_tcp.c @@ -9753,7 +9753,7 @@ static inline uint32_t flush_pdu_ips ( StreamTcpConfig *config, TcpSession *ssn, wire_packet = pkt; flush_policy_for_dir = trk->flush_mgr.flush_policy; flush_pt = s5_paf_check( config->paf_config, &trk->paf_state, ssn->scb, - seg->payload, size, total, seg->seq, srv_port, + seg->payload+seg->urg_offset, size, total, seg->seq, srv_port, flags, trk->flush_mgr.flush_pt); if (*flags & PKT_PURGE) { -- 2.9.3 On Tue, Dec 13, 2016 at 10:31 AM, Russ <rucombs () cisco com> wrote:
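Review bot: the payload pointer handed to s5_paf_check() is advanced by seg->urg_offset, but the `size` and `total` arguments on the following line of the call, and `seg->seq`, are passed unchanged, so PAF is told it has `size` bytes starting urg_offset bytes into the segment and will scan urg_offset bytes past the end of the payload, and any flush point it reports is off by that much relative to the sequence number. Pass `size - seg->urg_offset` (adjusting total and the starting sequence number consistently) and guard the case where urg_offset is not smaller than size. A commit message body stating why urgent data must be skipped, with the RFC 6093 pointer from the earlier reply, would also help the next reader of this line.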
Thanks for raising the issue. Snort does some target-based handling of urgent data and we should ensure that PAF skips any urgent data that will not be flushed. Urgent data is in general an unreliable mechanism and inline deployments should enable normalization to scrub the urgent pointer and offset. See RFC 6093 for a summary of the issues with the implementation of the TCP urgent mechanism.

https://tools.ietf.org/html/rfc6093

On 12/12/16 11:14 PM, hey wrote:

Hi,

While doing some testing with Snort, I noticed that Stream with PAF sends the urgent data part of a TCP segment to HTTPInspect finite state machine. For example, if the urgent pointer is set to 1 and if the urgent data is "odd" (e.g. 0x00) HTTPInspect will fail and flushing won't happen as desired; but if urgent data is "ok" (e.g. 0x41 'A') flushing will be fine.

This is a bit problematic with some configurations ignoring urgent data (AFAIK at least Apache on top of Linux does that). If snort is inline and if we want to drop the malicious packet, the flushing will only happen when snort sees a RST packet (thus we just see a snort alert later and the malicious packet has not been dropped).

It wouldn't be too complicated to make HTTPInspect skip the urgent data, or to make a new HTTPInspect configuration option to choose to skip or not the data. I'm curious to know why it hasn't been done (if I misunderstood something).

On a broader scope, I'm interested in how Snort deals with urgent data. Is there any particular technique/configuration recommendation? I'm aware of papers such as [1] and [2] but I'm curious to know if there is anything that goes deeper for the URG flag.

Thanks,

[1] Novak, Judy, and Steve Sturges. "Target-Based TCP Stream Reassembly."
[2] Novak, Judy, and Steve Sturges. "Target-Based TCP Timestamp Stream Reassembly."
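The behaviour described in the thread, as an added model that is not code from the thread, the patch or Snort: the same segment is handed to a toy request-line flush check once with the urgent byte included and once with it skipped, with the length adjusted alongside the start pointer and an out-of-range urgent pointer clamped. segment_t, urgent_offset, reassemble and http_flush_point are constructed names, and treating the first urg_ptr bytes of a segment as urgent is a simplifying assumption.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a reassembled TCP segment (not Snort's StreamSegment). */
typedef struct {
    const uint8_t *payload;
    uint16_t size;     /* payload length on the wire */
    int urg;           /* TCP URG flag set? */
    uint16_t urg_ptr;  /* urgent pointer from the TCP header */
} segment_t;

/* Leading bytes treated as urgent. Assumption: the first urg_ptr bytes are
 * urgent (the "urgent pointer set to 1" case). Clamped to the payload length. */
static size_t urgent_offset(const segment_t *s)
{
    if (!s->urg || s->urg_ptr == 0) return 0;
    return s->urg_ptr < s->size ? s->urg_ptr : s->size;
}

/* Byte stream handed to the inspector: every wire byte (skip_urgent == 0, the
 * reported behaviour) or each segment minus its urgent prefix. Pointer and
 * length move together, so nothing is read past the end of a segment. */
static size_t reassemble(const segment_t *segs, size_t n, int skip_urgent,
                         uint8_t *out, size_t cap)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        size_t off = skip_urgent ? urgent_offset(&segs[i]) : 0;
        size_t len = segs[i].size - off;
        if (len > cap - used)
            len = cap - used;
        memcpy(out + used, segs[i].payload + off, len);
        used += len;
    }
    return used;
}

/* Toy stand-in for the HTTPInspect/PAF state machine: the request must start
 * with an ASCII method token and the flush point is the byte after the first
 * "\r\n\r\n". Returns 0 (no flush) when a stray 0x00 sits where the method is. */
static size_t http_flush_point(const uint8_t *buf, size_t len)
{
    if (len == 0 || buf[0] < 'A' || buf[0] > 'Z')
        return 0;
    for (size_t i = 3; i < len; i++)
        if (memcmp(buf + i - 3, "\r\n\r\n", 4) == 0)
            return i + 1;
    return 0;
}
```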
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- TCP Urgent data causes HTTPInspect to fail and prevents PAF to flush hey (Dec 12)
- Re: TCP Urgent data causes HTTPInspect to fail and prevents PAF to flush Russ (Dec 13)
- Re: TCP Urgent data causes HTTPInspect to fail and prevents PAF to flush hey (Dec 16)
- Re: TCP Urgent data causes HTTPInspect to fail and prevents PAF to flush Russ (Dec 13)