Ticket #8 (assigned defect)

Opened 11 years ago

Last modified 11 years ago

snort_inline does not drop packets that require reassembly

Reported by: rmcmillen Owned by: rmcmillen
Priority: major Milestone: roo-1.5
Component: Honeywall Version: 1.4b3
Keywords: Cc:

Description

In order for snort_inline to drop packets that require reassembly, it needs to see both sides of the communications. Currently, the honeywall only sends outbound traffic via snort_inline.

1. add this to snort_inline.conf: preprocessor stream4: disable_evation_alerts enforce_state 2. Send inbound traffic via the QUEUE.

Change History

Changed 11 years ago by rmcmillen

  • owner changed from [email protected] to rmcmillen
  • status changed from new to assigned

Changed 11 years ago by david

  • milestone set to roo-1.4

Changed 11 years ago by rmcmillen

  • version changed from 1.4b2 to 1.4b3
  • milestone changed from roo-1.4 to roo-1.5

Changed 11 years ago by rmcmillen

FYI

When I make all traffic flow through snort_inline, services like SSH become unavailable with the current ruleset. I found the following rule to be the culprit for my ssh service, and there could be more like this that affect other services:

alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; replace:"|37 86 0D AA|"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; reference:nessus,15822; classtype:misc-attack; sid:1838; rev:9;)

This is an alert that looks through the packets for the content "SSH-". This is part of the ssh protocol, and will be seen in every ssh session. The problem resides with the combination of the content, replace, and pcre keywords. The way snort_inline works, it replaces the contents when the content value is found. It does not take the pcre value into account. Without the replace keyword in the rule, snort would match based on the content, but would not trigger an alert unless the pcre also matched. Ideally, replace would not replace unless both the content and pcre matched.

I've also been talking to Will Metcalf, current maintainer of snort_inline, and he does not recommend blindly converting as many rules as possible to use replace. FYI, snort_inline does not maintain a set of snort_inline rules.

Will has also told me to not use replace in rules that contain the keyword flowbits:noalert because they are used in protocol identification/behavior, and are later checked in separate rules that alert/drop.

Note: See TracTickets for help on using tickets.