Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-users] Evasion Due to Multiple Instances of SPAN Traffic

from [Benjamin Small] Network Security [Permanent Link]
Subject: [Snort-users] Evasion Due to Multiple Instances of SPAN Traffic
Date: Thu, 28 Jun 2007 16:16:54 -0400 
Hello,

While working with Snort 2.6.1.5 I noticed a situation where snort was
inadvertently being evaded.
I have narrowed the root cause down to the stream4 preprocessor. When
reassembling both to_client
and to_server streams, it appears that duplicating certain packets causes
snort to miss an attack.
I demonstrate this in an attack where I attempt an /etc/passwd grab. None of
the attacker's packets
are duplicated, but I send three instances of the first response from the
server containing a payload
(and only the first packet with payload seems to matter). Oddly enough, if
you read the pcap as a file
"snort -r evaded.pcap", Snort fires. However, if snort is reading this
traffic from an interface it misses
the attack. To test this I used tcpreplay on a separate host.

This becomes a potential problem in IDS setups where traffic is being SPAN'd
to a monitoring interface
more than once. Since this can potentially cause every attack against an
application that utilizes TCP
to be missed, I wanted to bring this to the community's attention. This is
more common in environments
where complex SPAN sessions are used to relay data from multiple sources to
an IDS for monitoring.

I am attaching a pcap and the configuration used in my test. Disabling the
stream4 preprocessor or
setting the "noinspect" option prevents the IDS from missing the attack. The
pcap contains a series of
12 unique packets. The 8th unique packet is replicated twice, resulting in
three instances of the initial
response from the webserver after the attempted /etc/passwd grab. I only
replicated this packet since
after trying different variations of duplicating other packets, it appears
this packet was key for missing
the attack. I have attached a spreadsheet containing data surrounding my
tests. Each column contains
the number of times each packet in the sequence was transmitted.

Regards,
Benjamin Small

Attachment: evaded.pcap
Description: application/cap

Attachment: evaded.conf
Description: Binary data

Attachment: SnortEvadedSeq.ods
Description: application/vnd.oasis.opendocument.spreadsheet

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Snort-users] Evasion Due to Multiple Instances of SPAN Traffic, Benjamin Small <=
Previous by Date:  Re: [Snort-users] Rules to block FT, Atkins, Dwane P
Next by Date:  [Snort-users] Cannot get the sensors table to fill in., Louis Bohm
Previous by Thread:  [Snort-users] Mike Potamousis/Poughkeepsie/Contr/IBM is out of the office., Mike Potamousis
Next by Thread:  [Snort-users] Cannot get the sensors table to fill in., Louis Bohm
Indexes:  [Date] [Thread] [Top] [All Lists]