[Snort-users] Question on stream4 preprocessor




#1, 04-28-2004, sgt_b

Hey everyone,

Let's say an exploit is sent from one host to another, one byte at a
time. It's the stream4_reassemble preprocessor's job to reassemble each
byte of that session into its intended form, and pass that down to the
detection engine. From there the exploit attempt should be detected by
Snort.
I've tested this, and it works of course.
Here's my question though. As each packet is sent over the wire snort
picks it up one packet at a time. Each packet along the stream is sent
to the detection engine as well. If one of these packets triggers an
alert, what is supposed to happen?

From what I've read, it looks to me like there should be an alert
generated for that packet, as well as the entire stream once the session
is reassembled by stream4.

In practice though, I've noticed some different behavior. In testing
Nessus's Injection TCP NIDS evasion feature, I've noticed some
inconsistencies in Snort's reactions.
I'm testing this using the Apache Chunked encoding vulnerability
plugin. Utilizing the Injection method, Nessus will send the exploit to
the webserver one character at a time (i.e. G in one packet, E in the
next, T in another, etc.) along with garbage packets in between.

Snort will alert on any of the valid packets that only contain a '.' or
|20| as a libwhisker space splicing attempt. It will not however send
any alerts regarding the Chunked Encoding vulnerability.
At first I questioned stream4, but if I disable the libwhisker rule,
stream4 reassembles the packet just fine, and an alert is issued for the
chunked encoding vulnerability.

Shouldn't two alerts be issued though? One for the libwhisker attempt,
and once the stream is reassembled, one for the chunked encoding
vulnerability?



_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
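The two inspection points the post describes, a rule run against each one-byte segment as it arrives and a rule run against the session once the reassembler has put the bytes back together, as an added, self-contained model. This is not code from the original post or from Snort: the reassembler is a toy, the two rules are simplified stand-ins for the whisker space-splicing rule and the Apache chunked-encoding rule rather than the real signatures, the request is constructed, and the Nessus "injection" garbage is assumed to be segments with bad TCP checksums that the target host discards.

```python
"""Toy model of per-packet vs. reassembled-stream inspection (added example,
not Snort's code). Rules, request and the bad-checksum "injection" segments
are simplified assumptions, not the real signatures or Nessus behaviour."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int                  # sequence number of the first payload byte
    payload: bytes
    checksum_ok: bool = True  # False marks an injected garbage segment (assumption)


@dataclass
class Rule:
    sid: int
    msg: str
    pattern: re.Pattern       # matched against whatever buffer detection sees


RULES = [
    # Stand-in for the whisker space/dot splice rule: the whole payload is one
    # space or one dot (the anchors play the role of dsize:1 plus content).
    Rule(1, "whisker space splice attempt", re.compile(rb"\A[ .]\Z")),
    # Stand-in for the chunked-encoding rule: can only match once the header
    # is contiguous, so never on a single one-byte segment.
    Rule(2, "Transfer-Encoding: chunked", re.compile(rb"Transfer-Encoding:\s*chunked", re.I)),
]


def inspect(data: bytes) -> list[int]:
    """Run every rule over one buffer: a single segment or a reassembled stream."""
    return [r.sid for r in RULES if r.pattern.search(data)]


class Reassembler:
    """Minimal client-to-server reassembler; first-come wins on overlapping bytes."""

    def __init__(self, isn: int, verify_checksum: bool = True):
        self.isn = isn
        self.verify_checksum = verify_checksum
        self.bytes_by_seq: dict[int, int] = {}

    def accept(self, seg: Segment) -> bool:
        # The server discards bad-checksum segments; a reassembler that wants to
        # see what the server sees has to discard them too.
        if self.verify_checksum and not seg.checksum_ok:
            return False
        for i, b in enumerate(seg.payload):
            self.bytes_by_seq.setdefault(seg.seq + i, b)
        return True

    def flush(self) -> bytes:
        """Return the in-order bytes from the ISN, stopping at the first hole."""
        out, seq = bytearray(), self.isn
        while seq in self.bytes_by_seq:
            out.append(self.bytes_by_seq[seq])
            seq += 1
        return bytes(out)


# Constructed request carrying the header the chunked-encoding stand-in looks for.
REQUEST = b"GET / HTTP/1.1\r\nHost: target\r\nTransfer-Encoding: chunked\r\n\r\n"


def split_one_byte(request: bytes, isn: int, inject: bool) -> list[Segment]:
    """One byte per segment; with inject=True a bad-checksum garbage segment
    claiming the same sequence number goes out just before each real byte."""
    segs: list[Segment] = []
    for i, b in enumerate(request):
        if inject:
            segs.append(Segment(isn + i, b"X", checksum_ok=False))
        segs.append(Segment(isn + i, bytes([b])))
    return segs


def run(inject: bool = True, verify_checksum: bool = True) -> dict:
    """Feed the segments through per-packet detection and the reassembler."""
    isn = 1000
    rs = Reassembler(isn, verify_checksum)
    per_packet = []
    for seg in split_one_byte(REQUEST, isn, inject):
        if not rs.accept(seg):
            continue                      # dropped segments never reach detection here
        hits = inspect(seg.payload)       # detection on the individual packet
        if hits:
            per_packet.append((seg.seq, seg.payload, hits))
    stream = rs.flush()                   # the reassembled "pseudo-packet"
    return {
        "reassembled": stream,
        "per_packet_alerts": per_packet,  # only sid 1, on the ' ' and '.' bytes
        "stream_alerts": inspect(stream), # sid 2, once the header is whole
    }


if __name__ == "__main__":
    for verify in (True, False):
        r = run(verify_checksum=verify)
        print(f"verify_checksum={verify}: {len(r['per_packet_alerts'])} per-packet "
              f"alerts, stream alerts {r['stream_alerts']}, data {r['reassembled'][:16]!r}")
```

With checksum verification on, the per-packet pass fires the splice stand-in on each lone space or dot while the chunked-encoding stand-in fires only on the reassembled buffer, which is the pair of alerts the post expects. Setting `verify_checksum=False` shows the evasion the injection packets are aimed at: a reassembler that believes the garbage segments ends up with a buffer of `X` bytes and no chunked-encoding alert at all.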