mailing list archives
Re: [Snort-users] Snort DoS Fallacies
From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 13 Sep 2005 17:36:46 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Ok, let's see if we can kill the "analysis" and random speculation
dead with this thread.
On Sep 13, 2005, at 10:47 AM, Ferguson, Justin (IARC) wrote:
First, if we are using the option -A fast:
146 if(msg != NULL)
208 if(p && data->packet_flag)
210 fputc('\n', data->file);
213 PrintIPPkt(data->file, p->iph->ip_proto, p);
That's not right. This will only happen if you give Snort a config
directive in the snort.conf file with a specific argument. You
didn't bother to check where the data->packet_flag is set, when you
specify fast as a command line option the alerting plugin is
automatically loaded with a NULL argument string. Here's the config
line you need to make it happen:
output alert_fast: packet
I've never seen anyone configure their system like that, although I'm
sure someone must have or else the code wouldn't be there (it
basically recreates "Full" mode and loses purpose of "Fast" mode).
Regardless, it's not the default and not accessible from the command
If "a lot of people" are logging in ASCII mode then nobody is reading
the docs, the books, the mailing list archives or thinking about how
ASCII mode logging works with real file systems. If you do this
there's another DoS waiting for you in your future, the one where the
ASCII logging system exhausts your filesystem's inodes. If you read
the mailing list archives from the last several years you'll see it
come up from time to time, I think there's even a FAQ entry for it,
not to mention info in the various config guides on not DoS'ing
yourself. For the record, NO PRODUCTION SNORT DEPLOYMENT SHOULD EVER
(EVER!!!) RUN WITH ASCII LOGGING!!! Everyone should be using
unified, database or binary (pcap) logging for production sensors,
period end of story. ASCII logging is suitable only for testing and
lab environments, that's it.
Second, if we are logging in ASCII mode (a lot of people):
Also, in the frag3 preprocessor, also I'm not sure what the point
of defining DEBUG_FRAG3 at compile time would be (at least in this
code segment), as the execution flow is exactly the same:
It can also be called in the stream4 preprocessor, if a few
debugging conditions are met:
That's debug code there, we (developers) only enable that when we're
testing stuff out. If you turn on all Snort's debug code you aren't
running an IDS anymore, you're running chargen. :) It's in there for
when developers need to "lift the hood" on Snort to figure out what's
happening behind the scenes. No production sensor should ever be
deployed with debug code enabled (unless you're debugging code, but
then that's no longer a production sensor, QED).
Additionally, as the second part of the misrepresentation of data,
there is several bugs in PrintTCPOptions(), which is apparent by
the changes they made-- these include nearly all of the TCP
options, not just SACK. These include the following options:
TCPOPT_MAXSEG, TCPOPT_WSCALE, TCPOPT_ECHO, TCPOPT_ECHOREPLY,
TCPOPT_TIMESTAMP, TCPOPT_CC, TCPOPT_CCNEW, TCPOPT_CCECHO, and _any_
unrecognized or invalid option.
Actually, if you had done the research you would have seen that this
DoS condition doesn't work for:
or _any_ unrecognized or invalid option.
While we were cleaning up the code for the SACK problem we thought
we'd make sure that there could never be another NULL ptr dereference
in that code. Whether or not these are "bugs" (as you term them) is
open to interpretation because they don't look like you can exercise
them, but they certainly weren't as solid as they could have been so
we cleaned them up.
However, the snort team did say one thing correctly, and that these
all are NULL pointer dereferences, and therefore only a DoS and not
exploitable to run arbitrary code.
Wow, we did almost as well as you!!
BTW, you missed that we also call PrintTCPHeader in spo_alert_full.c,
which is actually done in the default config case, so this is
something you might want to worry about if you're using full alerting
for whatever reason. For the record, the recommended alerting modes
for a production sensor are unified, syslog or database.
I *strongly* recommend that people use unified logging/alerting for
the foreseeable future, this is The Right Way (and the high
performance way) to run a Snort sensor.
So, to summarize, there's an additional problem if you're using ASCII
mode logging, but if you've been running Snort for any time you
should know never to do that on a production sensor. There is an
actual real live issue if you run with Full-mode alerting, but you
should typically be using a more robust alerting mode for production
sensors anyway. If you're the one person on the planet that's
running Fast-mode alerting with the 'packet' config option turned on,
you should probably just switch to Full and get it over with since
they're effectively the same thing. There are no additional TCP
Options processing that have this issue at this time that I'm aware
of, if anyone knows otherwise please feel free to submit a report to
me or snort-team () sourcefire com
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
-----END PGP SIGNATURE-----
- Re: [Snort-users] Snort DoS Fallacies Martin Roesch (Sep 13)