Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [Snort-users] Snort DoS Fallacies
From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 13 Sep 2005 17:36:46 -0400

Hash: SHA1

Ok, let's see if we can kill the "analysis" and random speculation dead with this thread.

Comments inline:

On Sep 13, 2005, at 10:47 AM, Ferguson, Justin (IARC) wrote:

First, if we are using the option -A fast:

134 AlertFast()
146 if(msg != NULL)
147 {
208 if(p && data->packet_flag)
209 {
210 fputc('\n', data->file);
212 if(p->iph)
213 PrintIPPkt(data->file, p->iph->ip_proto, p);

That's not right. This will only happen if you give Snort a config directive in the snort.conf file with a specific argument. You didn't bother to check where the data->packet_flag is set, when you specify fast as a command line option the alerting plugin is automatically loaded with a NULL argument string. Here's the config line you need to make it happen:

output alert_fast: packet

I've never seen anyone configure their system like that, although I'm sure someone must have or else the code wouldn't be there (it basically recreates "Full" mode and loses purpose of "Fast" mode). Regardless, it's not the default and not accessible from the command line.
Second, if we are logging in ASCII mode (a lot of people):
If "a lot of people" are logging in ASCII mode then nobody is reading the docs, the books, the mailing list archives or thinking about how ASCII mode logging works with real file systems. If you do this there's another DoS waiting for you in your future, the one where the ASCII logging system exhausts your filesystem's inodes. If you read the mailing list archives from the last several years you'll see it come up from time to time, I think there's even a FAQ entry for it, not to mention info in the various config guides on not DoS'ing yourself. For the record, NO PRODUCTION SNORT DEPLOYMENT SHOULD EVER (EVER!!!) RUN WITH ASCII LOGGING!!! Everyone should be using unified, database or binary (pcap) logging for production sensors, period end of story. ASCII logging is suitable only for testing and lab environments, that's it.
Also, in the frag3 preprocessor, also I'm not sure what the point of defining DEBUG_FRAG3 at compile time would be (at least in this code segment), as the execution flow is exactly the same: It can also be called in the stream4 preprocessor, if a few debugging conditions are met:

That's debug code there, we (developers) only enable that when we're testing stuff out. If you turn on all Snort's debug code you aren't running an IDS anymore, you're running chargen. :) It's in there for when developers need to "lift the hood" on Snort to figure out what's happening behind the scenes. No production sensor should ever be deployed with debug code enabled (unless you're debugging code, but then that's no longer a production sensor, QED).
Additionally, as the second part of the misrepresentation of data, there is several bugs in PrintTCPOptions(), which is apparent by the changes they made-- these include nearly all of the TCP options, not just SACK. These include the following options:

TCPOPT_TIMESTAMP, TCPOPT_CC, TCPOPT_CCNEW, TCPOPT_CCECHO, and _any_ unrecognized or invalid option.

Actually, if you had done the research you would have seen that this DoS condition doesn't work for:
or _any_ unrecognized or invalid option.

While we were cleaning up the code for the SACK problem we thought we'd make sure that there could never be another NULL ptr dereference in that code. Whether or not these are "bugs" (as you term them) is open to interpretation because they don't look like you can exercise them, but they certainly weren't as solid as they could have been so we cleaned them up.
However, the snort team did say one thing correctly, and that these all are NULL pointer dereferences, and therefore only a DoS and not exploitable to run arbitrary code.
Wow, we did almost as well as you!!

BTW, you missed that we also call PrintTCPHeader in spo_alert_full.c, which is actually done in the default config case, so this is something you might want to worry about if you're using full alerting for whatever reason. For the record, the recommended alerting modes for a production sensor are unified, syslog or database.

I *strongly* recommend that people use unified logging/alerting for the foreseeable future, this is The Right Way (and the high performance way) to run a Snort sensor.

So, to summarize, there's an additional problem if you're using ASCII mode logging, but if you've been running Snort for any time you should know never to do that on a production sensor. There is an actual real live issue if you run with Full-mode alerting, but you should typically be using a more robust alerting mode for production sensors anyway. If you're the one person on the planet that's running Fast-mode alerting with the 'packet' config option turned on, you should probably just switch to Full and get it over with since they're effectively the same thing. There are no additional TCP Options processing that have this issue at this time that I'm aware of, if anyone knows otherwise please feel free to submit a report to me or snort-team () sourcefire com

- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

Version: GnuPG v1.4.1 (Darwin)


  By Date           By Thread  

Current thread:
  • Re: [Snort-users] Snort DoS Fallacies Martin Roesch (Sep 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]