Home page logo
/

snort logo Snort mailing list archives

Re: HTTP Reassembly issue PAF enabled
From: Hui Cao <hcao () sourcefire com>
Date: Wed, 3 Apr 2013 14:37:52 -0400

Hi Parmendra,

Thanks for reporting this issue. We have fixed some unified2 issue in
2.9.4.5 (just released). Let us know whether this solves your issue.
Also, we have additional fixes in the future release.

In general, if snort alerts on a reassembled packet, it will log the
raw packets which triggers the flushing. PAF will impact on flushing.

Best,
Hui.

On Tue, Apr 2, 2013 at 6:38 PM, Parmendra Pratap
<parmendra.pratap () yahoo com> wrote:
Hi

I have been looking into snort lately for IDS and network data analysis
needs at work.
Looks like have uncovered an issue with PAF enabled reassembly of HTTP data
or may be perhaps in the alert plugins.
Any input is well appreciated.

Apparently with PAF enabled the HTTP specific checks fire off only on the
receipt of subsequent ACK packet even if the HTTP PDU data fits completely
in the current packet.
With PAF disabled the issue seems to correct itself.
Looking at the code in snort_httpinspect.c , it appears that HTTP specific
processing is short circuited due to the following check

#ifdef ENABLE_PAF
    if ( ScPafEnabled() &&
        (p->packet_flags & PKT_STREAM_INSERT) &&

        !PacketHasFullPDU(p) )
PacketHasFullPDU(p) only evaluates true on receipt of subsequent ACK even if
the current packet does hold the complete PDU.

Steps to replicate:
Below is a rule to print alert on receipt of  GET HTTP requests.
custom_log tcp any any <> any 80 (msg:"DUMP"; content:"GET"; http_method;
sid:1000001;rev:1)
ruletype custom_log {
 type  alert
 output alert_full
 output log_tcpdump: log_alert.csv.dump
}

Try any curl/wget request now.

Test 1 -(PAF enabled)
Log from alert_full with paf_max = 16000
[Priority: 0]
04/02-22:59:33.414512 10.0.144.XXX:2228 -> 10.8.XX.XX
TCP TTL:64 TOS:0x0 ID:23556 IpLen:20 DgmLen:443 DF
***A**** Seq: 0x88CC7A97  Ack: 0x504A44DD  Win: 0x3CB8  TcpLen: 20

Test 2 -(PAF disabled)
Log from alert_full with paf_max = 0
[**] [1:1000001:1] DUMP [**]
[Priority: 0]
04/02-23:09:35.761077 10.0.XX.XX:2286 -> 10.8.XX.XX
   TCP TTL:122 TOS:0x0 ID:52317 IpLen:20 DgmLen:443 DF
    ***AP*** Seq: 0xDB1E4DB7  Ack: 0x66F537C3  Win: 0xFFFF  TcpLen: 20

Close look will reveal that the TCP headers are different - A vs AP.
TCP dump and wireshark capture confirms that Test 2 results are correct
whereas Test 1 is showing incorrect TCP data in the alert log.

Thanks
PP






------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire
the most talented Cisco Certified professionals. Visit the
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault