Snort mailing list archives
stream4 reassembly oddity
From: "mark smith" <markcs () wildmail com>
Date: Fri, 7 Jan 2005 13:37:46 +1000
Hi,

I'm writing a preprocessor to detect novel worm propagation and I'm basing it on stream4's ability to reassemble streams of sessions. During some testing of how stream4 handles stream reassembly of some Code Red (CR) traffic I've noticed something that seems a bit odd.

The CR client sends the attack payload in 3 packets, each one of which is ACKed by the server. The server then sends a 4 byte packet to the client with just the payload "GET <CR/LF>", then nothing else for that session. Following this the newly infected web server starts new sessions, random SYN scanning for new vulnerable hosts, but doesn't play nice and FINalise the session.

The stream pp reassembles the first 2 attack packets into an uberpacket just fine but never flushes the 3rd attack packet. It seems that the stream pp is waiting for some sort of session termination to occur before flushing the final attack payload packet. I've tried setting the session timeout configuration option to 15 seconds (which is recognised by snort, as seen by the "Session timeout: 15 seconds" message at startup) but it doesn't seem to make any difference.

Anyone have any bright ideas so I can avoid wading through the source of the stream pp?

Thanks,
Mark.

The ideals which have lighted my way, and time after time given me new courage to face life cheerfully, have been kindness, beauty, and truth. The trite subjects of life - possessions, outward success, luxury - have always seemed contemptible.
Albert Einstein
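The behaviour Mark describes (the first two segments reassembled and flushed, the third held until something ends the session) is easier to reason about with a small model of when a reassembler hands buffered data to the detection engine. The following is an added example, not code from Snort's stream4 or from this thread: a toy reassembler with three hypothetical flush triggers (a buffered-byte threshold, FIN/RST, and an idle-timeout sweep). The flow key, the payload bytes, the 1000-byte threshold and the 15-second sweep are constructed for the simulation and do not reproduce stream4's real flush points or its configuration semantics; the point is only that a trailing segment below the threshold is never seen by the engine unless the session closes or an idle-timeout sweep flushes it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SESSION_ID = "10.0.0.5:1234->10.0.0.80:80"   # constructed flow key, not from the post


@dataclass
class Segment:
    seq: int             # TCP sequence number of the first payload byte
    payload: bytes
    ts: float            # arrival time in seconds on a constructed clock
    close: bool = False  # True when FIN or RST is set on the segment


@dataclass
class Direction:
    buffered: List[Segment] = field(default_factory=list)


@dataclass
class Session:
    c2s: Direction = field(default_factory=Direction)
    s2c: Direction = field(default_factory=Direction)
    last_seen: float = 0.0


FlushRecord = Tuple[str, str, str, bytes]   # (session, direction, reason, data)


class ToyReassembler:
    """Hypothetical reassembler: one direction's buffer is flushed as a single
    reassembled 'uberpacket' when the buffered byte count reaches
    flush_threshold, when the direction closes (FIN/RST), or when sweep()
    finds the session idle longer than session_timeout (if one is set)."""

    def __init__(self, flush_threshold: int, session_timeout: Optional[float] = None) -> None:
        self.flush_threshold = flush_threshold
        self.session_timeout = session_timeout
        self.sessions: Dict[str, Session] = {}
        self.flushed: List[FlushRecord] = []   # what the detection engine would see

    def _flush(self, sid: str, dname: str, d: Direction, reason: str) -> None:
        if not d.buffered:
            return
        # Order by sequence number so a reordered segment lands in place.
        data = b"".join(s.payload for s in sorted(d.buffered, key=lambda s: s.seq))
        self.flushed.append((sid, dname, reason, data))
        d.buffered.clear()

    def segment(self, sid: str, dname: str, seg: Segment) -> None:
        sess = self.sessions.setdefault(sid, Session())
        sess.last_seen = seg.ts
        d = sess.c2s if dname == "c2s" else sess.s2c
        if seg.payload:
            d.buffered.append(seg)
        buffered_bytes = sum(len(s.payload) for s in d.buffered)
        if seg.close:
            self._flush(sid, dname, d, "close")
        elif buffered_bytes >= self.flush_threshold:
            self._flush(sid, dname, d, "threshold")

    def sweep(self, now: float) -> None:
        """Idle-timeout pass: flush and drop sessions quiet for too long."""
        if self.session_timeout is None:
            return
        for sid in list(self.sessions):
            sess = self.sessions[sid]
            if now - sess.last_seen > self.session_timeout:
                self._flush(sid, "c2s", sess.c2s, "timeout")
                self._flush(sid, "s2c", sess.s2c, "timeout")
                del self.sessions[sid]

    def pending_bytes(self, sid: str, dname: str) -> int:
        """Bytes still buffered (never delivered to the engine) for one direction."""
        sess = self.sessions.get(sid)
        if sess is None:
            return 0
        d = sess.c2s if dname == "c2s" else sess.s2c
        return sum(len(s.payload) for s in d.buffered)


def simulate_unterminated_session(session_timeout: Optional[float]) -> ToyReassembler:
    """Replay the shape of the session in the post: three client data segments,
    one short server reply, then no FIN/RST. Payloads are constructed filler."""
    r = ToyReassembler(flush_threshold=1000, session_timeout=session_timeout)
    payloads = [b"A" * 600, b"B" * 600, b"C" * 300]   # constructed stand-ins
    seq, t = 1000, 0.0
    for p in payloads:
        r.segment(SESSION_ID, "c2s", Segment(seq, p, t))
        seq += len(p)
        t += 0.1
    r.segment(SESSION_ID, "s2c", Segment(5000, b"GET\r\n", t))   # constructed reply
    # The client never closes the session; it moves on to new connections.
    r.sweep(now=20.0)
    return r


if __name__ == "__main__":
    for timeout in (None, 15.0):
        r = simulate_unterminated_session(timeout)
        print(f"timeout={timeout}: flushed={[ (d, why, len(data)) for _, d, why, data in r.flushed ]}, "
              f"still buffered c2s={r.pending_bytes(SESSION_ID, 'c2s')} bytes")
```

With no idle sweep the engine sees only the 1200-byte uberpacket and the 300-byte tail stays buffered indefinitely, which is the symptom in the post; with a sweep the tail (and the server's reply) is delivered with reason "timeout" once the session has been quiet longer than the configured value. Whether a real stream4 timeout also triggers a flush, rather than only freeing the session state, is exactly the question the post leaves open.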