Snort mailing list archives
Re: stream5 preprocessor: 'STREAM5_NO_TIMESTAMP' alert in combination with TCP Keep-Alives from BSD/Darwin
From: Bram <bram-fabeg () mail wizbit be>
Date: Tue, 20 Aug 2013 09:43:56 +0200
Hi,

Was this message taken into consideration? (I received no reply on it?) Even if the code is left unchanged it seems appropriate to mention this in the documentation of the '129:14' rule. (Speaking of which: it seems documentation for '129:14' is missing?)

Best regards,
Bram

Quoting Bram <bram-fabeg () mail wizbit be>:
Hi,
The TCP implementation on *BSD (and by extension on Darwin) appears
to contain a bug:
When the TCP session is idle then it sends a 'TCP Keep-Alive' packet
to determine if the connection still exists.
This is expected.
However, the 'TCP Keep-Alive' packet does not have the timestamp
option set.
This causes snort to generate the alert 'STREAM5_NO_TIMESTAMP'.
While the event is correct, it is a bit undesirable since this makes
it difficult to see unexplained anomalies/actual problems.
Attached is a patch which detects the 'TCP KeepAlive' packets sent
by BSD/Darwin and prevents the alert from being generated.
I'm not sure if the 'TCP KeepAlive' packet should be ignored by
default. Perhaps it's better to add a config option for it?
Also, when *BSD/Darwin sends an ACK on a 'TCP Keep-Alive' packet,
it does appear to include the timestamp.
(This was detected due to a PPTP client being connected from a Mac:
TCP idle -> keep-alives sent.)
Attached are four dumps:
* keepalive.pcap: connection between NetBSD and Linux (NetBSD sending Keep-Alive)
* keepalive2.pcap: connection between NetBSD and NetBSD
* keepalive4.pcap: connection between Linux and NetBSD host (Linux sending Keep-Alive)
* no_timestamp.pcap: TCP session created using raw sockets
Configuration file used:
config checksum_mode: all
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
preprocessor stream5_global: track_tcp yes, \
    track_udp no, \
    track_icmp no, \
    max_tcp 262144, \
    max_udp 131072
preprocessor stream5_tcp: policy windows, detect_anomalies
alert ( msg: "STREAM5_NO_TIMESTAMP"; sid: 14; gid: 129; rev: 1; metadata: rule-type preproc ; )
output alert_fast: stdout
Output:
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive.pcap 2>&1 | grep '129:'
07/22-14:16:03.787282 [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52185 -> 192.168.173.50:6666
07/22-14:16:13.787173 [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52185 -> 192.168.173.50:6666
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive2.pcap 2>&1 | grep '129:'
07/22-14:18:45.965624 [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52179 -> 192.168.173.51:6666
07/22-14:18:55.965523 [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.51:52179 -> 192.168.173.51:6666
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive3.pcap 2>&1 | grep '129:'
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/no_timestamp.pcap 2>&1 | grep '129:'
08/01-16:33:02.253871 [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.1:6000 -> 192.168.173.153:33705
Output with patched version:
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive.pcap 2>&1 | grep '129:'
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive2.pcap 2>&1 | grep '129:'
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/keepalive3.pcap 2>&1 | grep '129:'
$ snort -v -l /var/log -c /etc/ips/snort.conf --daq-dir /lib/daq/ -r /tmp/no_timestamp.pcap 2>&1 | grep '129:'
08/01-16:33:02.253871 [**] [129:14:1] TCP Timestamp is missing [**] [Priority: 0] {TCP} 192.168.173.1:6000 -> 192.168.173.153:33705
=> No alert on TCP Keep-Alive from BSD/Darwin.
Best regards,
Bram
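As an added illustration (not Bram's patch, which is not reproduced on this page): a small Python triage check that parses a bare TCP segment, tests for the timestamp option (kind 8) and separates the RFC 1122 keep-alive shape (ACK only, no payload, sequence number one below what the peer expects) from other timestamp-less segments, which is the distinction a tuned 129:14 check would have to draw. The keep-alive shape is taken from RFC 1122 as an assumption, not from anything the post states about the BSD probe; ports, sequence and timestamp values are constructed.

```python
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_TIMESTAMP = 0, 1, 8
TH_ACK = 0x10

def parse_options(raw: bytes) -> dict:
    """Walk the TCP option list into {kind: value}; NOP has no length, EOL ends the list."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != TCP_OPT_EOL:
        if raw[i] == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        opts[raw[i]] = raw[i + 2:i + raw[i + 1]]
        i += raw[i + 1]
    return opts

def parse_tcp(seg: bytes) -> dict:
    """Parse a TCP segment (no IP header) into seq, flags, options and payload length."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    _sp, _dp, seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    hlen = (off_flags >> 12) * 4
    if hlen < 20 or hlen > len(seg):
        raise ValueError("bad data offset")
    return {"seq": seq, "flags": off_flags & 0x1FF,
            "options": parse_options(seg[20:hlen]), "payload_len": len(seg) - hlen}

def classify(seg: bytes, expected_seq: int) -> str:
    """Timestamped segments are fine. An ACK-only, empty segment whose seq is one behind
    the peer's expected seq matches the RFC 1122 keep-alive probe (assumed here to be the
    BSD/Darwin shape). Any other timestamp-less segment is a real anomaly to alert on."""
    t = parse_tcp(seg)
    if TCP_OPT_TIMESTAMP in t["options"]:
        return "ok"
    if t["flags"] == TH_ACK and t["payload_len"] == 0 \
            and (t["seq"] + 1) & 0xFFFFFFFF == expected_seq & 0xFFFFFFFF:
        return "keepalive-no-timestamp"
    return "no-timestamp"

def build_segment(seq: int, flags: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed test segment: options padded to 4 bytes, checksum left as zero."""
    options += b"\x00" * (-len(options) % 4)
    hlen = 20 + len(options)
    hdr = struct.pack("!HHIIHHHH", 52185, 6666, seq, 1000, (hlen // 4) << 12 | flags, 65535, 0, 0)
    return hdr + options + payload

TS_OPT = b"\x01\x01\x08\x0a" + struct.pack("!II", 12345, 678)  # NOP NOP TSopt(len 10)
```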
