Snort Sniffer May Not Detect Certain Types of Packets in the Default Configuration
SecurityTracker Alert ID: 1006399
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 28 2003
Impact: Host/resource access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.9.1
Description: A vulnerability was reported in Snort 1.9.1. The sniffer may fail to detect certain types of packets.
It is reported that, with the default 'snort.conf' configuration, a remote user can send certain specially crafted packets that will not be detected by the network sniffer. TCP packets with the SYN, FIN and ECN echo bits set may not be detected if the 'detect_scans' option is set in the stream4 preprocessor.
A demonstration using the 'hping2' utility is provided:
hping2 -t 104 -N -W -s 18245 -p 21536 -S -F -X 'IP Address'
An example of such a packet is provided in the Source Message.
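The detection lesson of this report, as an added example that is not part of the advisory or of Snort's own code: it decodes the TCP header from the packet hex dump quoted in the source message and contrasts a brittle exact-match SYN/FIN check, which the extra ECN echo bit defeats, with a masked check that still fires. The page does not describe the mechanism inside stream4, so the exact-match function is only an illustration of the failure mode, not a reconstruction of Snort's logic.

```python
import struct

# Constructed from the IP+TCP header hex dump quoted in the report (40 bytes).
PACKET_HEX = (
    "4500 0028 13ec 0000 6806 28db 0a01 0106"
    "0a01 0102 474a 5420 4640 0759 0bec 8b73"
    "5043 0200 1735 0000"
)

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
# Letters in tcpdump's print order, so flags 0x43 render as "SFE" as in the report.
FLAG_LETTERS = [(SYN, "S"), (FIN, "F"), (RST, "R"), (PSH, "P"),
                (ACK, "A"), (URG, "U"), (ECE, "E"), (CWR, "C")]


def parse_tcp(raw: bytes) -> dict:
    """Decode the TCP header of a raw IPv4 packet (no link-layer header)."""
    ihl = (raw[0] & 0x0F) * 4                    # IPv4 header length in bytes
    if raw[9] != 6:
        raise ValueError("not a TCP packet")
    sport, dport, seq, _ack, off_flags, win = struct.unpack("!HHIIHH", raw[ihl:ihl + 16])
    return {
        "src": ".".join(map(str, raw[12:16])),
        "dst": ".".join(map(str, raw[16:20])),
        "sport": sport, "dport": dport, "seq": seq, "win": win,
        "flags": off_flags & 0xFF,               # low byte of the offset/flags word
    }


def flag_string(flags: int) -> str:
    return "".join(letter for bit, letter in FLAG_LETTERS if flags & bit)


def exact_synfin(flags: int) -> bool:
    """Brittle: fires only when SYN and FIN are the *only* bits set."""
    return flags == (SYN | FIN)


def masked_synfin(flags: int) -> bool:
    """Robust: SYN together with FIN is anomalous whatever else is set."""
    return (flags & (SYN | FIN)) == (SYN | FIN)


if __name__ == "__main__":
    pkt = parse_tcp(bytes.fromhex(PACKET_HEX))
    print(f"{pkt['src']}:{pkt['sport']} > {pkt['dst']}:{pkt['dport']} "
          f"flags={flag_string(pkt['flags'])} (0x{pkt['flags']:02x}) win={pkt['win']}")
    print("exact SYN|FIN check :", exact_synfin(pkt["flags"]))   # False: ECE bit defeats it
    print("masked SYN|FIN check:", masked_synfin(pkt["flags"]))  # True
```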
Impact: A remote user could send packets that would not be detected properly by Snort.
Solution: The vendor has issued a fixed version (Snort-2.0.0rc1), available at:
http://www.snort.org/dl/snort-2.0.0rc1.tar.gz
According to the report, Snort-1.9.1 can detect these packets if the portscan preprocessor is enabled or the detect_scans option in the stream4 preprocessor is disabled.
Vendor URL: www.snort.org/
Cause: State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: "Toby Miller" <toby_miller@adelphia.net>
Message History:
None.
Source Message Contents
Date: Wed, 26 Mar 2003 22:16:22 -0500
From: "Toby Miller" <toby_miller@adelphia.net>
Subject: Problems with Snort-1.9.1
Problem: Snort-1.9.1 using a default snort.conf configuration does not detect certain crafted packets.
Details: Snort-1.9.1 does not detect packets when the SYN, FIN and ECN echo bits are set. The following is an example of a packet:
12:37:12.386797 10.1.1.6.18250 > 10.1.1.2.21536: SFE [tcp sum ok] 1178601305:1178601305(0) win 512 (ttl 104, id 5100, len 40)
0x0000  4500 0028 13ec 0000 6806 28db 0a01 0106  E..(....h.(.....
0x0010  0a01 0102 474a 5420 4640 0759 0bec 8b73  ....GJT.F@.Y...s
0x0020  5043 0200 1735 0000                      PC...5..
Testing: In order to test this I used hping2 and the following switches:
hping2 -t 104 -N -W -s 18245 -p 21536 -S -F -X 'IP Address'
When performing this test I found that Snort would detect a SYN,FIN packet provided that the ECN echo bit was not set in the same packet.
Problem: With the detect_scan option set in the stream4 preprocessor Snort would not detect these packets.
Impact: Snort will not catch certain scans or attacks using these TCP/IP flags.
Solution: Upgrade to Snort-2.0.0rc1 (www.snort.org/dl/snort-2.0.0rc1.tar.gz), or if you need to use Snort-1.9.1 to detect these packets, one would have to enable the portscan preprocessor or delete the detect_scans option in the stream4 preprocessor.
I would like to thank Chris Green of Snort for responding quickly to this problem.
Thanks,
Toby