Hosting Provided By

snort_inline-1.9.1-2 release

From: Rob McMillen <rvmcmil(at)cablespeed.com>
Date: Sun Mar 30 2003 - 13:24:56 EST

The Honeynet Project has updated snort_inline to include preprocessor support. Any preprocessor that normalizes data can be used with snort_inline 1.9.1-2. The Honeynet Project is also currently porting pre-processors that actively alert (or drop) attacks. The snort_inline.conf file has been updated with these new capabilities. You can find src code, binaries, and updated configuration files at

http://www.honeynet.org/papers/honeynet/tools/

Why couldn't we use plugins before? To answer this question, we need to give a basic description of snort_inline.

Basically, the kernel makes a copy of the packet and gives it to snort_inline. snort_inline then takes this copy of the packet; adds a pcap header, and sends it through the snort process. At the end of the process, snort_inline checks the packet routing decision: drop, sdrop, reject or accept (default if drop, sdrop, or reject are not set). When the packet is marked for drop, sdrop, or reject, snort_inline tells the kernel to drop the packet and disregard the copy of the packet it sent us earlier. When the packet is not marked for drop, sdrop, or reject, snort_inline tells (this is what was fixed) the kernel to accept the packet and use the copy of the packet we are not providing instead of the copy the kernel kept. The intent of this action was to allow the use of the "replace" keyword that lets users change the packet payload. For example, I can use the "content" keyword to find cmd.exe and use the "replace" keyword to change it to xxx.exe. This would render attacks using an exploit that used cmd.exe useless.

Now, snort_inline tells the kernel to accept the packet and use the copy the kernel kept unless the payload was modified by the use of the replace keyword. Why is this important? This is important for two reasons:

It increases snort_inline throughput because we are no longer copying a packet from kernel space to user space; making a routing decision; and copying a packet from user space to kernel space. We are only doing this when it is absolutely necessary.
It allows the use of plugins that "normalize" (modify) the payload so the detection engine can better identify attacks in packets sent by "evil" people trying to hide by using things such as unicode to hide their intent.

The way these plugins work in Snort-1.9.1 is that they modify the packet payload ("normalize") so that the rule base has a better shot at identifying an attack. Things such as unicode attacks are decoded by the http_decode preprocessor plugin before the packet is sent to the detection engine. This increases the chance of identifying the attack.

Feel free to drop me a line if you have any problems/questions.

Rob

ALERT: Exploiting Web Applications- A Step-by-Step Attack Analysis Learn why 70% of today's successful hacks involve Web Application attacks such as: SQL Injection, XSS, Cookie Manipulation and Parameter Manipulation.
http://www.spidynamics.com/mktg/webappsecurity71 Received on Tue Apr 1 17:21:52 2003

Do you need help?

This message: [ Message body ]
Next message: Bill McCarty: "Honeynet Scan of the Month for April released"
Previous message: Alan Shimel: "RE: False Positives with IntruVert"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:10 EDT