[Snort-devel] incorrect TCP RST handling.

From: Shai Rubin <shai(at)cs.wisc.edu>
Date: Fri Aug 29 2003 - 16:39:44 EDT

I believe that SNORT has a bug in how it handles RST TCP packets.

The attached tcpdump illustrates how a RST packet can cause SNORT to flush a stream and to miss an attack (finger-root in this case, reassembly was activated on port 79 for this case).

When a RST packet is a (fast) retransmission of a data packet that was not acked yet, SNORT flushes the stream without waiting to see whether the RST was accepted by the host.
The tcpdump attached is an example of such a case. The first RST packet in the dump causes SNORT to flush the stream (and to miss the attack).

Note that most hosts will NOT accept the RST packet (see Paxson paper IEEE-security 2003).

I also believe that the fix is simple, as shown below.

/tmp>diff spp_stream4.c snort-2.0.1/src/preprocessors/spp_stream4.c 3197,3199c3197

<     static StreamPacketData spd;
<     spd.seq_num = pkt_seq;
<
---

>
3226,3231d3223 < // Do not return 1 so fast. This RST might be a retransmission of data < // that was not acked yet. < // If it is, most hosts will reject the RST. Future work should explore < // this further. < if (ubi_sptFind(&s->data,(ubi_btItemPtr)(&spd))) < return 0;
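Review bot: in the 3197,3199c3197 hunk `static StreamPacketData spd;` gives the lookup key static storage for no reason the diff shows; only `spd.seq_num = pkt_seq;` is assigned per call, the remaining fields are never written and stay zero, and the lookup is right only because the tree keys on seq_num alone. A plain automatic `StreamPacketData spd;` followed by `memset(&spd, 0, sizeof(spd));` next to the find would state that intent and avoid carrying state across calls. Note also that the diff was produced with the edited copy as the first argument (`/tmp>diff spp_stream4.c snort-2.0.1/...`), so the `<` lines are the additions and the patch only applies to the release tree with `patch -R` or with the arguments swapped.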

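Review bot: in the 3226,3231d3223 hunk the new check `if (ubi_sptFind(&s->data,(ubi_btItemPtr)(&spd))) return 0;` returns before the existing RST handling whenever a stored segment carries the RST's sequence number, so such a RST is discarded rather than deferred: nothing in the stream records that a RST arrived, and if the receiver did accept it the stream stays open until something else tears it down. Consider remembering the pending RST in the stream and completing the flush on the next packet that shows it took effect, and replace the "Future work should explore this further" comment with a statement of what the exact-seq match is modelling, since ubi_sptFind keyed on seq_num only catches a RST whose seq equals a stored segment's start, not one falling inside an unacknowledged segment.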

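The scenario the message describes, as an added model that is not Snort's stream4 code: a stream keeps the data segments the peer has not yet acknowledged, ACKs retire them, and a RST is only allowed to flush the stream when its sequence number does not match a stored unacknowledged segment (the exact-seq lookup the patch performs). The `Stream` and `Segment` types and the three functions are assumptions made for this illustration.

```c
#include <stdint.h>

/* Added model, not Snort's own code: a stream remembers the data
 * segments the peer has not yet acknowledged, and a RST whose sequence
 * number matches one of them is treated as a likely-rejected
 * retransmission, so the stream is kept instead of flushed. */

#define MAX_SEGS 16

typedef struct { uint32_t seq, len; } Segment;

typedef struct {
    Segment unacked[MAX_SEGS];
    int n_unacked;
    int flushed;   /* set once the stream has been torn down */
} Stream;

/* Record a data segment as sent but not yet acknowledged. */
int stream_data(Stream *s, uint32_t seq, uint32_t len)
{
    if (s->flushed || s->n_unacked >= MAX_SEGS)
        return 0;
    s->unacked[s->n_unacked].seq = seq;
    s->unacked[s->n_unacked].len = len;
    s->n_unacked++;
    return 1;
}

/* Drop every segment that the acknowledgement number fully covers. */
void stream_ack(Stream *s, uint32_t ack)
{
    int i, kept = 0;
    for (i = 0; i < s->n_unacked; i++)
        if ((int32_t)(ack - (s->unacked[i].seq + s->unacked[i].len)) < 0)
            s->unacked[kept++] = s->unacked[i];
    s->n_unacked = kept;
}

/* Return 1 if the RST flushes the stream, 0 if it is held back because
 * its sequence number matches a still-unacknowledged segment. */
int stream_rst(Stream *s, uint32_t rst_seq)
{
    int i;
    for (i = 0; i < s->n_unacked; i++)
        if (s->unacked[i].seq == rst_seq)
            return 0;   /* probable retransmission: keep reassembling */
    s->flushed = 1;
    return 1;
}
```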
Received on Tue Sep 2 08:52:38 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:09 EDT
