[Snort-devel] [ snort-Bugs-813798 ] Possible bug with 2.0.2: decoder masking fragroute traffic

From: SourceForge.net <noreply(at)sourceforge.net>
Date: Sat Sep 27 2003 - 20:12:08 EDT


Bugs item #813798, was opened at 2003-09-27 17:12 Message generated for change (Tracker Item Submitted) made by Item Submitter You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=103357&aid=813798&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Possible bug with 2.0.2: decoder masking fragroute traffic

Initial Comment:
Possible bug with 2.0.2: decoder masking fragroute traffic from stream4 preprocessor

This was originally sent as an email about 2.0.1, then I upgraded and found the same problem with 2.0.2.

Developers,

While working on a book for McGraw-Hill, I have been conducting some testing of snort. When I looked at 1.8.7, it handled default fragroute traffic well by the stream4 preprocessor sounding the alert ": Multiple Acked Packets (possible fragroute)". I may have found a problem with 2.0.2. It seems that there are some changes in the 2.0.2 that make the decoder fire "WARNING: TCP Data Offset is less than 5!" which of course could mean lots of things besides fragroute. It is much less descriptive and will probably be chalked up as a false positive by an analyst. It looks like the decoder is stealing the stream4 preprocessor's thunder here. Details follow:

Here is the problem:

Both snorts 1.8.7 and 2.0.2 have default configs and rules. Using default config for fragroute.

root@ttyp7[knoppix]# ping 10.10.10.33
root@ttyp7[knoppix]# fragroute 10.10.10.33
fragroute: tcp_seg -> ip_frag -> ip_chaff -> order -> print
(starts fragroute, then open another window for ftp session)

ftp 10.10.10.33 (proceed to log-in, move to /etc subdir, get passwd, then log out)

snort 1.8.7

[**] [111:18:1] spp_stream4: Multiple Acked Packets (possible fragroute) [**]
09/23-14:58:05.445121 10.10.10.102:33039 -> 10.10.10.33:21
TCP TTL:64 TOS:0x10 ID:26987 IpLen:20 DgmLen:53
***AP*** Seq: 0x1B4A6A08 Ack: 0x6EE8F32C Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 33629416 62418991

[**] [111:18:1] spp_stream4: Multiple Acked Packets (possible fragroute) [**]
09/23-14:58:05.445214 10.10.10.102:33039 -> 10.10.10.33:21
TCP TTL:64 TOS:0x10 ID:63939 IpLen:20 DgmLen:53
***AP*** Seq: 0x1B4A6A0A Ack: 0x6EE8F32C Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 33629416 62418991

[**] [111:18:1] spp_stream4: Multiple Acked Packets (possible fragroute) [**]
09/23-14:58:05.445094 10.10.10.102:33039 -> 10.10.10.33:21
TCP TTL:64 TOS:0x10 ID:3410 IpLen:20 DgmLen:53
***AP*** Seq: 0x1B4A6A0C Ack: 0x6EE8F32C Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 33629416 62418991

This is good...

snort 2.0.2

[**] [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
09/23-15:02:13.783931 10.10.10.102:0 -> 10.10.10.33:0
TCP TTL:64 TOS:0x10 ID:37117 IpLen:20 DgmLen:52
*2U**R** Seq: 0x3330556E Ack: 0x50537257 Win: 0x374E TcpLen: 16 UrgPtr: 0x7530

[**] [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
09/23-15:02:14.886738 10.10.10.102:0 -> 10.10.10.33:0
TCP TTL:64 TOS:0x10 ID:37119 IpLen:20 DgmLen:52
*2***R*F Seq: 0x6B645039 Ack: 0x2B65597A Win: 0x4B79 TcpLen: 12

[**] [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
09/23-15:02:14.888232 10.10.10.102:0 -> 10.10.10.33:0
TCP TTL:64 TOS:0x10 ID:37120 IpLen:20 DgmLen:52
*2U***S* Seq: 0x4B633332 Ack: 0x56583431 Win: 0x3373 TcpLen: 16 UrgPtr: 0x3757

This is not good... looks like the decoder is stealing the thunder of the stream4 preprocessor... this can easily be chalked up as a false positive by the analyst and there is no mention or inkling that fragroute is being used... So, it appears that fragroute becomes useful again.

Allen
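Added example (not part of the bug report and not Snort's own code) showing the two checks the report contrasts: the decoder-level data-offset test that produces the 2.0.2 warning, and a simplified same-ACK heuristic standing in for stream4's flow-level check. The header values are constructed from the alerts quoted above; the flow heuristic and its threshold are assumptions, not stream4's algorithm.

```python
import struct

MIN_DOFF = 5  # smallest legal TCP data offset: 5 words = 20-byte header

def build_tcp_header(sport, dport, seq, ack, doff, flags, window, options=b""):
    """Pack a raw TCP header; doff is written unchecked so that a malformed
    data offset, as fragroute's chaff produces, can be generated on purpose."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (doff << 12) | (flags & 0x1FF), window, 0, 0) + options

def decode_tcp(raw):
    """Decoder-level check: parse the fixed 20-byte header, derive TcpLen as
    doff * 4 and flag a data offset below 5 (the snort_decoder condition)."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", raw[:20])
    doff = off_flags >> 12
    rec = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
           "win": win, "tcplen": doff * 4, "decoder_alert": None}
    if doff < MIN_DOFF:
        rec["decoder_alert"] = "TCP Data Offset is less than 5!"
    return rec

def multiple_acked(records, threshold=3):
    """Simplified flow-level heuristic (assumed, not stream4's own code): report
    a flow in which `threshold` or more well-formed segments carry distinct
    SEQs but one identical ACK, the pattern the 1.8.7 alerts show for
    fragroute's tcp_seg. Headers the decoder rejected never reach this check,
    which is the masking effect the report describes."""
    seqs_by_flow = {}
    for r in records:
        if r["decoder_alert"]:
            continue
        key = (r["sport"], r["dport"], r["ack"])
        seqs_by_flow.setdefault(key, set()).add(r["seq"])
    return [k for k, seqs in seqs_by_flow.items() if len(seqs) >= threshold]

# Constructed samples modelled on the alerts in the report, not captured data:
# three 1.8.7-style segments (doff 8 = TcpLen 32, NOP NOP TS options) sharing
# one ACK, and one 2.0.2-style header whose data offset is 4 (TcpLen 16).
TS_OPTS = b"\x01\x01\x08\x0a" + struct.pack("!II", 33629416, 62418991)
GOOD = [build_tcp_header(33039, 21, 0x1B4A6A08 + 2 * i, 0x6EE8F32C, 8, 0x18,
                         0x16D0, TS_OPTS) for i in range(3)]
BAD = build_tcp_header(33039, 21, 0x3330556E, 0x50537257, 4, 0x64, 0x374E)

if __name__ == "__main__":
    recs = [decode_tcp(h) for h in GOOD + [BAD]]
    print([(r["tcplen"], r["decoder_alert"]) for r in recs])
    print("multiple-acked flows:", multiple_acked(recs))
```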


Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Mon Sep 29 09:09:39 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:09 EDT
