Re: [Snort-users] Snort DoS Fallacies

From: Martin Roesch (roesch_at_sourcefire.com)
Date: 09/13/05

  • Next message: 3APA3A: "Mozilla / Mozilla Firefox authentication weakness" 
    Date: Tue, 13 Sep 2005 17:36:46 -0400
To: "Ferguson, Justin (IARC)" <FergusonJ@nv.doe.gov>

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Ok, let's see if we can kill the "analysis" and random speculation
    dead with this thread.

    Comments inline:

    On Sep 13, 2005, at 10:47 AM, Ferguson, Justin (IARC) wrote:

    > First, if we are using the option -A fast:
    >
    > snort/src/output-plugins/spo_alert_fast.c
    > 134 AlertFast()
    > [...]
    > 146 if(msg != NULL)
    > 147 {
    > [...]
    > 208 if(p && data->packet_flag)
    > 209 {
    > 210 fputc('\n', data->file);
    > 211
    > 212 if(p->iph)
    > 213 PrintIPPkt(data->file, p->iph->ip_proto, p);

    That's not right. This will only happen if you give Snort a config
    directive in the snort.conf file with a specific argument. You
    didn't bother to check where the data->packet_flag is set, when you
    specify fast as a command line option the alerting plugin is
    automatically loaded with a NULL argument string. Here's the config
    line you need to make it happen:

    output alert_fast: packet

    I've never seen anyone configure their system like that, although I'm
    sure someone must have or else the code wouldn't be there (it
    basically recreates "Full" mode and loses purpose of "Fast" mode).
    Regardless, it's not the default and not accessible from the command
    line.
    > Second, if we are logging in ASCII mode (a lot of people):
    If "a lot of people" are logging in ASCII mode then nobody is reading
    the docs, the books, the mailing list archives or thinking about how
    ASCII mode logging works with real file systems. If you do this
    there's another DoS waiting for you in your future, the one where the
    ASCII logging system exhausts your filesystem's inodes. If you read
    the mailing list archives from the last several years you'll see it
    come up from time to time, I think there's even a FAQ entry for it,
    not to mention info in the various config guides on not DoS'ing
    yourself. For the record, NO PRODUCTION SNORT DEPLOYMENT SHOULD EVER
    (EVER!!!) RUN WITH ASCII LOGGING!!! Everyone should be using
    unified, database or binary (pcap) logging for production sensors,
    period end of story. ASCII logging is suitable only for testing and
    lab environments, that's it.
    > Also, in the frag3 preprocessor, also I'm not sure what the point
    > of defining DEBUG_FRAG3 at compile time would be (at least in this
    > code segment), as the execution flow is exactly the same:
    > It can also be called in the stream4 preprocessor, if a few
    > debugging conditions are met:

    That's debug code there, we (developers) only enable that when we're
    testing stuff out. If you turn on all Snort's debug code you aren't
    running an IDS anymore, you're running chargen. :) It's in there for
    when developers need to "lift the hood" on Snort to figure out what's
    happening behind the scenes. No production sensor should ever be
    deployed with debug code enabled (unless you're debugging code, but
    then that's no longer a production sensor, QED).
    > Additionally, as the second part of the misrepresentation of data,
    > there is several bugs in PrintTCPOptions(), which is apparent by
    > the changes they made-- these include nearly all of the TCP
    > options, not just SACK. These include the following options:
    >
    > TCPOPT_MAXSEG, TCPOPT_WSCALE, TCPOPT_ECHO, TCPOPT_ECHOREPLY,
    > TCPOPT_TIMESTAMP, TCPOPT_CC, TCPOPT_CCNEW, TCPOPT_CCECHO, and _any_
    > unrecognized or invalid option.

    Actually, if you had done the research you would have seen that this
    DoS condition doesn't work for:
    TCPOPT_MAXSEG
    TCPOPT_WSCALE
    TCPOPT_ECHO
    TCPOPT_ECHOREPLY
    TCPOPT_TIMESTAMP
    TCPOPT_CC
    TCPOPT_CCNEW
    TCPOPT_CCECHO
    or _any_ unrecognized or invalid option.

    While we were cleaning up the code for the SACK problem we thought
    we'd make sure that there could never be another NULL ptr dereference
    in that code. Whether or not these are "bugs" (as you term them) is
    open to interpretation because they don't look like you can exercise
    them, but they certainly weren't as solid as they could have been so
    we cleaned them up.
    > However, the snort team did say one thing correctly, and that these
    > all are NULL pointer dereferences, and therefore only a DoS and not
    > exploitable to run arbitrary code.
    Wow, we did almost as well as you!!

    BTW, you missed that we also call PrintTCPHeader in spo_alert_full.c,
    which is actually done in the default config case, so this is
    something you might want to worry about if you're using full alerting
    for whatever reason. For the record, the recommended alerting modes
    for a production sensor are unified, syslog or database.

    I *strongly* recommend that people use unified logging/alerting for
    the foreseeable future, this is The Right Way (and the high
    performance way) to run a Snort sensor.

    So, to summarize, there's an additional problem if you're using ASCII
    mode logging, but if you've been running Snort for any time you
    should know never to do that on a production sensor. There is an
    actual real live issue if you run with Full-mode alerting, but you
    should typically be using a more robust alerting mode for production
    sensors anyway. If you're the one person on the planet that's
    running Fast-mode alerting with the 'packet' config option turned on,
    you should probably just switch to Full and get it over with since
    they're effectively the same thing. There are no additional TCP
    Options processing that have this issue at this time that I'm aware
    of, if anyone knows otherwise please feel free to submit a report to
    me or snort-team@sourcefire.com.

          -Marty

    - --
    Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
    Sourcefire - Discover. Determine. Defend.
    roesch@sourcefire.com - http://www.sourcefire.com
    Snort: Open Source Network IDS - http://www.snort.org

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (Darwin)

    iD8DBQFDJ0Zyqj0FAQQ3KOARAoNBAJ9DtbuaxaizhcID7ohzqUBYRifI1ACeKNig
    IwQdRGFcyy5+iYw27fyigHI=
    =a1/3
    -----END PGP SIGNATURE-----

  • Next message: 3APA3A: "Mozilla / Mozilla Firefox authentication weakness"

    Relevant Pages

    • Re: CheckPoint FireWall on Sun Netra X1 and/or T1 units
      ... >prefer the ipf based ones for clearer syntax, clearer logging, better ... As for "parsable logging": it could be better. ... It doesnt log in full ascii, ... eg: a real corporate-level firewall. ...
      (comp.security.firewalls)
    • Re: Phantom /var full messages
      ... if you could isolate it to just snort or just MySQL. ... without restarting the program that's logging to them. ... compresses the current log file into a new file, ...
      (freebsd-questions)
    • Re: Phantom /var full messages
      ... if you could isolate it to just snort or just MySQL. ... > without restarting the program that's logging to them. ... > compresses the current log file into a new file, ... I am using newsyslog.conf which *should* HUP processes when ...
      (freebsd-questions)
    • Re: x86/mce merge, integration hickup + crash, design thoughts
      ... If there's ASCII logging it should be separate from normal printk. ... Mostly because the problem is not a kernel issue. ...
      (Linux-Kernel)
    • Re: x86/mce merge, integration hickup + crash, design thoughts
      ... If there's ASCII logging it should be separate from normal printk. ... Mostly because the problem is not a kernel issue. ...
      (Linux-Kernel)
    • Quantcast