Re: [Snort-users] Snort DoS Fallacies Sep 13 2005 09:36PM
Martin Roesch (roesch sourcefire com)
Hash: SHA1

Ok, let's see if we can kill the "analysis" and random speculation
dead with this thread.

Comments inline:

On Sep 13, 2005, at 10:47 AM, Ferguson, Justin (IARC) wrote:

> First, if we are using the option -A fast:
> snort/src/output-plugins/spo_alert_fast.c
> 134 AlertFast()
> [...]
> 146 if(msg != NULL)
> 147 {
> [...]
> 208 if(p && data->packet_flag)
> 209 {
> 210 fputc('\n', data->file);
> 211
> 212 if(p->iph)
> 213 PrintIPPkt(data->file, p->iph->ip_proto, p);

That's not right. This will only happen if you give Snort a config
directive in the snort.conf file with a specific argument. You
didn't bother to check where the data->packet_flag is set, when you
specify fast as a command line option the alerting plugin is
automatically loaded with a NULL argument string. Here's the config
line you need to make it happen:

output alert_fast: packet

I've never seen anyone configure their system like that, although I'm
sure someone must have or else the code wouldn't be there (it
basically recreates "Full" mode and loses purpose of "Fast" mode).
Regardless, it's not the default and not accessible from the command
> Second, if we are logging in ASCII mode (a lot of people):
If "a lot of people" are logging in ASCII mode then nobody is reading
the docs, the books, the mailing list archives or thinking about how
ASCII mode logging works with real file systems. If you do this
there's another DoS waiting for you in your future, the one where the
ASCII logging system exhausts your filesystem's inodes. If you read
the mailing list archives from the last several years you'll see it
come up from time to time, I think there's even a FAQ entry for it,
not to mention info in the various config guides on not DoS'ing
(EVER!!!) RUN WITH ASCII LOGGING!!! Everyone should be using
unified, database or binary (pcap) logging for production sensors,
period end of story. ASCII logging is suitable only for testing and
lab environments, that's it.
> Also, in the frag3 preprocessor, also I'm not sure what the point
> of defining DEBUG_FRAG3 at compile time would be (at least in this
> code segment), as the execution flow is exactly the same:
> It can also be called in the stream4 preprocessor, if a few
> debugging conditions are met:

That's debug code there, we (developers) only enable that when we're
testing stuff out. If you turn on all Snort's debug code you aren't
running an IDS anymore, you're running chargen. :) It's in there for
when developers need to "lift the hood" on Snort to figure out what's
happening behind the scenes. No production sensor should ever be
deployed with debug code enabled (unless you're debugging code, but
then that's no longer a production sensor, QED).
> Additionally, as the second part of the misrepresentation of data,
> there is several bugs in PrintTCPOptions(), which is apparent by
> the changes they made-- these include nearly all of the TCP
> options, not just SACK. These include the following options:
> unrecognized or invalid option.

Actually, if you had done the research you would have seen that this
DoS condition doesn't work for:
or _any_ unrecognized or invalid option.

While we were cleaning up the code for the SACK problem we thought
we'd make sure that there could never be another NULL ptr dereference
in that code. Whether or not these are "bugs" (as you term them) is
open to interpretation because they don't look like you can exercise
them, but they certainly weren't as solid as they could have been so
we cleaned them up.
> However, the snort team did say one thing correctly, and that these
> all are NULL pointer dereferences, and therefore only a DoS and not
> exploitable to run arbitrary code.
Wow, we did almost as well as you!!

BTW, you missed that we also call PrintTCPHeader in spo_alert_full.c,
which is actually done in the default config case, so this is
something you might want to worry about if you're using full alerting
for whatever reason. For the record, the recommended alerting modes
for a production sensor are unified, syslog or database.

I *strongly* recommend that people use unified logging/alerting for
the foreseeable future, this is The Right Way (and the high
performance way) to run a Snort sensor.

So, to summarize, there's an additional problem if you're using ASCII
mode logging, but if you've been running Snort for any time you
should know never to do that on a production sensor. There is an
actual real live issue if you run with Full-mode alerting, but you
should typically be using a more robust alerting mode for production
sensors anyway. If you're the one person on the planet that's
running Fast-mode alerting with the 'packet' config option turned on,
you should probably just switch to Full and get it over with since
they're effectively the same thing. There are no additional TCP
Options processing that have this issue at this time that I'm aware
of, if anyone knows otherwise please feel free to submit a report to
me or snort-team (at) sourcefire (dot) com. [email concealed]


- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch (at) sourcefire (dot) com [email concealed] - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

Version: GnuPG v1.4.1 (Darwin)


[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus