Subject: Re: Fooling NIDS
From: Martin Roesch (roesch at MD.PRESTIGE.NET)
Date: Tue Dec 05 2000 - 21:06:39 CST
- Next message: Chowalit Tinnagonsubout: "Re: statistical analysis ? neural networks ?"
- Previous message: Robert Graham: "Re: network based IDS"
- In reply to: Crist Clark: "Re: Fooling NIDS"
- Next in thread: Robert Graham: "sidestep (was RE: Fooling NIDS)"
- Next in thread: Jon Gary: "Re: Fooling NIDS"
- Reply: Martin Roesch: "Re: Fooling NIDS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Crist Clark wrote:
>
> Martin Roesch wrote:
>
> [snip]
>
> > Anyway, this is an interesting case. Without seeing a core dump it looks like
> > you've got straight TCP traffic here crashing Snort.
>
> There was a core dump in the first mail I sent. ;)
Yeah, I just didn't have it pulled up. :) These problems are actually pretty
easy to diagnose most of the time if you know Snort code pretty well (and I'm
rather familiar with it). Almost any time you see a crash in the detection
code of a plugin it's because some pointer that it was expecting to be good was
nulled out.
> > Judging by the line you
> > say its crashing on, probably one of the packet pointers is nulled out and
> > it's failing on the dereference. If this is just plain Snort 1.6.3, you
> > should probably try out version 1.6.3-patch2 which is available on the
> > downloads page of www.snort.org or (more easily)
> > http://snort.sourceforge.net.
> >
> > If you want to patch your existing code, you can add this check right before
> > the if statement you cite in sp_tcp_seq_check.c:
> >
> > if((p == NULL) || (p->tcph == NULL))
> > {
> > return 0;
> > }
> >
> > Version 1.6.3 had a problem where you could get packets with NULL pointers
> > into the detection engine where they would potentially be dereferenced by any
> > of the plugins, which generally expect the packet pointers to be good when
> > they run.
> >
> > Thanks for the bug report, sorry for the delay in responding!
>
> Yep. That code should catch it. I loaded up that core file in the debugger,
>
> open# gdb /usr/local/bin/snort
> GNU gdb 4.16.1
> Copyright 1996 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-unknown-openbsd2.7"...
> (gdb) core snort1.core
> Core was generated by `snort'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /usr/libexec/ld.so...done.
> Reading symbols from /usr/lib/libpcap.so.1.1...done.
> Reading symbols from /usr/lib/libc.so.25.0...done.
> #0 0xe957 in CheckTcpSeqEq (p=0xdfbfd3ec, otn=0x92000, fp_list=0x89cc0)
> at sp_tcp_seq_check.c:138
> 138 if (((TcpSeqCheckData *)otn->ds_list[PLUGIN_TCP_ACK_CHECK])->tcp_seq == ntohl(p->tcph->th_seq))
> (gdb) p p
> $1 = (Packet *) 0xdfbfd3ec
> (gdb) p p->tcph
> $2 = (TCPHdr *) 0x0
> (gdb)
>
> There's the NULL pointer.
It must have bailed out of the decode phase because there was some problem
with the tcp header. There are very few rules that use the tcp sequence
checker plugin, so it doesn't see much trial by fire.
> I'll update my Snort and fire the full IDSwakeup against it while running
> on the arachNIDS ruleset[0], but this should get this issue.
Yep.
> [0] I'll try to do it tonight, but you know, the last segment of the Dune
> series is on Sci-Fi. Like I don't know how it ends[1]. ;) However, missing
> it is grounds for getting stripped of a number of geek certifications and
> would make it difficult to follow all of the bashing on USENET and the web.
>
> [1] But if it rains at the end like in a certain other filmed version, there
> will be hell to pay.
Definitely. We'll see if Feyd (sp?) can come off as sexy as Sting in the Big
Fight too... :)
-Marty
--
Martin Roesch <roesch at md.prestige.net> http://www.snort.org
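The failure mode discussed in this thread (a decoder that bails out and leaves the packet's TCP header pointer NULL, followed by a detection option that dereferences it) is reproduced below as an added example. This is not Snort's code: Packet, TCPHdr, TcpSeqCheckData, decode_packet and the check functions are simplified stand-ins for the 1.6.3 structures and sp_tcp_seq_check.c, the toy "IP" layer is a single protocol byte, and the three sample packets are constructed for the demo. It puts the unchecked check beside the guarded one from the patch above, and shows that a truncated TCP segment and a UDP datagram both reach the detection stage with tcph == NULL.

```c
/* Added example, not Snort's own code: model of the NULL p->tcph crash.
 * Names and layouts are simplified stand-ins for the Snort 1.6.3 types;
 * the sample buffers are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>          /* ntohl */

#define IP_PROTO_TCP 6
#define IP_PROTO_UDP 17

typedef struct {                /* 20-byte TCP header, fields in network order */
    uint16_t th_sport, th_dport;
    uint32_t th_seq, th_ack;
    uint8_t  th_off_x2, th_flags;
    uint16_t th_win, th_sum, th_urp;
} TCPHdr;

typedef struct {
    const uint8_t *pkt;         /* raw bytes from the capture layer */
    size_t         len;
    uint8_t        proto;       /* transport protocol from the toy "IP" layer */
    TCPHdr         tcp_storage; /* decoded copy; memcpy avoids unaligned reads */
    TCPHdr        *tcph;        /* NULL unless a full TCP header was decoded */
} Packet;

typedef struct { uint32_t tcp_seq; } TcpSeqCheckData;   /* rule option data */

/* Toy decoder: buf[0] is the protocol, the rest is the transport header.
 * Like the real decoder, it bails out and leaves tcph NULL for non-TCP
 * or truncated packets; the packet still flows on to detection. */
static void decode_packet(Packet *p, const uint8_t *buf, size_t len)
{
    memset(p, 0, sizeof *p);
    p->pkt = buf;
    p->len = len;
    if (len < 1)
        return;                                 /* nothing to decode */
    p->proto = buf[0];
    if (p->proto != IP_PROTO_TCP)
        return;                                 /* UDP/ICMP/...: tcph stays NULL */
    if (len - 1 < sizeof(TCPHdr))
        return;                                 /* truncated TCP: tcph stays NULL */
    memcpy(&p->tcp_storage, buf + 1, sizeof(TCPHdr));
    p->tcph = &p->tcp_storage;
}

/* Shape of the original check: trusts p->tcph. On a packet whose tcph is
 * NULL this is the SIGSEGV seen in the core dump above. */
static int check_tcp_seq_unchecked(const Packet *p, const TcpSeqCheckData *d)
{
    return d->tcp_seq == ntohl(p->tcph->th_seq);
}

/* Hardened check: the guard from the patch, before the dereference.
 * A packet with no TCP header cannot match a TCP sequence rule. */
static int check_tcp_seq_checked(const Packet *p, const TcpSeqCheckData *d)
{
    if (p == NULL || p->tcph == NULL)
        return 0;
    return d->tcp_seq == ntohl(p->tcph->th_seq);
}

/* Constructed sample packets: protocol byte, then transport header bytes. */
static const uint8_t SAMPLE_TCP[] = {
    IP_PROTO_TCP,
    0x04, 0xd2, 0x00, 0x50,                 /* sport 1234, dport 80 */
    0x11, 0x22, 0x33, 0x44,                 /* seq 0x11223344 */
    0x00, 0x00, 0x00, 0x00,                 /* ack */
    0x50, 0x02,                             /* data offset 5, SYN */
    0xff, 0xff, 0x00, 0x00, 0x00, 0x00      /* win, sum, urp */
};
static const uint8_t SAMPLE_TRUNC[] = { IP_PROTO_TCP, 0x04, 0xd2, 0x00, 0x50, 0x11 };
static const uint8_t SAMPLE_UDP[]   = { IP_PROTO_UDP, 0x04, 0xd2, 0x00, 0x35,
                                        0x00, 0x08, 0x00, 0x00 };

/* 1 if decoding produced a TCP header, else 0 (where the unchecked
 * plugin would dereference NULL). */
int decoded_has_tcph(const uint8_t *buf, size_t len)
{
    Packet p;
    decode_packet(&p, buf, len);
    return p.tcph != NULL;
}

/* Hardened check over a raw buffer: 1 on match, 0 on mismatch or no TCP header. */
int seq_matches(const uint8_t *buf, size_t len, uint32_t want_seq)
{
    Packet p;
    TcpSeqCheckData d = { want_seq };
    decode_packet(&p, buf, len);
    return check_tcp_seq_checked(&p, &d);
}

int main(void)
{
    struct { const char *name; const uint8_t *buf; size_t len; } cases[] = {
        { "full TCP SYN",  SAMPLE_TCP,   sizeof SAMPLE_TCP },
        { "truncated TCP", SAMPLE_TRUNC, sizeof SAMPLE_TRUNC },
        { "UDP",           SAMPLE_UDP,   sizeof SAMPLE_UDP },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int has = decoded_has_tcph(cases[i].buf, cases[i].len);
        printf("%-14s tcph=%s unchecked would %s checked match=%d\n",
               cases[i].name, has ? "set " : "NULL", has ? "run  " : "crash",
               seq_matches(cases[i].buf, cases[i].len, 0x11223344u));
    }
    /* The unchecked version is only safe on the packet that has a header. */
    Packet p;
    TcpSeqCheckData d = { 0x11223344u };
    decode_packet(&p, SAMPLE_TCP, sizeof SAMPLE_TCP);
    printf("unchecked on full TCP: %d\n", check_tcp_seq_unchecked(&p, &d));
    return 0;
}
```

The point the thread makes, and the example keeps: the decoder bailing out is not itself a bug, but every rule option that runs afterwards has to treat p->tcph (and the other header pointers) as possibly NULL, because the packet still reaches the detection engine.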