[Snort-users] Snort 2.7.0.1 Preprocessor Drop Patches

From: Joel Ebrahimi (jebrahimistillsecure.com)
Date: Wed Sep 19 2007 - 13:57:16 CDT


The current testing version of Snort (2.8 branch) has a new mechanism to handle dropping of packets from the preprocessors. For StillSecure's upcoming Strata Guard and Cobia IPS release, we have been testing drop integration in the 2.7 branch of Snort using our own modifications.

At this time we are still testing our method as well as the method in 2.8RC1, but wanted to offer it to the community. We feel there are some positives in the way we have implemented our dropping method, so we wanted to release the code early for possible adoption into the 2.x Snort branch and to give the community a chance to play with dropping in a different way in Snort 2.7.0.1.

The development we have done has all preprocessor drops contained within each respective preprocessor section of code. There are 2 main benefits to this. One is there is a centralized configuration for each preprocessor. The configuration takes place as traditional preprocessor configuration does, with the use of keywords. This also allows the display of your drop parameters at startup, in each of the preprocessor startup sections. The second benefit is that this method allows fine granularity control over each preprocessor. With the current method from Snort 2.8, you add preprocessor rules that act as a global over the entire preprocessor. For example if you have several HTTP Inspect engines and wanted to drop IIS backslash from just one of the engines you could not do this in the current 2.8 method but could with the method we have developed.

We are going to continue to test both the way we have implemented preprocessor drops as well as the method in Snort 2.8. At this point there is not an official Snort release that we will use with Strata Guard and Cobia and we will continue to test both methods to determine what will work best for our products and for the user.

At the bottom of this email is a list of the available preprocessors for dropping with the keyword and meaning. I also sent this information as an attachment.

Included with this email are patches for each of the preprocessors. We also have a prepackaged tarball of all the modifications available at http://download.stillsecure.com/Cobia/src/ . Please send any comments, suggestions, issues or ideas to make it better to jebrahimistillsecure.com

// Joel

StillSecure
Joel Ebrahimi
Senior Software Engineer

http://www.stillsecure.com/

-------------------------------------------------
Frag3
-------------------------------------------------

options                        description
-----------------------------  -----------
drop_ipoptions                 Drop inconsistent IP options
drop_teardrop                  Drop Teardrop attack
drop_short_frag                Drop short fragment, possible DOS
drop_anomaly_oversize          Drop packet after defragmented packet
drop_anomaly_zero              Drop zero byte fragmented packet
drop_anomaly_badsize_sm        Drop negative size fragment
drop_anomaly_badsize_lg        Drop oversized fragment
drop_anomaly_ovlp              Drop fragmentation overlap
drop_ipv6_bsd_icmp_frag        Drop IPV6 BSD mbufs kernel overflow
drop_ipv6_bad_frag_pkt         Drop bogus fragmentation packet

-------------------------------------------------
Stream5
-------------------------------------------------

options                        description
-----------------------------  -----------
drop_syn_on_est                Drop SYN on established packet
drop_data_on_syn               Drop data on SYN packet
drop_data_on_closed            Drop data sent on stream not accepting data
drop_bad_timestamp             Drop TCP timestamp outside of PAWS window
drop_bad_segment               Drop bad segment, overlap adjusted size <= 0
drop_window_too_large          Drop window size (after scaling) larger than policy allows
drop_excessive_tcp_overlaps    Drop when limit on the number of TCP packets reached
drop_data_after_reset          Drop data after Reset packet

-------------------------------------------------
HTTP Inspect
-------------------------------------------------

options                        description
-----------------------------  -----------
drop_ascii                     Drop ASCII encoding
drop_double_decode             Drop double decoding attacks
drop_u_encode                  Drop U encoding
drop_bare_byte                 Drop bare byte unicode encoding
drop_base36                    Drop base36 encoding
drop_utf_8                     Drop utf-8 encoding
drop_iis_unicode               Drop IIS unicode codepoint encoding
drop_multi_slash               Drop multislash encoding
drop_iis_backslash             Drop IIS backslash evasion
drop_self_dir_trav             Drop self directory traversal
drop_apache_ws                 Drop apache whitespace
drop_iis_delimeter             Drop IIS non-rfc delimiter
drop_non_rfc_char              Drop non-rfc character
drop_oversize_dir              Drop oversize request URI directory
drop_large_chunk               Drop oversize chunk encoding
drop_proxy_use                 Drop detected proxy use
drop_webroot_dir               Drop webroot directory traversal

-------------------------------------------------
SMTP
-------------------------------------------------

options                        description
-----------------------------  -----------
drop_obsolete_types            Drop Obsolete DNS RR Types
drop_experimental_types        Drop Experimental DNS RR Types
drop_rdata_overflow            Drop DNS Client rdata txt Overflow

-------------------------------------------------
DNS
-------------------------------------------------

options                        description
-----------------------------  -----------
drop_obsolete_types            Drop Obsolete DNS RR Types
drop_experimental_types        Drop Experimental DNS RR Types
drop_rdata_overflow            Drop DNS Client rdata txt Overflow

-------------------------------------------------
FTP/Telnet
-------------------------------------------------

Telnet Configuration:
options                        description
-----------------------------  -----------
drop_encrypted_traffic         Drop encrypted traffic
drop_ayt_overflow              Drop consecutive TELNET AYT commands beyond set threshold
drop_sb_no_se                  Drop TELNET subnegotiation begin command without subnegotiation end

FTP Global Configuration:
options                        description
-----------------------------  -----------
drop_evasive_telnet_cmd        Drop evasive TELNET CMDs on FTP command channel
drop_encrypted_traffic         Drop encrypted FTP traffic

FTP Client Configuration:
options                        description
-----------------------------  -----------
drop_telnet_cmd                Drop TELNET CMD on FTP Command Channel
drop_long_response_parameters  Drop FTP response messages that are too long
drop_bounce_attempt            Drop FTP bounce attempts

FTP Server Configuration:
options                        description
-----------------------------  -----------
drop_telnet_cmd                Drop TELNET CMD on FTP Command Channel
drop_invalid_cmd               Drop invalid FTP Command
drop_long_cmd_parameters       Drop FTP command parameters that are too long
drop_malformed_parameters      Drop FTP command parameters that are malformed
drop_string_format_parameters  Drop FTP command parameters that contain potential string format

-------------------------------------------------
SSH
-------------------------------------------------

options                        description
-----------------------------  -----------
drop_gobbles                   Drop Gobbles exploit
drop_ssh1crc32                 Drop SSH1 CRC32 exploit
drop_srvoverflow               Drop server version string overflow
drop_protomismatch             Drop protocol mismatch
drop_badmsgdir                 Drop bad message direction
drop_paysize                   Drop payload size incorrect for the given payload
drop_recognition               Drop failure to detect SSH version string
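The per-engine granularity the post describes, as an added snort.conf example that is not part of the original post or the StillSecure patch set: the drop_* keywords are the ones listed above, but the "keyword yes" syntax, the IP addresses and the port lists are assumptions made for illustration.

```conf
# Added example (not from the post or the patches): assumed snort.conf
# fragment for Snort 2.7.0.1 with the StillSecure preprocessor drop
# patches applied. The drop_* keywords are assumed to follow the existing
# "keyword yes" style of http_inspect_server options; drops only take
# effect when Snort is run inline. Addresses and ports are constructed.

# Engine 1: an IIS host. Backslash evasion and self directory traversal
# are dropped here; every other HTTP Inspect event is still alert-only.
preprocessor http_inspect_server: server 10.0.1.10 \
    ports { 80 } \
    flow_depth 300 \
    iis_backslash yes \
    drop_iis_backslash yes \
    drop_self_dir_trav yes

# Engine 2: an Apache host. The same detection keyword is enabled, but no
# drop keyword, so the same backslash evasion only alerts on this engine.
# With the Snort 2.8 preprocessor-rules method a single drop rule for the
# backslash event would apply to both engines at once, which is the
# difference the post is pointing at.
preprocessor http_inspect_server: server 10.0.2.20 \
    ports { 80 8080 } \
    flow_depth 300 \
    iis_backslash yes \
    apache_whitespace yes
```

Because each engine prints its own configuration at startup, checking the startup banner for the drop_* parameters of each engine is the quickest way to confirm the policy split took effect.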
