From: William M. <Wil...@kc...> - 2004-05-21 06:19:59
I was going through the past e-mails that I sent to the list regarding stream4 and snort_inline, and I realized that most of them were not very clear regarding the problem. In addition I wanted to get the list's input on some ideas I had for dealing with the problem.

Each time stream4 sees a packet it checks to see if there is a session to which the packet belongs; if it can't find an associated session it calls CreateNewSession. The problem is that since we are dropping packets, if an alert is generated the attacking computer believes that packet never made it to the server and retransmits. When a new session is initiated a counter is started against the value set in PRUNE_QUANTA. This counter times out before the attacking computer is done retransmitting ACK|PUSH packets and prunes the session. After the session is pruned CreateNewSession is called. This is where the problem arises: when the next ACK|PUSH packet is sent from the previous session, if the stream is not established and it is caught by stream4 midstream, fpdetect does not do detection on the packet (snot/stick protection) and the packet makes it through.

Here is my thought: what if we put a check into stream4 that, after determining that it does not have a session for the packet, checks the flags before calling CreateNewSession. If the packet is anything other than SYN we drop it and don't call CreateNewSession. My other thought is that we figure out a way to flag sessions that have generated alerts, and would tell PruneCheck not to prune them. The problem with the second scenario is that I think it would be fairly trivial to defeat; the other thing we will have to worry about is hitting the stream4 memory cap. Right now if stream4 runs out of memory, and it can't prune sessions due to time, it prunes 5 random sessions.

Either way, below is a test patch for spp_stream4.c to check flags. I've been running it for three days and it seems to work fine.
If anybody is brave enough to try it, tweak the memory settings to fit your machine. Eventually there will be a check for InlineMode(); I just thought you guys might want to test it :-)

Regards,
Will

--- snort-2.1.2/src/preprocessors/spp_stream4.c	Tue Jan 27 11:21:23 2004
+++ snort-inline-2.1.2/src/preprocessors/spp_stream4.c	Thu May 20 18:36:19 2004
@@ -81,7 +81,7 @@
 #include "perf.h"
 #include "timersub.h"
 #include "ubi_SplayTree.h"
-
+#include "inline.h"
 #include "snort.h"

 /* D E F I N E S **************************************************/
@@ -123,8 +123,8 @@
 #define FROM_SERVER 0
 #define FROM_CLIENT 1

-#define PRUNE_QUANTA 30 /* seconds to timeout a session */
-#define STREAM4_MEMORY_CAP 8388608 /* 8MB */
+#define PRUNE_QUANTA 30 /* seconds to timeout a session */
+#define STREAM4_MEMORY_CAP 33554432 /* 32MB */
 #define STREAM4_TTL_LIMIT 5 /* default for TTL Limit */
 #define STATS_HUMAN_READABLE 1
@@ -1752,7 +1752,13 @@
 /* see if we have a stream for this packet */
 ssn = GetSession(p);
-
+ if(ssn == NULL && ((p->tcph->th_flags) != TH_SYN))
+ {
+ InlineDrop();
+ DEBUG_WRAP(DebugMessage(DEBUG_STREAM,
+ "Lets drop this its not a synner\n"););
+ return;
+ }
 if(ssn == NULL)
 {
 DEBUG_WRAP(DebugMessage(DEBUG_STREAM,"Calling CreateNewSession()\n"););
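Review bot: the new `#include "inline.h"` in the first hunk is unconditional, while the mail says the InlineMode() check is still to come; until it lands, a build of spp_stream4.c without the inline patches pulls in a header it does not have and an InlineDrop() call it cannot resolve, so the include and the call in the third hunk should sit under the same conditional.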
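Review bot: in the second hunk the `-#define PRUNE_QUANTA 30` / `+#define PRUNE_QUANTA 30` pair changes nothing but whitespace and should be dropped from the patch, and raising STREAM4_MEMORY_CAP from 8388608 (8MB) to 33554432 (32MB) is a hard-coded default that the mail itself tells testers to tweak per machine; it is unrelated to the flag check and belongs in its own patch or a configurable setting.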
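Review bot: in the third hunk `(p->tcph->th_flags) != TH_SYN` is an exact comparison, so a handshake SYN that carries any additional bit (ECN-capable hosts set ECE and CWR on the initial SYN) is dropped along with the midstream packets; `(th_flags & TH_SYN) && !(th_flags & TH_ACK)` expresses "first packet of a handshake" more precisely. The check also covers every session-less non-SYN packet, not just the retransmission case the mail describes: a legitimate connection that idled past PRUNE_QUANTA, or one of the 5 sessions pruned at random under memory pressure, can only continue after a new handshake. That trade-off deserves a line in the description, and the drop should be gated on InlineMode() as the mail already plans.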
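Added example (not code from Will's patch or from snort): a toy C model of the session-table behaviour the mail describes, with a `syn_gate` switch for the proposed flag check. The session struct, `handle_packet`, `replay` and the retransmission times are assumptions made for the illustration; the replay walks through the handshake, the dropped ACK|PUSH and its retransmissions past PRUNE_QUANTA, and returns whether the packet that arrives after the prune is inspected, passed uninspected, or dropped.

```c
/* Toy model of the stream4 behaviour described in the mail (not snort code):
 * any packet without a session creates one, a session is pruned once
 * PRUNE_QUANTA seconds have passed since it was created, and detection is
 * skipped on packets picked up midstream. syn_gate switches on the patch's
 * "no session and not a SYN -> drop" check. All values are constructed. */
#include <stdbool.h>
#include <stddef.h>

#define PRUNE_QUANTA 30
#define TH_SYN  0x02
#define TH_ACK  0x10
#define TH_PUSH 0x08

enum verdict { INSPECTED, PASSED_UNINSPECTED, DROPPED };

struct session { bool active; bool midstream; int created; };

static enum verdict handle_packet(struct session *s, int now, unsigned flags,
                                  bool syn_gate)
{
    /* PruneCheck: the counter started at CreateNewSession has run out */
    if (s->active && now - s->created > PRUNE_QUANTA)
        s->active = false;
    if (!s->active) {
        if (syn_gate && flags != TH_SYN)
            return DROPPED;              /* the patch: refuse to start midstream */
        s->active = true;                /* CreateNewSession */
        s->created = now;
        s->midstream = (flags != TH_SYN);
    }
    /* fpdetect skips packets of a session that was picked up midstream */
    return s->midstream ? PASSED_UNINSPECTED : INSPECTED;
}

/* Replays the scenario from the mail: SYN at t=0, then an ACK|PUSH that
 * alerts, is dropped inline and is retransmitted with doubling backoff.
 * Returns the verdict for the first retransmission after the prune. */
static enum verdict replay(bool syn_gate)
{
    static const int at[] = { 1, 2, 4, 8, 16, 32, 64 };  /* constructed times */
    struct session s = { false, false, 0 };
    enum verdict v = DROPPED;
    handle_packet(&s, 0, TH_SYN, syn_gate);              /* client SYN */
    for (size_t i = 0; i < sizeof at / sizeof at[0]; i++) {
        v = handle_packet(&s, at[i], TH_ACK | TH_PUSH, syn_gate);
        if (at[i] > PRUNE_QUANTA)
            break;                       /* this one lands after the prune */
    }
    return v;
}
```

Without the gate the post-prune retransmission is passed uninspected, which is the bypass the mail describes; with it the packet is dropped and the attacker has to complete a new handshake to get another session.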