Ignore Stream v1.2
- a Snort detection-plugin!
Created: 2003-06-23 Last Updated: 2003-07-11
Purpose:
Provide a means to disable signature-based detection for all subsequent packets in a "stream4" stream, based on a rule match on a particular (initial) packet. View the README for more information.
Requirements:
In order for the sp_ignore_stream detection-plugin to work with snort (stream4 in particular), a few changes must be made. Snort must include a new session flag, SSNFLAGS_DETECT_DISABLE, which is to be checked by the spp_stream4.c::ReassembleStream4() function; if the flag is set, that function should call DisableDetect(p) on the current packet before it returns. Also, the code in the inline function NotForStream4() must be split up. In the patch provided, a new function NotForStream4First() is created to house the only exceptions for which the session flag will not be inspected for a given packet. SSNFLAGS_DETECT_DISABLE must be defined within the decode.h file.
Usage:
Once compiled, the IgnoreStream plugin can be activated in a rule by including the tag "ignore;".

    pass tcp $CUSTOMER_NET any -> $HTTP_SERVERS $HTTP_PORTS \
        (msg:"LOCAL-RULE normal data transfer - usually generates false-positives on small signatures"; \
        flow:to_server,established; \
        content:"POST /cgi-bin/imagexfer.asp"; depth: 20; \
        sid: 3000001; rev: 1; ignore;)
In the above rule, we are able to keep a number of small signatures from triggering on a "normal" and "trusted" binary file transfer by:
1) positively identifying the "normal" and "trusted" traffic, and
2) including the "ignore" tag, telling snort to "disable signature detection" on all subsequent packets in the HTTP stream (the transfer).
Important note: Be careful about the rules you write, because you could leave yourself wide open. For example, an attack in a stream containing a packet that matches the example rule above would NOT BE DETECTED BY SNORT if the "ignore" rule's signature match occurred BEFORE the attack. Because this plugin disables signature-based detection for a given stream, there would be no way to counter this behavior with another signature-based rule without additional functionality added to stream4. For example, expiration of the ignore behaviour based on time duration, packet count, or byte count could be useful, but would require additional changes to stream4. (Does anyone have any feedback to offer?) Use this plugin with discretion.
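The session-flag mechanism described under Requirements, plus the byte-count expiry this note suggests as future work, modelled in C as an added example. This is a constructed stand-in, not Snort's stream4 code or the plugin's own source; the struct layouts, the flag's bit value and the helper names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed model, NOT Snort's stream4 code: the flag's bit value and
 * both struct layouts are assumptions made for this example. */
#define SSNFLAGS_DETECT_DISABLE 0x0800
typedef struct { uint32_t flags; uint64_t bytes_since_ignore; } Session;
typedef struct {
    Session *ssn; const char *payload; size_t dsize;
    bool detect_disabled;   /* stands in for DisableDetect(p) having run */
} Packet;

/* The "ignore;" rule option: runs only after the whole rule has matched. */
static void IgnoreStreamMatch(Packet *p) {
    p->ssn->flags |= SSNFLAGS_DETECT_DISABLE;
    p->ssn->bytes_since_ignore = 0;
}

/* The check the patch adds to ReassembleStream4(). max_bytes == 0 keeps the
 * v1.2 behaviour (flag never expires); otherwise it clears after that many bytes. */
static void CheckIgnoreFlag(Packet *p, uint64_t max_bytes) {
    Session *s = p->ssn;
    if (!(s->flags & SSNFLAGS_DETECT_DISABLE)) return;
    s->bytes_since_ignore += p->dsize;
    if (max_bytes && s->bytes_since_ignore > max_bytes) {
        s->flags &= ~SSNFLAGS_DETECT_DISABLE;   /* expired: inspect again */
        return;
    }
    p->detect_disabled = true;                  /* DisableDetect(p) */
}

static bool RuleMatches(const Packet *p) {   /* toy prefix match for the example rule */
    static const char pat[] = "POST /cgi-bin/imagexfer.asp";
    return p->dsize >= sizeof pat - 1 && !memcmp(p->payload, pat, sizeof pat - 1);
}

/* Constructed four-packet stream (packets 3 and 4 are 14 bytes each);
 * returns how many packets still reach signature detection. */
int DemoInspectedCount(uint64_t max_bytes) {
    const char *pl[] = {"GET /index.html", "POST /cgi-bin/imagexfer.asp HTTP/1.0",
                        "binary chunk 1", "binary chunk 2"};
    Session s = {0, 0}; int inspected = 0;
    for (int i = 0; i < 4; i++) {
        Packet p = {&s, pl[i], strlen(pl[i]), false};
        CheckIgnoreFlag(&p, max_bytes);
        if (p.detect_disabled) continue;   /* plugin skipped detection */
        inspected++;
        if (RuleMatches(&p)) IgnoreStreamMatch(&p);
    }
    return inspected;
}
```

With no expiry only the first two packets are inspected; with a 20-byte expiry the flag clears on the fourth packet, so three of the four reach detection.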
Changes:
v1.2 2003-07-11: Fixed stream4 patch. Split the function NotForStream4() into two functions, NotForStream4First() and NotForStream4(), which we will call before and after our code in spp_stream4.c, respectively. This fixed a problem with some packets not being checked.
v1.1 2003-07-02: Rearranged code in stream4 to ensure reassembled streams are checked for SSNFLAGS_DISABLE_DETECT, not just individual packets.
Links:
Download the tar file http://www.metre.net/files/ignorestream.1.2.tgz (md5), containing both the source code and a patch. You can use the patch method (based on snort-2.0.0) or just manually integrate the code using the INSTALL notes.
- The "patch" will modify a couple of snort files, including spp_stream4.c.
Please let me know if you find any problems or standardization issues. Thanks.
Author: John Curry (john dot curry at metre dot net)
This code is distributed under the "GNU Public License".
Special thanks to bmc for the "what-to-do" and to madcow for helping with documentation and testing the patch files.