
Quantum Insert detection for Snort

Fox-IT made a proof-of-concept patch for Snort that adds detection of Quantum Insert type attacks to the Stream preprocessor.

The patches are for Snort versions 2.9.6.2 and 2.9.7.2 and are released into the public domain.

Applying the patch

Unpack the Snort source, e.g.:

```
$ tar -zxvf snort-2.9.7.2.tar.gz
```

Apply the patch matching your Snort version, e.g.:

```
$ git apply < stream_quantuminsert-snort-2.9.7.2.patch
```

Compiling & Install

The patches need no extra build steps: run ./configure, make and make install as usual.

Snort Signature

The following stub signature must be included in your Snort config, otherwise the preprocessor will not be able to generate the alert:

```
alert ( msg: "STREAM5_QUANTUM_INSERT"; sid: 21; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
```

Make sure your gen-msg.map is regenerated accordingly as well.

Configuration

The patch adds the following option to the stream5_tcp preprocessor:

```
preprocessor stream5_tcp \
	max_track_old_segs <amount>
```

Here max_track_old_segs is a number between 0 and 2048. Setting it to 0 disables the detection; the default is 10.

Alerts

When a possible Quantum Insert is detected, the following alert fires:

```
03/31-16:37:46.691315  [**] [129:21:1] Possible Quantum Insert [**] [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} x.x.x.x:80 -> x.x.x.x:39976
```

ExtraData in Unified2 logfiles

The unified2 log files can contain ExtraData when the QI alert triggers; it can be dumped with the modified u2spewfoo tool. The ExtraData field contains the payload of the other, conflicting TCP segment, i.e. the one that carried the same sequence number as the packet that raised the alert.

Example output:

```
$ u2spewfoo <snort.alert.u2>

(Event)
	sensor id: 0	event id: 1	event second: 1429576915	event microsecond: 853780
	sig id: 21001615	gen id: 129	revision: 1	 classification: 5
	priority: 1	ip source: 46.43.34.31	ip destination: 10.0.1.4
	src port: 80	dest port: 51358	protocol: 6	impact_flag: 0	blocked: 0

(ExtraDataHdr)
	event type: 4	event length: 117

(ExtraData)
	sensor id: 0	event id: 1	event second: 1429576915
	type: 14	datatype: 1	bloblength: 93	Generic Data:
[    0] 48 54 54 50 2F 31 2E 31 20 33 30 32 20 46 6F 75  HTTP/1.1 302 Fou
[   16] 6E 64 0D 0A 4C 6F 63 61 74 69 6F 6E 3A 20 68 74  nd..Location: ht
[   32] 74 70 3A 2F 2F 77 77 77 2E 37 2D 7A 69 70 2E 6F  tp://www.7-zip.o
[   48] 72 67 2F 61 2F 37 7A 39 33 38 2E 65 78 65 0D 0A  rg/a/7z938.exe..
[   64] 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20  Content-Length: 
[   80] 30 0D 0A 0D 0A                                   0....

Packet
	sensor id: 0	event id: 1	event second: 1429576915
	packet second: 1429576915	packet microsecond: 853780
	linktype: 1	packet_length: 630
[    0] 00 0C 29 8C 8B 4A 00 0C 29 8D 0A 0C 08 00 45 00  ..)..J..).....E.
[   16] 02 68 C8 C0 40 00 33 06 21 82 2E 2B 22 1F 0A 00  .h..@.3.!..+"...
[   32] 01 04 00 50 C8 9E 2E A2 07 38 11 C8 D9 BC 80 18  ...P.....8......
[   48] 00 7A 8E CC 00 00 01 01 08 0A 40 86 CF 87 00 A4  .z........@.....
[   64] E2 77 48 54 54 50 2F 31 2E 31 20 33 30 32 20 46  .wHTTP/1.1 302 F
[   80] 6F 75 6E 64 0D 0A 44 61 74 65 3A 20 54 75 65 2C  ound..Date: Tue,
[   96] 20 32 31 20 41 70 72 20 32 30 31 35 20 30 30 3A   21 Apr 2015 00:
[  112] 34 31 3A 35 35 20 47 4D 54 0D 0A 53 65 72 76 65  41:55 GMT..Serve
[  128] 72 3A 20 41 70 61 63 68 65 0D 0A 4C 6F 63 61 74  r: Apache..Locat
[  144] 69 6F 6E 3A 20 68 74 74 70 3A 2F 2F 74 68 65 2E  ion: http://the.
[  160] 65 61 72 74 68 2E 6C 69 2F 7E 73 67 74 61 74 68  earth.li/~sgtath
[  176] 61 6D 2F 70 75 74 74 79 2F 30 2E 36 34 2F 78 38  am/putty/0.64/x8
[  192] 36 2F 70 75 74 74 79 2E 65 78 65 0D 0A 43 6F 6E  6/putty.exe..Con
[  208] 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 33 30 30  tent-Length: 300
[  224] 0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 20 74 69  ..Keep-Alive: ti
[  240] 6D 65 6F 75 74 3D 31 35 2C 20 6D 61 78 3D 31 30  meout=15, max=10
```

Technical details of the patch

The patch adds the option to keep track of old TCP segments in the StreamTracker object of the Stream preprocessor, which performs the TCP reassembly. We found this to be the most efficient approach, rather than writing a separate preprocessor.
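To illustrate the tracking described above and the max_track_old_segs option from the Configuration section, here is a small Python model of the check (an added example, not code from the Fox-IT patch or from Snort): each direction of a stream remembers its last N content-carrying segments, and a new segment whose bytes disagree with a remembered segment covering the same sequence space raises an alert carrying the older segment, which is what the patch logs as ExtraData. It generalises the patch's equal-sequence-number comparison to any overlap, treats byte-identical overlaps (plain retransmissions) as benign, and ignores 32-bit sequence wrap. The two sample payloads are constructed from the README's u2spewfoo dump, with the sequence number read from that dump's TCP header.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # only content-carrying segments are of interest


def conflicting_bytes(a: Segment, b: Segment) -> bool:
    """True when a and b cover overlapping sequence space with different bytes.
    Identical bytes in the overlap (a retransmission) are not a conflict.
    Assumption: no 32-bit sequence wrap inside the tracked window."""
    start = max(a.seq, b.seq)
    end = min(a.seq + len(a.payload), b.seq + len(b.payload))
    if start >= end:
        return False
    return a.payload[start - a.seq:end - a.seq] != b.payload[start - b.seq:end - b.seq]


class QuantumInsertTracker:
    """One direction of one TCP stream: remembers the last max_track_old_segs
    content-carrying segments and reports an older one that disagrees with a
    newly seen segment (model of the patch's StreamTracker bookkeeping)."""

    def __init__(self, max_track_old_segs: int = 10):
        if not 0 <= max_track_old_segs <= 2048:
            raise ValueError("max_track_old_segs must be between 0 and 2048")
        self.enabled = max_track_old_segs > 0   # 0 disables the check
        self.old: deque = deque(maxlen=max(max_track_old_segs, 1))

    def observe(self, seg: Segment) -> Optional[Segment]:
        """Feed one segment; return the conflicting older segment (the ExtraData
        payload in the patch's alert) or None when nothing is suspicious."""
        if not self.enabled or not seg.payload:
            return None
        hit = next((o for o in self.old if conflicting_bytes(o, seg)), None)
        self.old.append(seg)
        return hit


def scan_stream(segments, max_track_old_segs: int = 10):
    """Run a whole one-direction stream; return (alerting segment, older conflict) pairs."""
    tracker = QuantumInsertTracker(max_track_old_segs)
    return [(s, hit) for s in segments if (hit := tracker.observe(s)) is not None]


# Constructed from the README dump: the ExtraData redirect arrived first, the
# logged packet second, both starting at sequence number 0x2EA20738.
EARLIER = Segment(0x2EA20738, b"HTTP/1.1 302 Found\r\nLocation: http://www.7-zip.org/a/7z938.exe\r\nContent-Length: 0\r\n\r\n")
LATER = Segment(0x2EA20738, b"HTTP/1.1 302 Found\r\nDate: Tue, 21 Apr 2015 00:41:55 GMT\r\nServer: Apache\r\n")
```

Running scan_stream([EARLIER, LATER]) yields one alert pairing LATER with EARLIER, while a byte-identical retransmission or a tracker configured with max_track_old_segs=0 yields none.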

The QI event generated by the Stream preprocessor also tries to log the conflicting TCP segment as ExtraData in the unified2 log files. An extra event type, EVENT_INFO_GENERIC_DATA, had to be added to the Unified2 logging headers, as there was no event type for generic data logging yet.

The QI event can also trigger on out-of-order segments; we have seen this occur occasionally on SSL/TLS connections. If the number of false positives on your network is high, we recommend restricting detection to HTTP traffic only, or to the first content-carrying packet only.

We hope these patches will eventually be incorporated upstream by Cisco/Sourcefire in some form.