Tuesday, February 06, 2007

Minor Fix (?) for Snort Decoder

We deployed a sensor where it could observe traffic hitting the external interface of a border router. Every BGP packet trips an "Experimental TCP Options" alert.

Now, I could disable that with a config disable_tcpopt_experimental_alerts directive, but maybe I want to watch for really odd stuff? As far as BGP goes, RFC 2385, which provides for putting an MD5 hash in a TCP option, dates from August 1998, about as old as Snort itself. (http://www.ietf.org/rfc/rfc2385.txt) So is it still appropriate to treat that as experimental and alert on it? As far as I know it's standard for BGP.

I know I can suppress, too. I think it would be better not to work around it.

I changed decode.c as follows:

line 3923 in 2.7 current as of 2007-02-06
From:

    case TCPOPT_MD5SIG:
        experimental_option_found = 1;
        code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_MD5SIG,
                              &p->tcp_options[opt_count], &byte_skip);
        break;

to:

    case TCPOPT_MD5SIG:
        experimental_option_found = 0;
        code = OptLenValidate(option_ptr, end_ptr, len_ptr, TCPOLEN_MD5SIG,
                              &p->tcp_options[opt_count], &byte_skip);
        break;

I tried it out and recompiled; it seems to work. That is, it no longer alerted on TCP option 19 (MD5SIG) and did alert on other things. It's possible I broke the decoder alerts, but I doubt it.

I followed the link provided in decode.c, http://www.iana.org/assignments/tcp-parameters, to see if there was anything else I should disable alerting on. Mostly dodgy stuff, if you ask me. But BGP using MD5 to transmit passwords is not a new thing.
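To make the decoder's job concrete, here is a small TCP option walker written for this post as an added example; it is not Snort's decode.c and does not reuse its names. It does what the OptLenValidate case above does in miniature: each option's length byte is checked against the fixed length the kind requires and against the end of the header, kind 19 (RFC 2385, length 18) is treated as a standard option rather than an experimental one, and anything outside a small standard set is flagged so a sensor could alert on it. The standard set, the result struct and the three sample option strings are my own constructions for illustration; kind 253 is one of the two kinds RFC 4727 reserves for experiments.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Option kinds from the IANA TCP parameters registry; 19 is RFC 2385. */
#define TCPOPT_EOL        0
#define TCPOPT_NOP        1
#define TCPOPT_MAXSEG     2
#define TCPOPT_WSCALE     3
#define TCPOPT_SACKOK     4
#define TCPOPT_SACK       5
#define TCPOPT_TIMESTAMP  8
#define TCPOPT_MD5SIG     19
#define TCPOLEN_MD5SIG    18   /* kind + length + 16-byte MD5 digest */

enum { OPT_OK = 0, OPT_BAD_LEN = -1, OPT_TRUNCATED = -2 };

typedef struct {
    int count;         /* options walked, NOPs included */
    int experimental;  /* 1 if a kind outside the standard set was seen */
    int md5sig;        /* 1 if an RFC 2385 signature option was seen */
    int status;        /* OPT_OK or the first error hit */
} tcpopt_result;

/* A fixed-length option must carry exactly the expected length and fit in
   the header; a variable-length one (expected == 0) just needs a sane
   length that fits. This is the check that stops a bad length byte from
   walking the decoder past the end of the header. */
static int opt_len_validate(const uint8_t *opt, const uint8_t *end, int expected)
{
    if (opt + 2 > end) return OPT_TRUNCATED;          /* no room for a length byte */
    int len = opt[1];
    if (len < 2) return OPT_BAD_LEN;                  /* would never advance */
    if (expected > 0 && len != expected) return OPT_BAD_LEN;
    if (opt + len > end) return OPT_TRUNCATED;
    return OPT_OK;
}

tcpopt_result decode_tcp_options(const uint8_t *opts, size_t optlen)
{
    tcpopt_result r = {0, 0, 0, OPT_OK};
    const uint8_t *p = opts, *end = opts + optlen;

    while (p < end) {
        uint8_t kind = *p;
        int expected = 0;          /* 0 = variable length */
        int code;

        if (kind == TCPOPT_EOL) break;                    /* padding follows */
        if (kind == TCPOPT_NOP) { p++; r.count++; continue; }  /* single byte */

        switch (kind) {
        case TCPOPT_MAXSEG:    expected = 4;  break;
        case TCPOPT_WSCALE:    expected = 3;  break;
        case TCPOPT_SACKOK:    expected = 2;  break;
        case TCPOPT_TIMESTAMP: expected = 10; break;
        case TCPOPT_SACK:      expected = 0;  break;
        case TCPOPT_MD5SIG:
            /* The point of the post: RFC 2385 is standard for BGP, so the
               option is validated like any other and not flagged. */
            expected = TCPOLEN_MD5SIG;
            r.md5sig = 1;
            break;
        default:
            /* Assumption for this example: every other kind is treated as
               unassigned/experimental and worth an alert. */
            r.experimental = 1;
            break;
        }

        code = opt_len_validate(p, end, expected);
        if (code != OPT_OK) { r.status = code; return r; }
        p += p[1];
        r.count++;
    }
    return r;
}

/* Constructed sample, not a capture: MSS 1460, two NOPs, an MD5 signature
   option with a dummy digest, then EOL padding to a 4-byte boundary. */
static const uint8_t bgp_like_opts[28] = {
    0x02, 0x04, 0x05, 0xb4,                            /* MSS = 1460 */
    0x01, 0x01,                                        /* NOP, NOP */
    0x13, 0x12,                                        /* kind 19, length 18 */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,    /* dummy 16-byte digest */
    0x00, 0x00, 0x00, 0x00                             /* EOL + padding */
};

/* Constructed: a signature option whose stated length runs past the header. */
static const uint8_t truncated_opts[12] = {
    0x13, 0x12, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99
};

/* Constructed: kind 253 is reserved for experimental use by RFC 4727. */
static const uint8_t experimental_opts[4] = { 0xfd, 0x04, 0xaa, 0xbb };

int main(void)
{
    tcpopt_result r = decode_tcp_options(bgp_like_opts, sizeof bgp_like_opts);
    printf("bgp-like: count=%d md5sig=%d experimental=%d status=%d\n",
           r.count, r.md5sig, r.experimental, r.status);
    r = decode_tcp_options(truncated_opts, sizeof truncated_opts);
    printf("truncated: status=%d\n", r.status);
    r = decode_tcp_options(experimental_opts, sizeof experimental_opts);
    printf("kind 253: experimental=%d status=%d\n", r.experimental, r.status);
    return 0;
}
```

The first sample walks four options and sets md5sig without raising the experimental flag, which is the behaviour the one-line change above produces; the truncated sample is stopped by the length check rather than read past the header, and the kind-253 sample is the one a sensor still wants to hear about.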

I'll update here if the Snort developers pimp slap me for breaking the decoder.
