The Stream preprocessor is a target-based TCP reassembly module for Snort. It is capable of tracking sessions for both TCP and UDP.
TCP sessions are identified via the classic TCP "connection". UDP sessions are established as the result of a series of UDP packets from two end points via the same set of ports. ICMP messages are tracked for the purposes of checking for unreachable and service unavailable messages, which effectively terminate a TCP or UDP session.
Stream, like Frag3, introduces target-based actions for handling of overlapping data and other TCP anomalies. The methods for handling overlapping data, TCP Timestamps, Data on SYN, FIN and Reset sequence numbers, etc. and the policies supported by Stream are the results of extensive research with many target operating systems.
Stream supports the modified Stream API that is now focused on functions specific to reassembly and protocol aware flushing operations. Session management functions have been moved to the Session API. The remaining API functions enable other protocol normalizers/preprocessors to dynamically configure reassembly behavior as required by the application layer protocol.
TCP protocol anomalies, such as data on SYN packets, data received outside the TCP window, etc., are configured via the detect_anomalies option of the TCP configuration. Some of these anomalies are detected on a per-target basis. For example, a few operating systems allow data in TCP SYN packets, while others do not.
Protocol aware flushing of HTTP, SMB and DCE/RPC is enabled by configuring a maximum PDU size, <max-pdu>, between zero (off) and 63780. This allows Snort to statefully scan a stream and reassemble a complete PDU regardless of segmentation. For example, multiple PDUs within a single TCP segment, as well as one PDU spanning multiple TCP segments, will be reassembled into one PDU per packet for each PDU. PDUs larger than the configured maximum will be split into multiple packets.
Provides a means to configure TCP policy per IP address target. This can have multiple occurrences, one per policy, each bound to an IP address or network. One default policy must be specified, and that policy is not bound to an IP address or network.
Option | Description
---|---
bind_to <ip_addr> | IP address or network for this policy. The default is set to any.
timeout <num seconds> | Session timeout. The default is "30", the minimum is "1", and the maximum is "86400" (approximately 1 day).
policy <policy_id> | The operating system policy for the target OS. The policy_id can be one of the following:
overlap_limit <number> | Limits the number of overlapping packets per session. The default is "0" (unlimited), the minimum is "0", and the maximum is "255".
max_window <number> | Maximum TCP window allowed. The default is "0" (unlimited), the minimum is "0", and the maximum is "1073725440" (65535 left-shifted by 14). That is the highest possible TCP window per the RFCs. This option is intended to prevent a DoS against Stream by an attacker using an abnormally large window, so using a value near the maximum is discouraged.
require_3whs [<number seconds>] | Establish sessions only on completion of a SYN/SYN-ACK/ACK handshake. The default is set to off. The optional number of seconds specifies a startup timeout: a grace period immediately after Snort is started during which existing sessions (seen without a handshake) are still considered established. The default is "0" (don't consider existing sessions established), the minimum is "0", and the maximum is "86400" (approximately 1 day).
detect_anomalies | Detect and alert on TCP protocol anomalies. The default is set to off.
check_session_hijacking | Check for TCP session hijacking. This check validates the hardware (MAC) address from both sides of the connection, as established on the 3-way handshake, against subsequent packets received on the session. If an Ethernet layer is not part of the protocol stack received by Snort, no checks are performed. Alerts are generated (subject to the detect_anomalies option) for either the client or server when the MAC address for one side or the other does not match. The default is set to off.
use_static_footprint_sizes | Use static values for determining when to build a reassembled packet, to allow for repeatable tests. This option should not be used in production environments. The default is set to off.
dont_store_large_packets | Performance improvement: do not queue large packets in the reassembly buffer. The default is set to off. Using this option may result in missed attacks.
dont_reassemble_async | Don't queue packets for reassembly if traffic has not been seen in both directions. The default is set to queue packets.
max_queued_bytes <bytes> | Limit the number of bytes queued for reassembly on a given TCP session to <bytes>. The default is "1048576" (1MB). A value of "0" means unlimited, with a non-zero minimum of "1024" and a maximum of "1073741824" (1GB). A message is written to console/syslog when this limit is enforced.
max_queued_segs <num> | Limit the number of segments queued for reassembly on a given TCP session. The default is "2621", derived from the 1MB default byte limit at an average segment size of 400 bytes. A value of "0" means unlimited, with a non-zero minimum of "2" and a maximum of "1073741824" segments. A message is written to console/syslog when this limit is enforced.
small_segments <number> bytes <number> [ignore_ports <number(s)>] | Configure the maximum number of small segments queued. This feature requires that detect_anomalies be enabled. The first number is the number of consecutive small segments that will trigger the detection rule. The default value is "0" (disabled), with a maximum of "2048". The second number is the size in bytes below which a segment is considered "small". The default value is "0" (disabled), with a maximum of "2048". ignore_ports is optional and defines the list of ports that are ignored for this check. The number of ports can be up to "65535". A message is written to console/syslog when this limit is enforced.
ports <client|server|both> <all|number(s)|!number(s)> | Specify the client, server, or both and the list of ports on which to perform reassembly. This can appear more than once in a given config. The default settings are ports client 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 514 1433 1521 2401 3306. The minimum port allowed is "1" and the maximum allowed is "65535". To disable reassembly for a port, specify the port number preceded by a '!', e.g. !8080 !25
protocol <client|server|both> <all|service name(s)> | Specify the client, server, or both and the list of services on which to perform reassembly. This can appear more than once in a given config. The default settings are protocol client ftp telnet smtp nameserver dns http pop3 sunrpc dcerpc netbios-ssn imap login shell mssql oracle cvs mysql. The service names can be any of those used in the host attribute table (see the section on the host attribute table).
ignore_any_rules | Don't process any -> any (ports) rules for TCP that attempt to match payload if there are no port specific rules for the src or destination port. Rules that have flow or flowbits will never be ignored. This is a performance improvement and may result in missed attacks. Using this does not affect rules that look at protocol headers, only those with content, PCRE, or byte test options. The default is "off". This option can be used only in the default policy.
flush_factor | Useful in inline (IPS) mode to flush upon seeing a drop in segment size after N segments of non-decreasing size. The drop in size often indicates the end of a request or response.
A TCP policy with no bind_to option is the default TCP policy. If only a
bind_to option is used with no other options, that TCP policy uses all of
the default values.
2.2.3.7 Stream UDP Configuration
Configuration for UDP session tracking. Since there is no target-based
binding, there should be only one occurrence of the UDP configuration.
Option | Description
---|---
timeout <num seconds> | Session timeout. The default is "30", the minimum is "1", and the maximum is "86400" (approximately 1 day).
ignore_any_rules | Don't process any -> any (ports) rules for UDP that attempt to match payload if there are no port specific rules for the src or destination port. Rules that have flow or flowbits will never be ignored. This is a performance improvement and may result in missed attacks. Using this does not affect rules that look at protocol headers, only those with content, PCRE, or byte test options. The default is "off".
With the ignore_any_rules option, a UDP rule will be ignored except when
there is another port specific rule that may be applied to the traffic. For
example, if a UDP rule specifies destination port 53, the 'ignored' any
-> any rule will be applied to traffic to/from port 53, but NOT to any
other source or destination port. A list of rule SIDs affected by this option
is printed at Snort's startup.
With the ignore_any_rules option, if a UDP rule that uses any -> any
ports includes either flow or flowbits, the ignore_any_rules option is
effectively pointless. Because of the potential impact of disabling a flowbits
rule, the ignore_any_rules option will be disabled in this case.
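The rule interactions described in the two paragraphs above, written out as an added example that is not part of this manual or of any Snort rule set. The SIDs 1000001 to 1000004, the messages and the content patterns are made up, and the preprocessor line assumes the Snort 2.9 keyword stream5_udp (the stream5_ prefix kept after the preprocessor was renamed Stream). The comments state, rule by rule, what the description above implies Snort does with each one.

```conf
# Added example, not from the Snort manual or any Snort rule set.
# SIDs, messages and content patterns are made up; assumes the Snort 2.9
# keyword stream5_udp. Rules may live in snort.conf next to the preprocessor.
preprocessor stream5_udp: timeout 180, ignore_any_rules

# Rule 1: any -> any with a payload test. With ignore_any_rules this rule is
# skipped on every port except those some other UDP rule names explicitly
# (port 53, because of rule 2). Its SID appears in the startup list of
# ignored rules.
alert udp any any -> any any (msg:"UDP any-any payload rule"; \
    content:"|00 00 00 00|"; sid:1000001; rev:1;)

# Rule 2: port-specific. Its presence makes 53 a "port specific" port, so
# rule 1 is still evaluated on traffic to or from 53, but on no other port.
alert udp any any -> any 53 (msg:"DNS payload rule"; \
    content:"|00 01 00 00 00 00 00 00|"; sid:1000002; rev:1;)

# Rule 3: any -> any but header-only (no content, pcre or byte_test), so it
# is never ignored: ignore_any_rules only concerns payload-matching rules.
alert udp any any -> any any (msg:"UDP one-hop TTL"; ttl:1; \
    sid:1000003; rev:1;)

# Rule 4: any -> any WITH flowbits. Uncommenting it makes Snort disable
# ignore_any_rules for UDP altogether rather than silently skip a flowbits
# rule, which brings rule 1 back on every port as well.
# alert udp any any -> any any (msg:"flowbits any-any"; content:"ping"; \
#     flowbits:set,seen_ping; sid:1000004; rev:1;)
```

Rule 3 is the reason the option is a performance trade-off rather than a blanket switch: only payload-inspecting any -> any rules are skipped, and only on ports no other rule cares about, so the list of SIDs printed at startup is the authoritative record of what detection was given up.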
2.2.3.8 Stream ICMP Configuration
Configuration for ICMP session tracking. Since there is no target-based
binding, there should be only one occurrence of the ICMP configuration.
ICMP is currently untested, in minimal code form and is NOT ready for use in
production networks. It is not turned on by default.
Option | Description
---|---
timeout <num seconds> | Session timeout. The default is "30", the minimum is "1", and the maximum is "86400" (approximately 1 day).
2.2.3.9 Stream IP Configuration
Configuration for IP session tracking. Since there is no target-based
binding, there should be only one occurrence of the IP configuration.
"IP" includes all non-TCP/UDP traffic over IP, including ICMP if ICMP is
not otherwise configured. It is not turned on by default.
Option | Description
---|---
timeout <num seconds> | Session timeout. The default is "30", the minimum is "1", and the maximum is "86400" (approximately 1 day).
2.2.3.10 Example Configurations
This example configuration is the default configuration in snort.conf and
can be used for repeatable tests of stream reassembly in readback mode.
This configuration maps two network segments to different OS policies, one for
Windows and one for Linux, with all other traffic going to the default policy
of Solaris.
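A configuration of the kind the second paragraph describes, written here as an added example; it is not the snort.conf default and not the manual's own listing. Assumed, because this page does not name them: the Snort 2.9 directive keywords stream5_global, stream5_tcp and stream5_udp, the config paf_max directive as the protocol aware flushing option whose <max-pdu> value is discussed above, and the policy ids windows, linux and solaris. The 192.0.2.0/24 and 198.51.100.0/24 ranges are documentation addresses standing in for real segments.

```conf
# Added example, not the snort.conf default or the manual's listing.
# Assumed keywords: stream5_global / stream5_tcp / stream5_udp, config paf_max,
# policy ids windows / linux / solaris. Address ranges are made up.

# Protocol aware flushing: one HTTP/SMB/DCE-RPC PDU per reassembled packet,
# split above 16000 bytes; 0 turns PAF off (maximum is 63780).
config paf_max: 16000

# Global tracking must be on for the per-protocol stanzas below. ICMP
# tracking stays off, as the ICMP section above recommends for production.
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, \
    max_tcp 262144, max_udp 131072

# Windows segment: alert on TCP anomalies and on a MAC change mid-session,
# cap overlapping segments (a common evasion signal) and runs of tiny
# segments, but do not count small segments on SSH.
preprocessor stream5_tcp: bind_to 192.0.2.0/24, policy windows, \
    detect_anomalies, check_session_hijacking, overlap_limit 10, \
    small_segments 3 bytes 150 ignore_ports 22, timeout 180

# Linux segment: only track sessions seen through the 3-way handshake
# (180 s grace period after start-up), cap the accepted window at 1 MiB so a
# forged window cannot make Stream queue unbounded data, and bound the
# reassembly queue per session.
preprocessor stream5_tcp: bind_to 198.51.100.0/24, policy linux, \
    detect_anomalies, require_3whs 180, max_window 1048576, \
    max_queued_bytes 4194304, max_queued_segs 8192, timeout 180

# Default policy: the one stanza without bind_to; ignore_any_rules is only
# accepted here. Reassemble the listed client-side ports, both sides of 443
# and 8080, and the http/smtp services from the host attribute table, but
# never the IRC port on the server side.
preprocessor stream5_tcp: policy solaris, detect_anomalies, \
    ports client 21 23 25 80 110 143 445, \
    ports both 443 8080, \
    ports server !6667, \
    protocol both http smtp, \
    ignore_any_rules

preprocessor stream5_udp: timeout 180, ignore_any_rules
```

Each bound policy overrides only the options it names; everything else, including the session timeout and the ports list, falls back to the defaults in the TCP option table, which is why the default (unbound) stanza carries the ports and protocol lists and the bound stanzas do not repeat them.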