Snort bug related with the "MWM" search algorithm

On October 2003, while I was working on my GCIA practical, David Pérez (also working in his GCIA) and me found a Snort misbehaviour where some alerts could be missed depending on your Snort configuration. On Tuesday, November 4, 2003, the new Snort 2.0.3 version was released trying to solve it. The Snort Change log shows the summary about the bug found: 2003-10-28 Marc Norton * src/sfutil/mwm.c: fixed bug with search-method mwm resulting in retesting removing an active rule on occasion (Thanks to Raul Siles & David Perez for a reproducible test case!)

The goal of this "advisory" is letting everyone know how to apply the Snort proposed workaround so their last Snort version, 2.0.2, could capture all the alerts that are taking place. It is urgent to notify about this fact, because we don't know yet the scope of the problem, but for sure, there are alerts that are being missed.

* TITLE: Snort 2.0.2 misbehaviour: some alerts could be missed !! * DESCRIPTION: This "security advisory" tries to alert about a misbehaviour found in Snort, version 2.0.2 (build 92), that is, the latest stable version available at the Snort homepage. As stated in the Snort man page: "Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture." The problem seems to be in the default detection engine used to process the network traffic against the ruleset. There are some conditions where, if a specific set of rules have been activated through the configuration files, some alerts are not triggered. The misbehaviour can be reproduced with the default Snort configuration. * SOLUTION: As notified by the Snort development team, a new version has been released, 2.0.3, solving this issue. It is recommended to upgrade to the latest Snort version, 2.0.3. If for some reason you cannot updgrade it now, the Snort misbehaviour can be avoided adding the following line into the Snort configuration file, "snort.conf": config detection: search-method ac This directive tells Snort to change its default search algorithm to the "ac" algorithm, using a separate pattern matcher. As stated in the Snort web page, there are two algorithms that can substitute the "mwm" default algorithm, "ac" and "lowmem". *"PROOF OF CONCEPT" (POC) A very simple proof of concept has been placed here. While analyzing some network traffic we have found that a UDP packet, containing a DNS version query, could trigger or NOT the associated alert, id = [1:1616:4], available inside the "dns.rules" files. The problem was observed when analyzing some traffic from the "www.incidents.org/logs/Raw" repository. When the already mentioned DNS version query packet is analyzed by Snort, using the default rule set, its corresponding alert is not triggered neither logged. The default Snort rule set has been debugged to be able to determine the "wrong" rules that discard the packet and make it disappear from the IDS point of view. After some testing we have found a total of 5 Snort rules (1 RPC, 2 DoS, 1 SCAN and 1 DNS) that, when activated, make Snort to discard the mentioned packet, so the expected alert is never logged. To help the Snort development team in reproducing this behaviour, we have created a tar file, "snorttest_nobug.tgz", containing the following files: snorttest/snort.conf.test - simplified snort.conf file used in the tests. snorttest/snort_invocation.sh - command line containing the snort invocation needed to reproduce the problem. snorttest/snort_invocation.out - output obtained from the default command invocation. snorttest/1-rpc.rules - RPC rules affecting the misbehaviour. snorttest/2-dos.rules - DoS rules affecting the misbehaviour. snorttest/1packet - libpcap file containing the UDP packet that triggers the alert. snorttest/1-scan.rules - SCAN rules affecting the misbehaviour. snorttest/the-alert-dns.rules - alert rule that should be triggered with the packet in "1packet" file. snorttest/1-dns.rules - DNS rules affecting the misbehaviour. snorttest/snort_invocation.out.OK - output obtained when the alert is triggered, so the packet is detected. snorttest/snort_invocation.out.BAD - output obtained when the alert is NOT triggered, so the packet is NOT detected. snorttest/snort.conf.no_bug - simplified snort.conf file including the FIX proposed by the Snort development team. snorttest/snort_invocation_nobug.sh - command line containing the snort invocation using the fixed configuration. snorttest/snort_invocation_nobug.out - output obtained from the fixed command invocation. The default configuration included in the tar file shows the wrong behaviour, that is, how Snort doesn't reflect the alert and discards the "evil" packet. To be able to avoid this incorrect behaviour you just need to remove ANY of the 5 rules involved in the config file. If ANY of the "include" lines available in the "snort.conf.test" file is commented out, then the alert is logged and Snort works as expected: # SCAN include ./1-scan.rules # RPC include ./1-rpc.rules # DOS include ./2-dos.rules # DNS include ./1-dns.rules The last "include" line inside the configuration file is used to trigger the alert: # The rule that should be triggered include ./the-alert-dns.rules No preprocessors were activated, in order to simplify the test as much as possible. A new configuration file "snort.conf.no_bug" has been included in the tar file to reproduce the correct behaviour. * PLATFORMS: The misbehaviour has been tested under Red Hat Linux 9.0, 2.4.20-20.9 kernel version, on the Intel (x86) platform. * AGREEMENTS: Chris Green (cmg@sourcefire.com) * AUTHOR(s): Raul Siles (raul@raulsiles.com) David Pérez

Aligned with the Snort development team, we understand it is a must to announce the found misbehaviour to the Internet security community, such as the "intrusions@incidents.org" mailing list (used for the SANS GIAC GCIA practicals) and to the SecurityFocus "Focus-IDS" mailing list (focus-ids@securityfocus.com), as well as other relevant security notification lists. This is the notification made today to the two mentioned lists:

Hi all, **** NEW Snort 2.0.3 version has been released !!!! It is VERY IMPORTANT to upgrade to the new version because your Snort sensors could be missing alerts !!!! If it is not possible for you to upgrade, then change the default search method (mwm) to "ac" or "lowmem": See: "http://www.snort.org/" config detection: search-method lowmem OR config detection: search-method ac The bug afects the default search algorithm, MWM: See: "http://cvs.sourceforge.net/viewcvs.py/snort/snort/ChangeLog?rev=HEAD" 2003-10-28 Marc Norton * src/sfutil/mwm.c: fixed bug with search-method mwm resulting in retesting removing an active rule on occasion (Thanks to Raul Siles & David Perez for a reproducible test case!) The different Snort "config detection: search-method"'s are: - ac: Aho-Corasick based algorithm - mwm: Mu-Wanber based algorithm - lowmem: Save memory, using an less effecient algorithm The implications about all them are summarized in: See: http://marc.theaimsgroup.com/?l=snort-devel&m=103427225029674&w=2 This is an example associated to the binary log files available in "http://www.incidents.org/logs/Raw": $ /opt/snort-2.0.2/src/snort -V -*> Snort! <*- Version 2.0.2 (Build 92) By Martin Roesch (roesch@sourcefire.com, www.snort.org) $ /opt/snort-2.0.3/src/snort -V -*> Snort! <*- Version 2.0.3 (Build 95) By Martin Roesch (roesch@sourcefire.com, www.snort.org) $ /opt/snort-2.0.3/src/snort -c /opt/snort-2.0.3/etc/snort.conf -l . -r 2002.4.23 -k none -A full -qedUX -N Run time for packet processing was 0.195137 seconds $ ll alert -rw------- 1 rsiles rsiles 46984 Nov 6 10:51 alert $ mv alert alert_2.0.3 $ /opt/snort-2.0.2/src/snort -c /opt/snort-2.0.3/etc/snort.conf -l . -r 2002.4.23 -k none -A full -qedUX -N Run time for packet processing was 0.90856 seconds $ ll total 72 -rw------- 1 rsiles rsiles 22510 Nov 6 10:51 alert -rw------- 1 rsiles rsiles 46984 Nov 6 10:51 alert_2.0.3 $ mv alert alert_2.0.2 $ grep -F "[**]" alert_2.0.* | wc -l 186 $ grep -F "[**]" alert_2.0.2 | wc -l 61 $ grep -F "[**]" alert_2.0.3 | wc -l 125 $ As can be seen, using Snort 2.0.2 version "64" alerts are missed compared with Snort version 2.0.3. This time the missed alert is: ---- [**] [1:1616:4] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] 05/23-00:12:58.764488 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x48 210.195.43.76:2090 -> 78.37.49.124:53 UDP TTL:46 TOS:0x0 ID:11129 IpLen:20 DgmLen:58 Len: 30 [Xref => http://www.whitehats.com/info/IDS278][Xref => http://cgi.nessus.org/plugins/dump.php3?id=10028] ---- Regards, Raśl Siles (raul.siles@hp.com)

The only goal of this web page is providing more information about this bug and increasing the security of those computer environments monitored by Snort IDS sensors. We understand that the Snort project philosophy around the free and open-source movement, distributed under the GNU GPL, is aligned with the security full disclosure concept, so in order to increase the security environments monitored by Snort IDS sensors, it would be required to notify the security community about this misbehaviour (Thu Nov 6 11:30:53 CET 2003).