
Snort may cause connection failure if certain rules are enabled with rule state "Generate


Introduction

This article addresses a problem in which certain Snort rules can cause connection failures even though Snort does not drop any traffic.

Problem

Snort causes connection failures for rules that use the "replace" keyword, even when the rule state is set to "Generate Events".

Solution

The reason is that Snort currently does not check the rule state before enforcing the "replace" action. As a result, even if the rule state is "Generate Events", Snort still modifies the packet, and the modified packet causes the connection to fail.

An enhancement request has been opened to change this behavior:

https://tools.cisco.com/bugsearch/bug/CSCus41655/?reffering_site=dumpcr

One such example is SID 24097, which detects TeamViewer. Customers would want to enable such signatures to monitor the network, not necessarily to drop that traffic.

List of signatures with the replace keyword

(1:12031) CONTENT-REPLACE MSN deny in-bound file transfer attempts
(1:12032) CONTENT-REPLACE MSN deny out-bound file transfer attempts
(1:12033) CONTENT-REPLACE Jabber deny in-bound file transfer attempts
(1:12034) CONTENT-REPLACE Jabber deny out-bound file transfer attempts
(1:12035) CONTENT-REPLACE IRC deny in-bound file transfer attempts
(1:12036) CONTENT-REPLACE IRC deny out-bound file transfer attempts
(1:12037) CONTENT-REPLACE AIM deny in-bound file transfer attempts
(1:12038) CONTENT-REPLACE AIM deny out-bound file transfer attempts
(1:12039) CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts
(1:12040) CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts
(1:12041) CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts
(1:12042) CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts
(1:15415) CONTENT-REPLACE AIM or ICQ deny unencrypted login connection
(1:15416) CONTENT-REPLACE ICQ deny http proxy login
(1:15417) CONTENT-REPLACE AIM deny server certificate for encrypted login
(1:15420) CONTENT-REPLACE MSN deny login
(1:15421) CONTENT-REPLACE AIM or ICQ deny login for unencrypted connection
(1:15429) CONTENT-REPLACE Yahoo Messenger deny outbound login attempt
(1:15438) CONTENT-REPLACE QQ 2009 deny udp login
(1:15439) CONTENT-REPLACE QQ 2009 deny tcp login
(1:15440) CONTENT-REPLACE QQ 2008 deny udp login
(1:15441) CONTENT-REPLACE QQ 2009 deny tcp login
(1:15570) CONTENT-REPLACE Google Talk deny login
(1:18469) CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt
(1:24096) APP-DETECT Teamviewer remote connection attempt
(1:24097) APP-DETECT Teamviewer remote connection attempt
(1:24098) APP-DETECT Teamviewer remote connection attempt

Workaround

If you want to enable the above rules so that they only alert and do not cause traffic failures, the only workaround available right now is to create a local rule by cloning the original rule, remove the "replace" keyword from the clone, and enable this local rule instead of the rule provided by Sourcefire.

Please note: Removing the replace keyword may limit the effectiveness of the rule.
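As an added example that is not part of the original article, the Python below produces such a local clone automatically: it splits the rule's option body while respecting quoted values (a ";" inside a content string is not a separator), drops every "replace" option, moves the SID into the local range (1000000 and above, so it does not collide with the Sourcefire SID) and resets "rev". The rule text embedded in it is constructed for illustration and is not the real Sourcefire rule 24097.

```python
import re

# Added example (not from the original article). The rule below is CONSTRUCTED
# for illustration only: it is not the real Sourcefire rule 24097 (its header,
# content bytes and replace payload are invented), and local SID 1000001 is
# simply a value in the local-rule range.
SAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 5938 '
    '(msg:"APP-DETECT Teamviewer remote connection attempt"; '
    'flow:to_server,established; content:"|17 24 0A 20|"; depth:4; '
    'replace:"|00 00 00 00|"; content:"ab\\"c;d"; '
    'classtype:policy-violation; sid:24097; rev:1;)'
)

# One option is a run of quoted strings (backslash escapes honoured) or of
# characters other than '"' and ';', so ';' inside quotes never splits an option.
OPTION_RE = re.compile(r'(?:"(?:\\.|[^"\\])*"|[^";])+')

def split_options(body):
    """Split a Snort option body on ';' that lie outside double quotes."""
    return [m.strip() for m in OPTION_RE.findall(body) if m.strip()]

def clone_without_replace(rule, local_sid):
    """Return (local_rule, removed_count): the rule with every replace option
    dropped, its SID moved to local_sid and its revision reset to 1."""
    head, sep, rest = rule.partition('(')
    if not sep or not rest.rstrip().endswith(')'):
        raise ValueError('expected a Snort rule with an option body in (...)')
    kept, removed = [], 0
    for opt in split_options(rest.rstrip()[:-1]):
        name = opt.split(':', 1)[0].strip().lower()
        if name == 'replace':          # the keyword that rewrites the packet
            removed += 1
            continue
        if name == 'sid':
            opt = f'sid:{local_sid}'   # local rules must not reuse the vendor SID
        elif name == 'rev':
            opt = 'rev:1'
        kept.append(opt)
    return head + '(' + ' '.join(o + ';' for o in kept) + ')', removed

if __name__ == '__main__':
    local_rule, n = clone_without_replace(SAMPLE_RULE, 1000001)
    print(f'removed {n} replace option(s):\n{local_rule}')
```

The resulting rule alerts on the same content match as the original but no longer modifies the packet, which is exactly the trade-off the note above describes.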