Force10 Networks 100-00055-01 Support for Snorts flow Keyword, Handling Segmentation Evasion

You can inspect Signatures 4, 5, and 6, and verify that they trigger a match and place a packet in Match Memory — thus alerting the host — if three consecutive packets are seen with size between 0 and 100. The third packet references the previous two stored in Temporary Memory. Thus, once the third packet is received, the three segments are presented to the host through the DPI network interface. Notice that the bit pattern used in the two rules avoids collision with the previous rule if the flow hashing also happens to collide.

The meta.rules File

The meta.rules file — located in the pnic-compiler/rulesdirectory — specifies a number of stateful rules to be used with standard Snort rules (which use the Flow keyword). In addition, these rules implement a stateful mechanism to circumvent some common forms of TCP IDS evasion. The meta rules are given in Appendix C, on page 123.

Support for Snort's flow Keyword

The two stateful rules in Table 21 initiate a new flow if a SYN or a SYN-ACKare seen. A Snort flow- established keyword is translated to S:4 and S:2 for client-to-server and server-to-client flows, respectively. These keywords are automatically inserted by the PNIC-Compiler when a flow-established keyword is encountered during compilation. You can also insert the keywords directly into your rules.

Table 21 Flow Established Rules

alert tcp any any -> any any (msg:"Z SYN"; flags:S,12; S:1; R:2; C:3;) alert tcp any any -> any any (msg:"Z SYNACK"; flags:SA; S:1; R:2; C:5;)

Handling Segmentation Evasion

Tools like fragroute or Nessus are used to fragment the packet payload in several TCP segments in order to evade packet-based signature systems. The stateful rules in Table 22 detect the arrival of packets exhibiting an anomalous use of TCP segmentation.