-
Notifications
You must be signed in to change notification settings - Fork 43
/
Copy pathREADME.normalize
216 lines (141 loc) · 6.48 KB
/
README.normalize
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
When operating Snort in inline mode, it is helpful to normalize packets to help
minimize the chances of evasion.
To enable the normalizer, use the following when configuring Snort:
./configure --enable-normalizer
The normalize preprocessor is activated via the conf as outlined below. There
are also many new preprocessor and decoder rules to alert on or drop packets
with "abnormal" encodings.
Note that in the following, fields are cleared only if they are non-zero.
Also, normalizations will only be enabled if the selected DAQ supports packet
replacement and is operating in inline mode.
If a policy is configured for inline_test or passive mode, any normalization
statements in the policy config are ignored.
IP4 Normalizations
==================
IP4 normalizations are enabled with:
preprocessor normalize_ip4: [df], [rf], [tos], [trim]
Base normalizations enabled with "preprocessor normalize_ip4" include:
* TTL normalization if enabled (explained below).
* NOP all options octets.
Optional normalizations include:
* df - don't fragment: clear this bit on incoming packets.
* rf - reserved flag: clear this bit on incoming packets.
* tos - type of service (differentiated services): clear this byte.
* trim - truncate packets with excess payload to the datagram length specified in the
IP header + the layer 2 header (e.g. ethernet), but don't truncate below minimum
frame length. This is automatically disabled if the DAQ can't inject packets.
IP6 Normalizations
==================
IP6 normalizations are enabled with:
preprocessor normalize_ip6
Base normalizations enabled with "preprocessor normalize_ip6" include:
* Hop limit normalization if enabled (explained below).
* NOP all options octets in hop-by-hop and destination options extension
headers.
ICMP4/6 Normalizations
======================
ICMP4 and ICMP6 normalizations are enabled with:
preprocessor normalize_icmp4
preprocessor normalize_icmp6
Base normalizations enabled with the above include:
* Clear the code field in echo requests and replies.
TCP Normalizations
==================
TCP normalizations are enabled with:
preprocessor normalize_tcp: \
[block], [rsv], [pad], \
[req_urg], [req_pay], [req_urp], \
[ips], [urp], [trim], \
[trim_syn], [trim_rst], \
[trim_win], [trim_mss], \
[ecn <ecn_type>], \
[opts [allow <allowed_opt>+]]
<ecn_type> ::= stream | packet
<allowed_opt> ::= \
sack | echo | partial_order | conn_count | alt_checksum | md5 | <num>
<sack> ::= { 4, 5 }
<echo> ::= { 6, 7 }
<partial_order> ::= { 9, 10 }
<conn_count> ::= { 11, 12, 13 }
<alt_checksum> ::= { 14, 15 }
<md5> ::= { 19 }
<num> ::= (3..255)
Normalizations include:
* block: allow packet drops during TCP normalization.
* rsv: clear the reserved bits in the TCP header.
* pad: clear any option padding bytes.
* req_urg: clear the urgent pointer if the urgent flag is not set.
* req_pay: clear the urgent pointer and the urgent flag if there is no payload.
* req_urp: clear the urgent flag if the urgent pointer is not set.
* ips: ensure consistency in retransmitted data (also forces reassembly policy
to "first"). Any segments that can't be properly reassembled will be dropped.
* urp: set the urgent pointer to the payload length if it is greater than the
payload length.
* trim_syn: remove data on SYN.
* trim_rst: remove any data from RST packet.
* trim_win: trim data to window.
* trim_mss: trim data to MSS.
* trim: enable all of the above trim options.
* ecn packet: clear ECN flags on a per packet basis (regardless of
negotiation).
* ecn stream: clear ECN flags if usage wasn't negotiated. Should also enable
require_3whs.
* opts: NOP all option bytes other than maximum segment size, window scaling,
timestamp, and any explicitly allowed with the allow keyword. You can allow
options to pass by name or number.
* opts: if timestamp is present but invalid, or valid but not negotiated, NOP
the timestamp octets.
* opts: if timestamp was negotiated but not present, block the packet.
* opts: clear TS ECR if ACK flag is not set.
* opts: MSS and window scale options are NOP'd if SYN flag is not set.
TTL Normalization
=================
TTL normalization pertains to both IP4 TTL (time-to-live) and IP6 (hop limit)
and is only performed if both the relevant base normalization is enabled (as
described above) and the minimum and new TTL values are configured, as follows:
config min_ttl: <min_ttl>
config new_ttl: <new_ttl>
<min_ttl> ::= (1..255)
<new_ttl> ::= (<min_ttl>+1..255)
If new_ttl > min_ttl, then if a packet is received with a TTL < min_ttl, the
TTL will be set to new_ttl.
Note that this configuration item was deprecated in 2.8.6:
preprocessor stream5_tcp: min_ttl <#>
By default min_ttl = 1 and new_ttl = 0 (TTL normalization is disabled).
New Decoder and Preprocessor Rules
==================================
116,424 Eth cap len < hdr len
116,426 ICMP4 Any: len < min ICMP header
116,416 ICMP4 Echo Request: destination is a broadcast address (255.255.255.255/32)
116,415 ICMP4 Echo Request: destination is a multicast address (224.0.0.0/4)
116,417 ICMP4 Source Quench: to prevent DoS
116,418 ICMP4 other: (Other = all not decoded by Snort)
116,427 ICMP6 Any: len < min ICMP header
116,432 ICMP6 Echo request: destination is a multicast address
116,431 ICMP6 other: (Other = all not decoded by Snort)
116,430 IP4 DF set and offset > 0.
116,409 IP4 Dst addr is current network (0.0.0.0/8)
116,412 IP4 Dst addr is unused/reserved (240.0.0.0/4)
116,414 IP4 Dst addr is broadcast address (255.255.255.255/32)
116,407 IP4 offset + len > 64KB.
116,425 IP4 Len < header len.
116,408 IP4 Src addr is current network (0.0.0.0/8)
116,410 IP4 Src addr is multicast address (224.0.0.0/4)
116,413 IP4 Src addr is broadcast address (255.255.255.255/32)
116,411 IP4 Src addr is unused/reserved (240.0.0.0/4)
129,11 TCP: no control flags set on data for established session
129,3 TCP: Data on closed session
129,8 TCP: Data after RST
116,422 TCP: FIN==1 && ACK==0
116,422 TCP: PUSH==1 && ACK==0
129,15 TCP: RST not in window
116,420 TCP: SYN==1 && FIN==1
129,2 TCP: SYN with data
116,421 TCP: SYN==1 && RST==1
116,423 TCP: SYN==0 && ACK==0 && RST==0
129,1 TCP: SYN on established session
116,422 TCP: URG==1 && ACK==0
116,419 TCP: URG==1 && (dsize==0 || urp > dsize)
129,6 TCP: Window Too large normalize_tcp
129,4 TCP TS option: packet fails PAWS test
129,14 TCP TS option: missing but negotiated in SYN