Tracking Flaws – Stream Reassembly Issues in Snort IPS, presented at ShmooCon 2011

by Ashley Thomas

Tags: Security Analysis


Summary: TCP stream reassembly is a core function required for robust IPS and IDS systems. Snort's stream reassembly implementation (Stream5) has certain flaws that limit its protection capabilities. In this paper we conduct a detailed analysis of the state tracking and stream reassembly functionality of the open source IPS/IDS Snort, with a focus on prevention capabilities. Our work aims to highlight the flaws in order to shed light on them, and to suggest possible alternative approaches that would improve the functionality. Various tests are conducted and the results are discussed in detail to demonstrate the issues.

Ashley Thomas: Ashley Thomas is a member of the iSensor IPS architecture team at SecureWorks, where he contributes to the research and development of the core modules of the Intrusion Prevention System. Prior to SecureWorks, he was part of the Georgia Tech Information Security group, where he conducted leading research in Intrusion Detection and Network Processors. He has also published papers in recognized information security conferences, including IAS (Information Assurance and Security) 2010, RAID (Recent Advances in Intrusion Detection) 2002 and NP3 (Workshop on Network Processors & Applications) 2004. Ashley has a Master's degree in Computing from North Carolina State University, with a thesis on adaptive and self-reconfiguring Intrusion Detection Systems. He also holds the SANS GCIA (GOLD), SANS GSSP-C, and CISSP certifications.