[Snort-devel] Duplicate alarms for destination port 80

François Désarménien francois at ...451...
Fri Jun 22 11:25:46 EDT 2001


Hello, you all!

While investigating in Snort alert file, I noticed that for
rules implying port 80 as destination, but not the others,
in the alert file, there's always a shadow line, a few
milliseconds later, which is not logged.

Here is an example:

06/22-16:35:34.149305  [**] [1:0:0] IDS297/web-misc_http-directory-traversal1 [**] [ snip ] 192.168.20.35:4459 -> 192.168.20.48:80
06/22-16:35:34.149342  [**] [1:0:0] IDS297/web-misc_http-directory-traversal1 [**] [ snip ] 192.168.20.35:4459 -> 192.168.20.48:80

and the packet at 06/22-16:35:34.149305 is logged in the binary
log file, but not the one at 06/22-16:35:34.149342:

--------------------------------------------------------------------------
06/22-16:35:34.149305 192.168.20.35:4459 -> 192.168.20.48:80
TCP TTL:64 TOS:0x0 ID:9405 IpLen:20 DgmLen:151 DF
***AP*** Seq: 0xC157C080  Ack: 0xBBFA5FA2  Win: 0x3EBC  TcpLen: 32
TCP Options (3) => NOP NOP TS: 11021579 19502985 
0x0000: 00 04 76 1C F1 84 00 50 DA 69 83 59 08 00 45 00  ..v....P.i.Y..E.
0x0010: 00 97 24 BD 40 00 40 06 6C 00 C0 A8 14 23 C0 A8  ..$.@.@.l....#..
0x0020: 14 30 11 6B 00 50 C1 57 C0 80 BB FA 5F A2 80 18  .0.k.P.W...._...
0x0030: 3E BC 50 A1 00 00 01 01 08 0A 00 A8 2D 0B 01 29  >.P.........-..)
0x0040: 97 89 47 45 54 20 2F 6D 73 61 64 63 2F 53 61 6D  ..GET /msadc/Sam
0x0050: 70 6C 65 73 2F 53 45 4C 45 43 54 4F 52 2F 73 68  ples/SELECTOR/sh
0x0060: 6F 77 63 6F 64 65 2E 61 73 70 3F 73 6F 75 72 63  owcode.asp?sourc
0x0070: 65 3D 2F 6D 73 61 64 63 2F 53 61 6D 70 6C 65 73  e=/msadc/Samples
0x0080: 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F  /../../../../../
0x0090: 62 6F 6F 74 2E 69 6E 69 20 48 54 54 50 2F 31 2E  boot.ini HTTP/1.
0x00A0: 30 0D 0A 0D 0A                                   0....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/22-16:35:34.191431 192.168.20.35:4462 -> 192.168.20.48:80
--------------------------------------------------------------------------

The IDS297 rule is:

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS297/web-misc_http-directory-traversal1";
      flags: A+; content: "../"; classtype: system-attempt; reference: arachnids,297;)

I'm using the latest CVS snapshot, 1.8beta6 (Build 26) on a
Debian Linux 2.2, Pentium 600, on a very low-traffic 10baseT local
network dedicated for testing. The behaviour is the same
with 1.8beta4.

The rules and classifications are from whitehats, the attack from nessus.

I wonder if a preprocessor such as stream2 or http_decode could
maybe faultily report the packet twice... what do you think?

I append my config file, if it can be of any help.

Regards, and thanks for Snort and your time,

François

-- Snort.conf ----------------------------------------------------
var INTERNAL 192.168.20.48/32
var EXTERNAL 192.168.20.35/32

var HOME_NET $INTERNAL
var EXTERNAL_NET $EXTERNAL
var SMTP $INTERNAL
var HTTP_SERVERS $INTERNAL
var SQL_SERVERS $INTERNAL
var DNS_SERVERS $INTERNAL

preprocessor defrag
preprocessor stream2: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
preprocessor http_decode: 80 2301
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $INTERNAL 5 5 portscan
preprocessor portscan-ignorehosts: $INTERNAL

config classification: not-suspicious,policy traffic that is not suspicious,0
config classification: suspicious,suspicious miscellaneous traffic,1
config classification: info-failed,failed information gathering attempt,2
config classification: relay-failed,failed relay attempt,3
config classification: data-failed,failed data integrity attempt,4
config classification: system-failed,failed system integrity attempt,5
config classification: client-failed,failed client integrity attempt,6
config classification: denialofservice,denial of service,7
config classification: info-attempt,information gathering attempt,8
config classification: relay-attempt,relay attempt,9
config classification: data-attempt,data integrity attempt,10
config classification: system-attempt,system integrity attempt,11
config classification: client-attempt,client integrity attempt,12
config classification: data-or-info-attempt,data integrity or information gathering attempt,13
config classification: system-or-info-attempt,system integrity or information gathering attempt,14
config classification: relay-or-info-attempt,relay of information gathering attempt,15
config classification: info-success,successful information gathering attempt,16
config classification: relay-success,successful relay attempt,17
config classification: data-success,successful data integrity attempt,18
config classification: system-success,successful system integrity attempt,19
config classification: client-success,successful client integrity attempt,20

config order: pass activation dynamic alert log

include /etc/snort.d/rules
--------------------------------------------------------------------------
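The two things a reader would want to verify from the output quoted above are (a) that the second alert line really is a duplicate of the first (same signature, same 5-tuple, fired microseconds later) and (b) that the logged packet does satisfy both tests of the IDS297 rule, so the first alert at least is legitimate. The script below is an added example, not code from the post or from Snort: it parses the fast-format alert lines into (timestamp, signature, 5-tuple) keys and reports repeats of an identical key inside a short window, and it rebuilds the frame from the hex dump, walks the Ethernet/IPv4/TCP headers and applies the rule's `flags: A+` (ACK bit set) and `content: "../"` tests to the TCP payload. Assumptions: the year is 2001 (the archive shows only month/day), a 1 ms window is used to call two alerts a duplicate, and the sample inputs are constructed from the post (the third alert line is made up for the later connection from source port 4462 so that there is a non-duplicate to ignore).

```python
import re
from datetime import datetime

# Constructed sample: the two alert lines from the post, plus a made-up third
# line for the later connection (source port 4462) that must not be flagged.
SAMPLE_ALERTS = """\
06/22-16:35:34.149305  [**] [1:0:0] IDS297/web-misc_http-directory-traversal1 [**] [ snip ] 192.168.20.35:4459 -> 192.168.20.48:80
06/22-16:35:34.149342  [**] [1:0:0] IDS297/web-misc_http-directory-traversal1 [**] [ snip ] 192.168.20.35:4459 -> 192.168.20.48:80
06/22-16:35:34.191431  [**] [1:0:0] IDS297/web-misc_http-directory-traversal1 [**] [ snip ] 192.168.20.35:4462 -> 192.168.20.48:80
"""

# Constructed sample: the hex columns of the logged packet, copied from the
# post's dump. The ASCII column is ignored by the parser.
SAMPLE_HEXDUMP = """\
0x0000: 00 04 76 1C F1 84 00 50 DA 69 83 59 08 00 45 00  ..v....P.i.Y..E.
0x0010: 00 97 24 BD 40 00 40 06 6C 00 C0 A8 14 23 C0 A8  ..$.@.@.l....#..
0x0020: 14 30 11 6B 00 50 C1 57 C0 80 BB FA 5F A2 80 18  .0.k.P.W...._...
0x0030: 3E BC 50 A1 00 00 01 01 08 0A 00 A8 2D 0B 01 29  >.P.........-..)
0x0040: 97 89 47 45 54 20 2F 6D 73 61 64 63 2F 53 61 6D  ..GET /msadc/Sam
0x0050: 70 6C 65 73 2F 53 45 4C 45 43 54 4F 52 2F 73 68  ples/SELECTOR/sh
0x0060: 6F 77 63 6F 64 65 2E 61 73 70 3F 73 6F 75 72 63  owcode.asp?sourc
0x0070: 65 3D 2F 6D 73 61 64 63 2F 53 61 6D 70 6C 65 73  e=/msadc/Samples
0x0080: 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F  /../../../../../
0x0090: 62 6F 6F 74 2E 69 6E 69 20 48 54 54 50 2F 31 2E  boot.ini HTTP/1.
0x00A0: 30 0D 0A 0D 0A                                   0....
"""

# Fast-format alert line: timestamp, [gid:sid:rev], message, anything up to
# the address pair (the classification/priority part the post snipped).
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d)\.(?P<us>\d{6})"
    r"\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\s(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
# Hex dump line: "0xNNNN:" followed by space-separated byte pairs; the ASCII
# column is separated by two spaces, so the single-space pattern stops there.
HEXLINE_RE = re.compile(r"^0x[0-9A-Fa-f]{4}:((?:\s[0-9A-Fa-f]{2})+)")


def parse_alert(line, year=2001):
    """Return (timestamp, key) for one fast-format alert line, or None."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    ts = datetime(year, int(m["mon"]), int(m["day"]), int(m["hh"]),
                  int(m["mm"]), int(m["ss"]), int(m["us"]))
    key = (m["gid"], m["sid"], m["msg"],
           m["src"], m["sport"], m["dst"], m["dport"])
    return ts, key


def find_shadow_alerts(text, window_us=1000):
    """Return [(key, gap_us)] for alerts repeating an identical key within window_us."""
    last_seen = {}
    shadows = []
    for line in text.splitlines():
        parsed = parse_alert(line)
        if parsed is None:
            continue
        ts, key = parsed
        prev = last_seen.get(key)
        if prev is not None:
            d = ts - prev
            gap_us = (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds
            if 0 <= gap_us <= window_us:
                shadows.append((key, gap_us))
        last_seen[key] = ts
    return shadows


def parse_hexdump(text):
    """Rebuild raw frame bytes from Snort's 'offset: hex  ascii' dump lines."""
    out = bytearray()
    for line in text.splitlines():
        m = HEXLINE_RE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def tcp_payload(frame):
    """Return (tcp_flags, payload) for an Ethernet II / IPv4 / TCP frame."""
    ip = 14                                        # Ethernet II header length
    ihl = (frame[ip] & 0x0F) * 4                   # IPv4 header length
    end = ip + int.from_bytes(frame[ip + 2:ip + 4], "big")  # IP total length
    tcp = ip + ihl
    doff = (frame[tcp + 12] >> 4) * 4              # TCP header length
    flags = frame[tcp + 13]
    return flags, frame[tcp + doff:end]


def rule_ids297_matches(frame):
    """Apply the IDS297 rule's tests: flags: A+ (ACK bit set) and content "../"."""
    flags, payload = tcp_payload(frame)
    return bool(flags & 0x10) and b"../" in payload


if __name__ == "__main__":
    for key, gap in find_shadow_alerts(SAMPLE_ALERTS):
        print(f"shadow alert {gap} us after the first: {key[2]} "
              f"{key[3]}:{key[4]} -> {key[5]}:{key[6]}")
    frame = parse_hexdump(SAMPLE_HEXDUMP)
    print("IDS297 matches logged packet:", rule_ids297_matches(frame))
```

Run against the post's lines, find_shadow_alerts reports one pair 37 microseconds apart for 192.168.20.35:4459 -> 192.168.20.48:80 and ignores the 4462 connection, and the rebuilt 165-byte frame carries PSH|ACK (0x18) with a 99-byte payload containing "../" five times, so the rule fires on it as written. The window is deliberately tiny: two alerts from the same connection tens of microseconds apart cannot be two client requests, which is what makes the second line look like a re-evaluation of the same packet rather than a real repeat.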