[Snort-devel] Logging not consistent with violated rule

Randy leganza at ...1541...
Fri Sep 6 03:39:02 EDT 2002


Sometimes the Snort Version 1.9.0beta6 (Build 201) packet logs do not match the 
rule they supposedly violated.  Note the packets below, which should have contained 
"?open" in the URI (uricontent), according to rule 1561, but were instead logged as a 
single byte of all 1s (0xFF).  The same applies to the last packet, for "WEB-IIS scripts access", rule 1287.


Running Red Hat 7.2 with all updates applied
Dell 4100, PIII 933 MHz, 512 MB memory
2 x 3Com NICs

###
The start-up lines from /etc/rc.d/init.d/snort:

# Sniffing interface passed to snort via -i below.
INTERFACE=eth1

# Bring the interface up in promiscuous mode before snort starts.
# NOTE(review): the interface name is hard-coded here instead of using $INTERFACE.
ifconfig eth1 up promisc

case "$1" in
    start)
          echo -n "Starting snort: "
          # snort options used here:
          #   -u/-g     drop privileges to user/group "snort" after start-up
          #   -d        dump application-layer payload into the packet logs
          #   -D        run as a daemon
          #   -o        change rule order so pass rules are applied before
          #             alert rules (pass.rules/local.rules take precedence)
          #   -k none   disable all checksum verification
          #   -i/-l/-c  interface, log directory, configuration file
          #   -m 027    umask for files created under the log directory
          #   -F        read the BPF filter from a file
          #   -z        stream4 assurance mode (alert on established TCP
          #             sessions only)
          # NOTE(review): $INTERFACE should be quoted as "$INTERFACE".
          daemon /usr/local/bin/snort -u snort -g snort -d -D -o -k none \
                  -i $INTERFACE -l /var/log/snort -c /etc/snort/snort.conf \
                  -m 027 -F /etc/snort/bpf-file -z
          # Subsystem lock file used by Red Hat's rc scripts to track running services.
          touch /var/lock/subsys/snort
          echo
          ;;

####

from snort.conf

preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts, ttl_limit 0
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 10 4 portscan.log
preprocessor portscan-ignorehosts: [xxxxxxxxxxxxxxx]

output alert_fast: alert

include /etc/snort/classification.config

include /etc/snort/reference.config

include /etc/snort/pass.rules
include /etc/snort/local.rules

include /etc/snort/bad-traffic.rules
include /etc/snort/exploit.rules
include /etc/snort/scan.rules
include /etc/snort/finger.rules
include /etc/snort/ftp.rules
include /etc/snort/telnet.rules
include /etc/snort/rpc.rules
include /etc/snort/rservices.rules
include /etc/snort/dos.rules
include /etc/snort/ddos.rules
include /etc/snort/dns.rules
include /etc/snort/tftp.rules

include /etc/snort/web-cgi.rules
include /etc/snort/web-coldfusion.rules
include /etc/snort/web-iis.rules
include /etc/snort/web-frontpage.rules
include /etc/snort/web-misc.rules
include /etc/snort/web-client.rules
include /etc/snort/web-php.rules

include /etc/snort/sql.rules
include /etc/snort/x11.rules
include /etc/snort/icmp.rules
#include /etc/snort/netbios.rules
include /etc/snort/misc.rules
include /etc/snort/attack-responses.rules
#include /etc/snort/oracle.rules
include /etc/snort/mysql.rules
include /etc/snort/snmp.rules

include /etc/snort/smtp.rules
include /etc/snort/imap.rules
include /etc/snort/pop3.rules

include /etc/snort/nntp.rules
include /etc/snort/other-ids.rules
include /etc/snort/web-attacks.rules
include /etc/snort/backdoor.rules
# include /etc/snort/shellcode.rules
include /etc/snort/policy.rules
# include /etc/snort/porn.rules
include /etc/snort/info.rules
# include /etc/snort/icmp-info.rules
# include /etc/snort/virus.rules
# include /etc/snort/chat.rules
include /etc/snort/multimedia.rules
include /etc/snort/p2p.rules


#####

Packet logs


[**] WEB-MISC ?open access [**]
09/05-16:54:10.290825 x.x.16.3:18746 -> x.x.35.30:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:41
***AP*** Seq: 0x4B2682FC  Ack: 0x0  Win: 0x0  TcpLen: 20
FF                                               .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-MISC ?open access [**]
09/05-16:54:10.291028 x.x.16.3:18741 -> x.x.35.30:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:41
***AP*** Seq: 0x4B24F116  Ack: 0x0  Win: 0x0  TcpLen: 20
FF                                               .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-MISC ?open access [**]
09/05-16:54:10.294633 x.x.16.3:18739 -> x.x.35.30:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:41
***AP*** Seq: 0x4B244F0A  Ack: 0x0  Win: 0x0  TcpLen: 20
FF                                               .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-MISC ?open access [**]
09/05-16:54:10.290751 x.x.16.3:18718 -> x.x.35.30:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:41
***AP*** Seq: 0x4B2217F7  Ack: 0x0  Win: 0x0  TcpLen: 20
FF                                               .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-MISC ?open access [**]
09/05-16:54:10.297744 x.x.16.3:18715 -> x.x.35.30:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:41
***AP*** Seq: 0x4B211AEA  Ack: 0x0  Win: 0x0  TcpLen: 20
FF                                               .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-MISC ?open access [**]
09/05-16:54:10.295083 x.x.16.3:18713 -> x.x.35.30:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:41
***AP*** Seq: 0x4B2021D2  Ack: 0x0  Win: 0x0  TcpLen: 20
FF                                               .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS scripts access [**]
09/05-16:57:01.355429 x.x.16.3:11912 -> x.x.35.7:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:41
***AP*** Seq: 0x4A3FE328  Ack: 0x0  Win: 0x0  TcpLen: 20
FF                                               .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+





