[Snort-devel] SWF/PDF Decompression

Simon Wesseldine simon.wesseldine at ...3589...
Fri Dec 18 06:57:38 EST 2015


Thanks, Carter, for your reply; your answer was in fact right on the money.

I am building from source, but I had forgotten one important piece of the
jigsaw puzzle. I was originally using the Debian 'Jessie' operating system,
but had recently replaced it with the Lite version of 'Jessie', which it
appears does not come with the lzma-dev package. I wasn't aware of that.

Peace and calm are now restored :-)

Best regards,
Simon.



-----Original Message-----
From: snort-devel-request at lists.sourceforge.net
[mailto:snort-devel-request at lists.sourceforge.net] 
Sent: 18 December 2015 11:10
To: snort-devel at lists.sourceforge.net
Subject: Snort-devel Digest, Vol 113, Issue 14

Send Snort-devel mailing list submissions to
	snort-devel at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-devel
or, via email, send a message with subject or body 'help' to
	snort-devel-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-devel-owner at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific than
"Re: Contents of Snort-devel digest..."


Today's Topics:

   1. SWF/PDF Decompression (Simon Wesseldine)
   2. Re: SWF/PDF Decompression (Carter Waxman (cwaxman))
   3. Re: Large Packet Drop with SNort-2.9.80 as compared to
      Snort-2.9.7.6 (Dheeraj Gupta)


----------------------------------------------------------------------

Message: 1
Date: Thu, 17 Dec 2015 09:18:50 -0000
From: "Simon Wesseldine" <simon.wesseldine at ...3589...>
Subject: [Snort-devel] SWF/PDF Decompression
To: <snort-devel at lists.sourceforge.net>
Message-ID: <002101d138ab$f19a4f40$d4ceedc0$@wesseldine at ...3589...>
Content-Type: text/plain; charset="us-ascii"

Hi,

Has anybody else run into problems with version 2.9.8.0 and PDF/SWF
decompression?

I am getting an error when running a configuration file that contains these
keywords:

decompress_swf
decompress_pdf

Snort will not load and I get an error pointing to these keywords being
included.

If I remove the keywords, then Snort will load fine.

My configuration file was working in the previous version of Snort.

I am using 'extended_response_inspection' as well.

Best regards,
Simon.

-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

Message: 2
Date: Thu, 17 Dec 2015 14:16:28 +0000
From: "Carter Waxman (cwaxman)" <cwaxman at ...3461...>
Subject: Re: [Snort-devel] SWF/PDF Decompression
To: Simon Wesseldine <simon.wesseldine at ...3589...>,
	"snort-devel at lists.sourceforge.net"
	<snort-devel at lists.sourceforge.net>
Message-ID: <D2982D0C.311E0%cwaxman at ...3461...>
Content-Type: text/plain; charset="us-ascii"

Hi Simon,

Are you installing from source or an rpm? You need to have the LZMA
development libraries on your system when building to use these options
(usually packaged as lzma-dev or lzma-devel).

Thanks,
Carter

From: Simon Wesseldine <simon.wesseldine at ...3589...>
Date: Thursday, December 17, 2015 at 4:18 AM
To: "snort-devel at lists.sourceforge.net" <snort-devel at lists.sourceforge.net>
Subject: [Snort-devel] SWF/PDF Decompression

Hi,
Has anybody else run into problems with version 2.9.8.0 and PDF/SWF
decompression?
I am getting an error when running a configuration file that contains these
keywords:

decompress_swf
decompress_pdf

Snort will not load and I get an error pointing to these keywords being
included.
If I remove the keywords, then Snort will load fine.

My configuration file was working in the previous version of Snort.
I am using 'extended_response_inspection' as well.

Best regards,
Simon.
-------------- next part --------------
An HTML attachment was scrubbed...
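Carter's answer amounts to a build-time dependency that only surfaces when the configuration is parsed. The following pre-flight check is an added example, not code from the thread or from the Snort project: it scans a snort.conf for active (uncommented) uses of decompress_swf / decompress_pdf in http_inspect_server stanzas, including backslash-continued lines, and then asks whether the installed snort binary is dynamically linked against liblzma via ldd. The sample configuration is constructed; the assumption that a missing liblzma link explains a parse failure on those keywords follows the thread, and the ldd check is an assumption that only holds for dynamically linked builds.

```python
"""Pre-flight check: does this snort.conf need an LZMA-enabled Snort build?

Added example for the mailing-list thread above; not part of Snort itself.
"""
import re
import shutil
import subprocess

# Options that Carter's reply says need the LZMA development libraries at build time.
OPTION_RE = re.compile(r"\b(decompress_swf|decompress_pdf)\b(?:\s*\{[^}]*\})?")


def logical_lines(conf_text):
    """Join backslash-continued lines and drop '#' comments, the way
    multi-line http_inspect_server stanzas are usually written."""
    joined, buf = [], ""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            joined.append(buf.strip())
        buf = ""
    if buf.strip():
        joined.append(buf.strip())
    return joined


def lzma_options_in_use(conf_text):
    """Return every active decompress_swf/decompress_pdf option (with its
    argument block, if any) found in http_inspect_server lines."""
    found = []
    for line in logical_lines(conf_text):
        if not line.startswith("preprocessor http_inspect_server"):
            continue
        found.extend(m.group(0) for m in OPTION_RE.finditer(line))
    return found


def binary_links_liblzma(snort_path="snort"):
    """True/False if ldd shows liblzma for the snort binary, None if that
    cannot be determined (no ldd, or a statically linked build).
    Assumption: a dynamically linked Unix build."""
    exe = shutil.which(snort_path) or snort_path
    try:
        proc = subprocess.run(["ldd", exe], capture_output=True, text=True, check=False)
    except OSError:
        return None
    if proc.returncode != 0 and not proc.stdout:
        return None if "not a dynamic executable" in proc.stderr else False
    return "liblzma" in proc.stdout


def preflight(conf_text, snort_path="snort"):
    """Human-readable verdict combining the config scan and the link check."""
    opts = lzma_options_in_use(conf_text)
    if not opts:
        return "ok: no LZMA-dependent options in use"
    used = ", ".join(opts)
    linked = binary_links_liblzma(snort_path)
    if linked is False:
        return ("error: config uses %s but snort is not linked against liblzma; "
                "install lzma-dev/liblzma-dev and rebuild" % used)
    if linked is None:
        return "warning: config uses %s; could not verify liblzma linkage" % used
    return "ok: config uses %s and snort links liblzma" % used


# Constructed sample, not a real deployment file.
SAMPLE_CONF = """\
# constructed snippet for the example
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 } \\
    extended_response_inspection \\
    decompress_swf { deflate lzma } \\
    decompress_pdf { deflate }
# preprocessor http_inspect_server: server 10.0.0.1 decompress_swf { lzma }
"""

if __name__ == "__main__":
    print(lzma_options_in_use(SAMPLE_CONF))
    print(preflight(SAMPLE_CONF))
```

Run it against the real configuration file (read it into `preflight`) before upgrading a sensor: a config that scans clean on one host may still fail on another built without the headers, which is exactly the Jessie Lite situation Simon ran into.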

------------------------------

Message: 3
Date: Fri, 18 Dec 2015 16:39:59 +0530
From: Dheeraj Gupta <dheeraj.gupta4 at ...2499...>
Subject: Re: [Snort-devel] Large Packet Drop with SNort-2.9.80 as
	compared to Snort-2.9.7.6
To: "Nageswara Rao A.V.K (navk)" <navk at ...3461...>
Cc: "snort-devel at lists.sourceforge.net"
	<snort-devel at lists.sourceforge.net>
Message-ID:
	<CAOsL98NQVvw7CBqnktXbD0uVe+0e1vWcx0GHaFeoiF-9rmchYA at ...2500...>
Content-Type: text/plain; charset="utf-8"

Hi,

I am also confused about the drop count. This is what I got after a separate
brief snort run (on a different machine)

===============================================================================
Run time for packet processing was 497.799669 seconds
Snort processed 7139620 packets.
Snort ran for 0 days 0 hours 8 minutes 17 seconds
   Pkts/min:       892452
   Pkts/sec:        14365
===============================================================================
Packet I/O Totals:
   Received:     14977160
   Analyzed:      7139620 ( 47.670%)
    Dropped:     11666105 ( 43.786%)
   Filtered:      7046472 ( 47.048%)
Outstanding:       791068 (  5.282%)
   Injected:            0
===============================================================================

The totals and percentages do not tally. Can someone explain how filtered,
received, analyzed and dropped numbers should be interpreted?

Regards,
Dheeraj

On Thu, Dec 17, 2015 at 11:46 AM, Dheeraj Gupta <dheeraj.gupta4 at ...2499...>
wrote:

> Hi,
>
> The test was run for the same PCAP so number of packets is same in 
> both cases (9220233). The packet I/O totals as output by two snorts are:
>
> Snort-2.9.8.0
> ------------------------
>
> ===============================================================================
> Run time for packet processing was 783.512468 seconds
> Snort processed 9220233 packets.
> Snort ran for 0 days 0 hours 13 minutes 3 seconds
>    Pkts/min:       709248
>    Pkts/sec:        11775
> ===============================================================================
> Packet I/O Totals:
>    Received:      9220233
>    Analyzed:      9220233 (100.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:            0
> ===============================================================================
>
>
> Snort-2.9.7.6
> -----------------------
>
>
> ===============================================================================
> Run time for packet processing was 547.131014 seconds
> Snort processed 9220233 packets.
> Snort ran for 0 days 0 hours 9 minutes 7 seconds
>    Pkts/min:      1024470
>    Pkts/sec:        16856
> ===============================================================================
> Packet I/O Totals:
>    Received:      9220233
>    Analyzed:      9220233 (100.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:            0
> ===============================================================================
>
> Again as the test is against a static PCAP, there will be no drops.
> However, in this test Snort-2.9.8.0 is almost 30% slower (processes 
> about 11.7K pkts/s as against 16.8K pkts/s) than Snort-2.9.7.6. When 
> used with live traffic, wouldn't this cause increased packet drops?
>
> Regards,
> Dheeraj
>
> On Wed, Dec 16, 2015 at 8:02 PM, Nageswara Rao A.V.K (navk) < 
> navk at ...3461...> wrote:
>
>> You did not provide "Packet I/O Totals:" for this test.
>>
>> We have to compare that data.
>>
>>
>>
>> I don't think the previous stats will be applicable here,
>>
>> because the number of pkts is different here.
>>
>>
>>
>> Best Regards,
>>
>> -ANR
>>
>>
>>
>> *From:* Dheeraj Gupta [mailto:dheeraj.gupta4 at ...2499...]
>> *Sent:* Wednesday, December 16, 2015 5:16 PM
>> *To:* Nageswara Rao A.V.K (navk)
>> *Cc:* snort-devel at lists.sourceforge.net
>> *Subject:* Re: [Snort-devel] Large Packet Drop with SNort-2.9.80 as 
>> compared to Snort-2.9.7.6
>>
>>
>>
>> Hi,
>>
>> I captured a large PCAP (6.6G ~9M packets) and analyzed it through 
>> both
>> Snort-2.9.7.6 and 2.9.8.0 with an almost identical configuration file 
>> (memcap etc.). Since SO rules for Snort-2.9.7.6 cannot be used with 
>> 2.9.8.0, the number of rules for 2.9.8.0 was lower (about 11k) as 
>> compared to 2.9.7.6 (12k).
>>
>> Here is a summary of end of run stats
>>
>> Snort-2.9.7.6
>>
>>
>> ===============================================================================
>> Run time for packet processing was 547.131014 seconds
>> Snort processed 9220233 packets.
>> Snort ran for 0 days 0 hours 9 minutes 7 seconds
>>    Pkts/min:      1024470
>>    Pkts/sec:        16856
>> ===============================================================================
>>
>> Snort-2.9.8.0
>>
>> ===============================================================================
>> Run time for packet processing was 783.512468 seconds
>> Snort processed 9220233 packets.
>> Snort ran for 0 days 0 hours 13 minutes 3 seconds
>>    Pkts/min:       709248
>>    Pkts/sec:        11775
>> ===============================================================================
>>
>> snort.conf is attached
>>
>>
>>
>> On Tue, Dec 15, 2015 at 10:03 AM, Dheeraj Gupta 
>> <dheeraj.gupta4 at ...2499...>
>> wrote:
>>
>> Hi,
>>
>> The traffic is captured from a live interface, so it is not exactly the same.
>> However, it is from the same network and same network filter over a 
>> contiguous time range. So, characteristics of the traffic are broadly 
>> the same, i.e. most of it is user browsing data. The reason I wrote 
>> this e-mail is because on a weekday, we have an average 100-150 Mbps 
>> on the wire and
>> Snort-2.9.7.6 reported fewer losses (<10%). However, Snort-2.9.8.0 
>> reported over 40% drops with comparable traffic load/pattern.
>>
>> Snort logs do not have any additional entry apart from session pruned 
>> due to timeout/stale (same in both cases).
>>
>> Regards,
>>
>> Dheeraj
>>
>>
>>
>> On Tue, Dec 15, 2015 at 8:43 AM, Nageswara Rao A.V.K (navk) < 
>> navk at ...3461...> wrote:
>>
>> Hi Dheeraj,
>>
>>    We need more info to come to a conclusion.
>>
>>
>>
>> Are you passing the same traffic in both scenarios?
>>
>>
>>
>> Did you verify the snort logs?
>>
>> You may know the reason for pkt drops.
>>
>>
>>
>> We did not notice these problems in our observations.
>>
>> More details may help us to analyze the problem.
>>
>>
>>
>> Best Regards,
>>
>> -ANR
>>
>>
>>
>> *From:* Dheeraj Gupta [mailto:dheeraj.gupta4 at ...2499...]
>> *Sent:* Monday, December 14, 2015 11:30 AM
>> *To:* snort-devel at lists.sourceforge.net
>> *Subject:* [Snort-devel] Large Packet Drop with SNort-2.9.80 as 
>> compared to Snort-2.9.7.6
>>
>>
>>
>> Hi,
>>
>> I just upgraded to Snort-2.9.8.0 from Snort-2.9.7.6. Before the 
>> upgrade one of my sensors showed (somewhat expected) packet drops. 
>> However, after the upgrade the packet drop increased significantly 
>> even though the number of rules decreased (as SO rules are not in use 
>> with 2.9.8.0). I am still using Snort-2.9.7.6 rulesets (as advised by
>> you).
>>
>> Here is a snip from my snort.stats file for 2.9.8.0
>>
>> #time,pkt_drop_percent,wire_mbits_per_sec.realtime
>> 1450068900,33.873,124.415
>> 1450069200,23.718,121.253
>> 1450069500,26.014,120.349
>> 1450069800,26.368,120.821
>> 1450070100,23.706,116.493
>> 1450070400,21.039,121.363
>>
>> For Snort-2.9.7.6, the snip is
>> #time,pkt_drop_percent,wire_mbits_per_sec.realtime
>> 1450071180,0.000,79.159
>> 1450071480,0.000,118.671
>> 1450071780,2.146,132.186
>> 1450072080,8.337,130.408
>>
>>
>>
>> Looking at end-of-snort stats. This is for 2.9.8.0
>>
>> Packet I/O Totals:
>>    Received:    804563792
>>    Analyzed:    388361098 ( 48.270%)
>>     Dropped:    298207658 ( 27.042%)
>>    Filtered:    415840607 ( 51.685%)
>>    Outstanding:       362087 (  0.045%)
>>    Injected:            0
>>
>> And this is for 2.9.7.6
>>
>> Packet I/O Totals:
>>    Received:     60969886
>>    Analyzed:     30035104 ( 49.262%)
>>     Dropped:       742645 (  1.203%)
>>    Filtered:     30927585 ( 50.726%)
>>    Outstanding:         7197 (  0.012%)
>>    Injected:            0
>>
>> I have a longish BPF filter, so is the filtered count an indication 
>> of the amount of traffic which was filtered by that filter?
>>
>> Also, is the dropped count a subset of the analyzed count or of the received 
>> count? I ask this because it appears that
>>
>> received_count = analyzed + filtered
>>
>> so the dropped_count doesn't really fit in.
>>
>>
>>
>> Regards,
>>
>> Dheeraj
>>
>>
>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
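Dheeraj's question of how Received, Analyzed, Dropped, Filtered and Outstanding relate can be answered from the figures posted in this thread alone: in every block quoted above, Received equals Analyzed + Filtered + Outstanding, the three percentages next to those counters are fractions of Received, and the Dropped percentage is a fraction of Received + Dropped (packets the capture layer reported as lost never became part of Received, which is why they do not "fit in"). The following parser and consistency check is an added example, not code from the thread or from Snort; the relationships it checks are an assumption inferred from the posted numbers rather than taken from Snort documentation, and the two sample blocks are copied from Dheeraj's messages above. From a monitoring standpoint the number that matters is the share of offered traffic that was actually analyzed, which the check also derives.

```python
"""Parse Snort 'Packet I/O Totals' and re-derive the accounting behind them.

Added example for the thread above; not part of Snort. The invariants
below are inferred from the figures posted in the thread (assumption).
"""
import re

LINE_RE = re.compile(
    r"^\s*(Received|Analyzed|Dropped|Filtered|Outstanding|Injected):"
    r"\s+(\d+)(?:\s+\(\s*([\d.]+)%\))?",
    re.M,
)


def parse_io_totals(text):
    """Return {counter: (count, percent_or_None)} from an end-of-run block."""
    totals = {}
    for m in LINE_RE.finditer(text):
        pct = float(m.group(3)) if m.group(3) else None
        totals[m.group(1)] = (int(m.group(2)), pct)
    return totals


def check_accounting(totals):
    """Re-derive the relationships the posted numbers satisfy.

    Assumed invariants (inferred from the thread, not from Snort docs):
      Received == Analyzed + Filtered + Outstanding
      Analyzed/Filtered/Outstanding % are fractions of Received
      Dropped % is a fraction of (Received + Dropped): drops happened
      before the packet was handed to Snort, so they are not in Received.
    """
    r = totals["Received"][0]
    a, f, o, d = (totals[k][0] for k in ("Analyzed", "Filtered", "Outstanding", "Dropped"))
    offered = r + d  # what the capture layer saw, including what it lost
    derived = {
        "received_matches_sum": r == a + f + o,
        "analyzed_pct": round(100 * a / r, 3),
        "filtered_pct": round(100 * f / r, 3),
        "outstanding_pct": round(100 * o / r, 3),
        "dropped_pct": round(100 * d / offered, 3),
        "offered_to_daq": offered,
        # The visibility figure a defender cares about: of everything that hit
        # the wire on the monitored interface, how much did the engine inspect?
        "analyzed_of_offered_pct": round(100 * a / offered, 3),
    }
    # Compare our re-derivation with the percentages Snort itself printed.
    printed = {
        "analyzed_pct": totals["Analyzed"][1],
        "filtered_pct": totals["Filtered"][1],
        "outstanding_pct": totals["Outstanding"][1],
        "dropped_pct": totals["Dropped"][1],
    }
    derived["percents_consistent"] = all(
        printed[k] is not None and abs(printed[k] - derived[k]) < 0.001 for k in printed
    )
    return derived


# Sample blocks copied from Dheeraj's messages in this thread.
STATS_SHORT_RUN = """\
Packet I/O Totals:
   Received:     14977160
   Analyzed:      7139620 ( 47.670%)
    Dropped:     11666105 ( 43.786%)
   Filtered:      7046472 ( 47.048%)
Outstanding:       791068 (  5.282%)
   Injected:            0
"""

STATS_2980_SENSOR = """\
Packet I/O Totals:
   Received:    804563792
   Analyzed:    388361098 ( 48.270%)
    Dropped:    298207658 ( 27.042%)
   Filtered:    415840607 ( 51.685%)
   Outstanding:       362087 (  0.045%)
   Injected:            0
"""

if __name__ == "__main__":
    for name, block in (("short run", STATS_SHORT_RUN), ("2.9.8.0 sensor", STATS_2980_SENSOR)):
        print(name, check_accounting(parse_io_totals(block)))
```

Reading the derived figures for the short run: the 43.786% drop rate is relative to 26.6M packets offered, and only about 27% of that offered traffic was analyzed; a BPF filter that discards half of what is received (the Filtered line) reduces load but does nothing about packets the capture layer lost before Snort saw them.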

------------------------------

------------------------------------------------------------------------------


------------------------------

_______________________________________________
Snort-devel mailing list
Snort-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel


End of Snort-devel Digest, Vol 113, Issue 14
********************************************
