[Snort-devel] False Snort Alert [119:31:1] triggering

Gaurav Nagare (gnagare) gnagare at ...3461...
Wed Jun 17 10:25:59 EDT 2015


Hi,
Adding http_methods { GET POST HEAD PUT CONNECT } should stop the false alert for valid HTTP methods.

For the second case, false alerts being generated for some HTTP fragments, we already have a bug in place. The fix will be provided in a future release.

Thanks
Gaurav

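As an added illustration of the rule Carter describes (this is example code written for this thread, not Snort's own http_inspect source): a small Python model of the 119:31 HI_CLIENT_UNKNOWN_METHOD check. It reads the http_methods list out of an http_inspect_server line and applies "alert iff the method is not GET, not POST and not in that list" to payloads modelled on the packets quoted below. The two config fragments, the request tokenizer and the sample payloads are constructed assumptions; Snort's real parser is more involved, and the fragment case only models the observation reported in this thread (a mid-stream chunk such as "Host: google.de" carries no method token at all, so a method check can only fail on it).

```python
"""Model of Snort 2.9 http_inspect's client-side method check
(GID 119, SID 31, HI_CLIENT_UNKNOWN_METHOD) and of how the
http_methods option changes it.

Added example for this thread; NOT Snort source code. The rule encoded
here is the one stated by Carter: the alert fires iff the request method
is not GET, not POST, and not listed in http_methods. The config
fragments, tokenizer and sample payloads are constructed for illustration.
"""
import re

# Two http_inspect_server fragments (constructed): the stock profile with no
# http_methods option, and the same profile with the list suggested here.
CONF_DEFAULT = """
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 } \\
    oversize_dir_length 1000
"""

CONF_FIXED = """
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 } \\
    http_methods { GET POST HEAD PUT CONNECT } \\
    oversize_dir_length 1000
"""

# Methods the check accepts regardless of configuration (per the thread).
BUILTIN_METHODS = frozenset({"GET", "POST"})

# HTTP/1.1 token characters (RFC 7230 tchar); a request line must start
# with one or more of them followed by a single space.
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_http_methods(conf: str) -> frozenset:
    """Return the http_methods list from an http_inspect_server config
    fragment, or an empty set when the option is absent."""
    m = re.search(r"http_methods\s*\{([^}]*)\}", conf)
    if not m:
        return frozenset()
    return frozenset(tok.upper() for tok in m.group(1).split())


def request_method(payload: bytes):
    """Pull the method token from the start of a client payload.
    Returns None when the payload does not begin with 'TOKEN SP', which is
    what a mid-stream fragment such as b'Host: google.de\\n' looks like."""
    m = TOKEN_RE.match(payload)
    if not m or payload[m.end():m.end() + 1] != b" ":
        return None
    return m.group(0).decode("ascii")


def unknown_method_alert(payload: bytes, allowed: frozenset) -> bool:
    """True when the thread's rule says 119:31 would fire for this payload."""
    method = request_method(payload)
    if method is None:
        return True  # no recognisable method token at all
    return method not in BUILTIN_METHODS and method not in allowed


# Constructed samples modelled on the packets quoted in this thread.
HEAD_REQUEST = (
    b"HEAD /v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1506170753 HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Windows-Update-Agent\r\n"
    b"Host: ds.download.windowsupdate.com\r\n\r\n"
)
GET_REQUEST = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
FRAGMENT = b"Host: google.de\n"          # mid-stream chunk, no request line
BOGUS = b"HAXX / HTTP/1.1\r\n\r\n"       # genuinely unknown method


def evaluate(conf: str) -> dict:
    """Run the check over all samples under one config: name -> alerts?"""
    allowed = parse_http_methods(conf)
    samples = {"head": HEAD_REQUEST, "get": GET_REQUEST,
               "fragment": FRAGMENT, "bogus": BOGUS}
    return {name: unknown_method_alert(p, allowed) for name, p in samples.items()}


if __name__ == "__main__":
    for label, conf in (("default", CONF_DEFAULT), ("http_methods set", CONF_FIXED)):
        print(f"{label:17s} {evaluate(conf)}")
```

Under CONF_DEFAULT the HEAD request alerts alongside the bogus method; under CONF_FIXED only the bogus method and the fragment do, which matches the two separate problems in the thread: the first is a configuration gap, the second is the preprocessor bug. Until that fix ships, the fragment alerts can be silenced in Snort 2.x with a `suppress gen_id 119, sig_id 31` line in threshold.conf, at the cost of also losing the true positives the rule exists for.
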
-----Original Message-----
From: katwell80 at ...3276... [mailto:katwell80 at ...3276...] 
Sent: Wednesday, June 17, 2015 7:05 PM
To: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] False Snort Alert [119:31:1] triggering



Hello

I didn't have it in the config; it was the default config I got installed and there was no http_methods defined. I just added http_methods { GET POST HEAD PUT CONNECT }, which hopefully will clean up some errors but only fixes one of the problems. What remains is the alerting on websocket packets and on fragments like
0000000: 48 6f 73 74 3a 20 67 6f 6f 67 6c 65 2e  64 65 0a Host:.google.de.
in my example...


Carter Waxman (cwaxman) <cwaxman at ...3461...> wrote on Wednesday, 17 June 2015 at 14:30:
In your config for preprocessor http_inspect_server, do you have the HEAD
method included in the http_methods option? This rule should trigger iff
the method is not POST, is not GET, and is not in that list.

Thanks,
Carter


On 6/17/15, 4:27 AM, "katwell80 at ...3276..." <katwell80 at ...3276...> wrote:

>Hello
>
>My snort triggers bogus alerts from http preprocessor
>
>Assigned rule:
>alert (msg: "HI_CLIENT_UNKNOWN_METHOD"; sid: 31; gid: 119; rev: 1;
>metadata: rule-type preproc ;)
>
>It claims that the HTTP request contains unknown methods; however, it doesn't.
>
>A packet that triggered this error shows as following:
>
>00000000: 48 45 41 44 20 2F 76 31  31 2F 32 2F 77 69 6E 64  HEAD /v11/2/wind
>00000010: 6F 77 73 75 70 64 61 74  65 2F 72 65 64 69 72 2F  owsupdate/redir/
>00000020: 76 36 2D 77 69 6E 37 73  70 31 2D 77 75 72 65 64  v6-win7sp1-wured
>00000030: 69 72 2E 63 61 62 3F 31  35 30 36 31 37 30 37 35  ir.cab?150617075
>00000040: 33 20 48 54 54 50 2F 31  2E 31 0D 0A 43 6F 6E 6E  3 HTTP/1.1..Conn
>00000050: 65 63 74 69 6F 6E 3A 20  4B 65 65 70 2D 41 6C 69  ection: Keep-Ali
>00000060: 76 65 0D 0A 41 63 63 65  70 74 3A 20 2A 2F 2A 0D  ve..Accept: */*.
>00000070: 0A 55 73 65 72 2D 41 67  65 6E 74 3A 20 57 69 6E  .User-Agent: Win
>00000080: 64 6F 77 73 2D 55 70 64  61 74 65 2D 41 67 65 6E  dows-Update-Agen
>00000090: 74 0D 0A 48 6F 73 74 3A  20 64 73 2E 64 6F 77 6E  t..Host: ds.down
>000000A0: 6C 6F 61 64 2E 77 69 6E  64 6F 77 73 75 70 64 61  load.windowsupda
>000000B0: 74 65 2E 63 6F 6D 0D 0A  0D 0A                    te.com....
>
>This is, by all means, a valid HTTP-Request, isn't it? I wonder what
>makes the preproc startle here
>
>Additionally, the alert is triggered on websocket requests; obviously the
>preprocessor fails to recognize valid websockets.
>
>Furthermore it seems that some of these errors are triggered by
>fragmented packets, as payloads as such appear in snorby
>
>
>0000000: 48 6f 73 74 3a 20 67 6f 6f 67 6c 65 2e  64 65 0a Host:.google.de.
>With these protocol headers
>
>IP-Header: | ip_hlen: 5 | ip_csum: 23323 | ip_off: 0 | ip_flags: 0 | ip_ttl: 63 | ip_proto: 6 | ip_ver: 4 | ip_id: 7195 | ip_tos: 0 | ip_len: 68 |
>TCP-Header: | tcp_flags: 24 | tcp_win: 29200 | tcp_ack: 2362165352 | tcp_seq: 1888033555 | tcp_csum: 12589 | tcp_urp: 0 | tcp_res: 0 | tcp_off: 8 | tcp_dport: 80 | tcp_sport: 56953 |
>
>
>I think this is not valid HTTP but a fragment of a valid longer request.
>Now it would be great to have a rule that detects violations of the
>HTTP protocol, as malicious code could be used in an attack or DoS;
>however, the amount of false positives this rule raises makes it
>completely useless.
>Configuration:
>
>Running in Rule Dump mode
>
>--== Initializing Snort ==--
>Initializing Output Plugins!
>Initializing Preprocessors!
>Initializing Plug-ins!
>Parsing Rules file "/etc/snort/snort-br1.conf"
>PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414 1830
>2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088
>8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
>PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
>PortVar 'SSH_PORTS' defined :  [ 22 ]
>PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
>PortVar 'FILE_DATA_PORTS' defined :  [ 20:21 ]
>PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
>Detection:
>Search-Method = AC-Full-Q
>Split Any/Any group = enabled
>Search-Method-Optimizations = enabled
>Maximum pattern length = 20
>Tagged Packet Limit: 256
>Loading dynamic engine
>/usr/local/lib/snort_dynamicengine/libsf_engine.so... done
>Loading all dynamic preprocessor libs from
>/usr/local/lib/snort_dynamicpreprocessor/...
>Loading dynamic preprocessor library
>/usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
>Loading dynamic preprocessor library
>/usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>Loading dynamic preprocessor library
>/usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>Loading dynamic preprocessor library
>/usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
>Loading dynamic preprocessor library
>/usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
>Loading dynamic preprocessor library
>/usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
>Loading dynamic preprocessor library
>/usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
>done
>Loading dynamic preprocessor library
>/usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
>Loading dynamic preprocessor library
>/usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>Loading dynamic preprocessor library
>/usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
>Loading dynamic preprocessor library
>/usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>Loading dynamic preprocessor library
>/usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
>Loading dynamic preprocessor library
>/usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
>Loading dynamic preprocessor library
>/usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
>done
>Finished Loading all dynamic preprocessor libs from
>/usr/local/lib/snort_dynamicpreprocessor/
>Log directory = /var/log/snort/br1
>WARNING: ip4 normalizations disabled because not inline.
>WARNING: tcp normalizations disabled because not inline.
>WARNING: icmp4 normalizations disabled because not inline.
>WARNING: ip6 normalizations disabled because not inline.
>WARNING: icmp6 normalizations disabled because not inline.
>Frag3 global config:
>Max frags: 65536
>Fragment memory cap: 4194304 bytes
>Frag3 engine config:
>Bound Address: default
>Target-based policy: WINDOWS
>Fragment timeout: 180 seconds
>Fragment min_ttl:  1
>Fragment Anomalies: Alert
>Overlap Limit:    10
>Min fragment Length:    100
>Max Expected Streams: 768
>Stream global config:
>Track TCP sessions: ACTIVE
>Max TCP sessions: 262144
>TCP cache pruning timeout: 30 seconds
>TCP cache nominal timeout: 3600 seconds
>Memcap (for reassembly packet storage): 8388608
>Track UDP sessions: ACTIVE
>Max UDP sessions: 131072
>UDP cache pruning timeout: 30 seconds
>UDP cache nominal timeout: 180 seconds
>Track ICMP sessions: INACTIVE
>Track IP sessions: INACTIVE
>Log info if session memory consumption exceeds 1048576
>Send up to 2 active responses
>Wait at least 5 seconds between responses
>Protocol Aware Flushing: ACTIVE
>Maximum Flush Point: 16384
>Stream TCP Policy config:
>Bound Address: default
>Reassembly Policy: WINDOWS
>Timeout: 180 seconds
>Limit on TCP Overlaps: 10
>Maximum number of bytes to queue per session: 1048576
>Maximum number of segs to queue per session: 2621
>Options:
>Require 3-Way Handshake: YES
>3-Way Handshake Timeout: 180
>Detect Anomalies: YES
>Reassembly Ports:
>21 client (Footprint)
>22 client (Footprint)
>23 client (Footprint)
>25 client (Footprint)
>42 client (Footprint)
>53 client (Footprint)
>79 client (Footprint)
>80 client (Footprint) server (Footprint)
>81 client (Footprint) server (Footprint)
>109 client (Footprint)
>110 client (Footprint)
>111 client (Footprint)
>113 client (Footprint)
>119 client (Footprint)
>135 client (Footprint)
>136 client (Footprint)
>137 client (Footprint)
>139 client (Footprint)
>143 client (Footprint)
>161 client (Footprint)
>additional ports configured but not printed.
>Stream UDP Policy config:
>Timeout: 180 seconds
>HttpInspect Config:
>GLOBAL CONFIG
>Detect Proxy Usage:     NO
>IIS Unicode Map Filename: /etc/snort/unicode.map
>IIS Unicode Map Codepage: 1252
>Memcap used for logging URI and Hostname: 150994944
>Max Gzip Memory: 838860
>Max Gzip Sessions: 2723
>Gzip Compress Depth: 65535
>Gzip Decompress Depth: 65535
>DEFAULT SERVER CONFIG:
>Server profile: All
>Ports (PAF): 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128
>3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181
>8243 8280 8888 9090 9091 9443 9999 11371
>Server Flow Depth: 0
>Client Flow Depth: 0
>Max Chunk Length: 500000
>Max Header Field Length: 1500
>Max Number Header Fields: 100
>Max Number of WhiteSpaces allowed with header folding: 200
>Inspect Pipeline Requests: YES
>URI Discovery Strict Mode: NO
>Allow Proxy Usage: NO
>Disable Alerting: NO
>Oversize Dir Length: 1000
>Only inspect URI: NO
>Normalize HTTP Headers: NO
>Inspect HTTP Cookies: YES
>Inspect HTTP Responses: YES
>Extract Gzip from responses: YES
>Decompress response files:
>Unlimited decompression of gzip data from responses: YES
>Normalize Javascripts in HTTP Responses: NO
>Normalize HTTP Cookies: NO
>Enable XFF and True Client IP: NO
>Log HTTP URI data: NO
>Log HTTP Hostname data: NO
>Extended ASCII code support in URI: NO
>Ascii: YES alert: NO
>Double Decoding: YES alert: NO
>%U Encoding: YES alert: YES
>Bare Byte: YES alert: NO
>UTF 8: YES alert: NO
>IIS Unicode: YES alert: NO
>Multiple Slash: YES alert: NO
>IIS Backslash: YES alert: NO
>Directory Traversal: YES alert: NO
>Web Root Traversal: YES alert: NO
>Apache WhiteSpace: YES alert: NO
>IIS Delimiter: YES alert: NO
>IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>Whitespace Characters: 0x09 0x0b 0x0c 0x0d
>rpc_decode arguments:
>Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776
>32777 32778 32779 
>alert_fragments: INACTIVE
>alert_large_fragments: INACTIVE
>alert_incomplete: INACTIVE
>alert_multiple_requests: INACTIVE
>Portscan Detection Config:
>Detect Protocols:  TCP UDP ICMP IP
>Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
>Sensitivity Level: Low
>Memcap (in bytes): 10000000
>Number of Nodes:  21598
>Dumping dynamic rules...
>Finished dumping dynamic rules.
>Snort exiting
>
>root at ...3583...:~# snort --version
>
>,,_    -*> Snort! <*-
>o"  )~  Version 2.9.7.3 GRE (Build 217)
>''''   By Martin Roesch & The Snort Team:
>http://www.snort.org/contact#team
>Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
>Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>Using libpcap version 1.1.1
>Using PCRE version: 8.12 2011-01-15
>Using ZLIB version: 1.2.3.4
>
>--------------------------------------------------------------------------
>----
>_______________________________________________
>Snort-devel mailing list
>Snort-devel at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-devel
>Archive:
>http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
>Please visit http://blog.snort.org for the latest news about Snort!
