[Snort-sigs] stream4

Giles Coochey g.coochey at ...138...
Sun Sep 30 22:02:01 EDT 2001

Hi Marcus,

I am no expert with snort (yet), but on UNIX this may be possible by forcing
the interface you are listening on out of promiscuous mode after Snort has
been started. I'm not sure whether it would work, but the idea is that snort
will only get passed traffic destined to your PC.

Another option is to use a switch, instead of a hub. Depending on your role
in the Network that your host is on this may or may not be easy the network
topology may also be an issue. Switches have got pretty cheap over recent
years and some low feature models can now be purchased for under $100. The
Netgear FS108 comes to mind. This works by only sending traffic to the MAC
address of the host present on a given port, and would also act as a filter.
This solution will also be Operating System Independent, which is probably
my best advice to you as you are a Win32 user. (It would also improve
network performance by taking you out of a CSMA/CD domain).

Another possibility, if you were using Linux, would be to use iptables, or
perhaps another firewall product (for Windows). This would work along the
same lines... filtering out traffic which isn't destined for your host,
before the snort pre-processor got a look at it. Obviously this assumes that
your host is not also acting as a gateway...

Also... what is your $HOME_NET set to? I'm not sure this does affect the
stream4 pre-processor, and agree that it would be nice to be able to filter
these out, I've had similar problems with spp_portscan... and hope that a
feature may be introduced where we can be more selective on what generates
alerts at the pre-processor level. I'm concentrating on getting snortsnarf
working good so that all the data can be sorted and placed on a web site...
I'm hoping this will reduce the amount of time I spend browsing through the
alert files.

Hope this has been some help, and I hope I'm not out of place submitting
this to the list as well as to Marcus.



-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of Marcus
Sent: 01 October 2001 05:02
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] stream4

I've got an issue with the stream4 preprocessor and the area I'm trying
to monitor.  I just want snort to report on network activity to/from the
computer it's running on, and I'm able to do that for the regular rules,
but the preprocessors (most annoyingly stream4) are bothering me with
traffic that doesn't concern me (i.e. it's from and to ip addresses that
are from other devices on the LAN, and are neither to nor from me).  Is
there a way to have stream4 only alert me of traffic to/from me?  I
tried putting noalerts in stream4_reassemble so I wouldn't get any
alerts from stream4 at all, but it still kept sending me alerts.
Particularly annoying is that it reports "spp_stream4: STEALTH ACTIVITY
(Vecna scan) detection" frequently whenever anybody on my LAN who is
using the fasttrak/kazaa/morpheus filesharing service gets connected to
by another fasttrak/kazaa/morpheus client (incidentally, this particular
service only connects port 1214, which could be useful for keeping snort
from alerting me whenever I'm using one of these services).  So is there
any way to only be bothered by attacks on me, not attacks to anywhere on
my LAN?  I don't want to disable alerts from other computers on my LAN
to me, only alerts that don't involve me at all.  I've tried running it
with promiscuous node turned off, but then it didn't detect anything at
all, and snort never used any cpu.

I'm using snort 1.8.1b79 win32 static with the default ruleset, somewhat
modified.  I'm launching it with idscenter 1.08d, the commandline is
C:\Stuff\Snort\snort.exe -c C:\Stuff\Snort\snort.conf -l
C:\Stuff\Snort\logs -N -A full -h myipremoved/32 -i 1 -o -G url
My stream4 related settings are
preprocessor stream4: detect_scans,memcap 33554432
preprocessor stream4_reassemble: clientonly,ports 21 23 25 63 80 143 110
111 513 9874 9875 9876 9877

Help would be greatly appreciated.


Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list