[Snort-sigs] Snort 2.8.6 and gzip decoding functionality not working for me

Jason Wallace jason.r.wallace at ...2420...
Thu May 6 08:37:57 EDT 2010


Matt and Matt,

"Seems strange that port 80 would be in client only by default"

I noticed that in the snort-2.8.6 config a lot of ports were listed in
client only. Is there any guidance you can provide for determining
what ports should be both/client/server? For example, 22 is in client.
Does this affect the ability to disregard encrypted traffic with the
ssh preprocessor? I believe that's the case with ssl. How about the
netbios ports listed as client and dcerpc2? I would think that, for
preprocessors dedicated to a type of traffic (http/ssl/dcerpc2/ftp/dns),
those ports would need to be in "both" to ensure the preprocessor
works correctly. Is this true?

Wally


On Wed, May 5, 2010 at 5:45 PM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt at ...2420...> wrote:
> Hello.  Thanks Matt, that did the trick.  I suppose I need to read up
> on the streams preprocessor now.  Seems strange that port 80 would be
> in client only by default, especially now that gzip decompress is
> possible with snort.
>
> Thanks again.
>
> Cheers.
>
> -L0rd Ch0de1m0r
>
> On Tue, May 4, 2010 at 4:01 PM, Matt Watchinski
> <mwatchinski at ...435...> wrote:
>> Looks like you only have 80 on ports client, remove it from there and
>> add it to both.
>>
>> Something like.
>>
>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
>> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>>   overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>>   ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
>>       161 445 513 514 587 593 691 1433 1521 2100 3306 6665 6666 6667 6668 6669 \
>>       7000 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
>>   ports both 80 443 465 563 636 989 992 993 994 995 1220 2301 3128 6907 7702 7777 7779 7801 7900 7901 7902 7903 7904 7905 \
>>       7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 8000 8008 8028 8080 8180 8888 9999
>> preprocessor stream5_udp: timeout 180
>>
>> Cheers,
>> -matt
>>
>> On Tue, May 4, 2010 at 4:31 PM, L0rd Ch0de1m0rt
>> <l0rdch0de1m0rt at ...2420...> wrote:
>>> Matts, thanks for the responses.  Using the config options that
>>> Watchinski provided yielded the same results as initially described.
>>> Bhagya, I think I have streams enabled; please correct me if I am
>>> wrong:
>>>
>>> # cat /etc/snort/snort.conf | grep -i -A 10 stream
>>> # Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
>>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
>>> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>>>   overlap_limit 10, check_session_hijacking, small_segments 3 bytes 150, timeout 180, \
>>>   ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 139 143 110 \
>>>      111 161 445 513 514 691 1220 1433 1521 2100 2301 3128 3306 6665 6666 6667 6668 6669 \
>>>      7000 8000 8080 8180 8888 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
>>>   ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 \
>>>      7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920
>>> preprocessor stream5_udp: timeout 180
>>>
>>> # performance statistics.  For more information, see the Snort Manual,
>>> Configuring Snort - Preprocessors - Performance Monitor
>>> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
>>>
>>> # HTTP normalization and anomaly detection.  For more information, see README.http_inspect
>>> # preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480
>>> preprocessor http_inspect_server: server default \
>>>   apache_whitespace no \
>>>   ascii no \
>>>
>>>
>>> As for pcaps, yes they can be provided but I have looked in to them
>>> myself and have confirmed the behaviour described.  I am concerned
>>> about anonymizing them since the google javascript data may contain
>>> PII in the URI and/or cookies.  Do you know of a good site that uses
>>> gzip without PII that I can use to test and give you pcaps?
>>>
>>> Thanks again.
>>>
>>> Cheers,
>>>
>>> -L0rd Ch0de1m0rt
>>>
>>> On Tue, May 4, 2010 at 3:18 PM, Bhagya Bantwal <bbantwal at ...435...> wrote:
>>>> Turning on stream reassembly might be useful too.
>>>>
>>>> Do you have a pcap we could look into?
>>>>
>>>>
>>>> -B
>>>>
>>>> On Tue, May 4, 2010 at 3:40 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...3444...0...>
>>>> wrote:
>>>>>
>>>>> Hello.  I am experimenting with snort v2.8.6 and hope to benefit from
>>>>> its gzip decoding capabilities.  However, I have been unsuccessful so
>>>>> far in getting it to work.  I am fetching a javascript file from
>>>>> google and clearly it is encoding it using gzip.  This rule alerts me:
>>>>>
>>>>> alert tcp any any -> any any (msg:"gzip encoding detected from server"; flow:established,from_server; content:"|0d 0a|Content-Encoding: gzip|0d 0a|"; nocase; classtype:attempted-user; sid:3141591; rev:1;)
>>>>>
>>>>> BUT this rule does not alert when it is clearly in the gzip decoded data:
>>>>>
>>>>> alert tcp any any -> any any (msg:"detected on gzip decoded data from Google"; flow:established,from_server; content:"google.isOpera=false"; nocase; classtype:attempted-user; sid:3141592; rev:1;)
>>>>>
>>>>> I am using the defaults for the gzip portion of the http_inspect
>>>>> preprocessor and the content trying to be matched
>>>>> (google.isOpera=false) is in the first few hundred bytes of the data.
>>>>> Here is my snort.conf http_inspect details:
>>>>>
>>>>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>>>>> preprocessor http_inspect_server: server default \
>>>>>   apache_whitespace no \
>>>>>   ascii no \
>>>>>   bare_byte no \
>>>>>   chunk_length 500000 \
>>>>>   server_flow_depth 0 \
>>>>>   client_flow_depth 0 \
>>>>>   post_depth 65495 \
>>>>>   directory no \
>>>>>   double_decode no \
>>>>>   iis_backslash no \
>>>>>   iis_delimiter no \
>>>>>   iis_unicode no \
>>>>>   multi_slash no \
>>>>>   non_strict \
>>>>>   oversize_dir_length 500 \
>>>>>   ports { 80 1220 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 } \
>>>>>   u_encode yes \
>>>>>   non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>>>>   webroot no \
>>>>>   extended_response_inspection \
>>>>>   inspect_gzip
>>>>>
>>>>> I configured snort with --enable-zlib before I compiled and I get this
>>>>> on snort startup:
>>>>>
>>>>> Using ZLIB version: 1.2.3.3
>>>>>
>>>>> What am I doing wrong here?  Thanks for any help.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> -L0rd Ch0de1m0rt
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> _______________________________________________
>>>>> Snort-sigs mailing list
>>>>> Snort-sigs at lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>>
>>>>
>>>
>>
>>
>>
>> --
>> Matthew Watchinski
>> Sr. Director Vulnerability Research Team (VRT)
>> Sourcefire, Inc.
>> Office: 410-423-1928
>> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>>
>
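The fix Matt Watchinski gives above comes down to one rule: http_inspect can only hand a gzip-decoded response body to the detection engine if stream5 reassembles the server-to-client side of the flow, so every port in http_inspect_server's `ports { ... }` has to appear under `ports both` (or `ports server`) in stream5_tcp, not only under `ports client`. The script below is an added example written for this note, not code from Snort or from anyone in the thread. It parses the single-policy, backslash-continued form of the two preprocessor lines quoted in the thread, reports HTTP ports whose server side is not reassembled, and prints the corrected `ports client` / `ports both` lists. The embedded configuration is a constructed sample modelled on the quoted configs; the parser does not handle multiple `stream5_tcp` policies (`bind_to`) or `config` directives.

```python
"""Check a Snort 2.x snort.conf for HTTP ports that http_inspect inspects but
stream5 does not reassemble on the server side (so inspect_gzip never sees
the response body). Example code written for this note, not part of Snort."""
import re

# Constructed sample, modelled on the configs quoted in the thread (not a real file).
SAMPLE_CONF = r"""
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
  overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
  ports client 21 22 23 25 53 80 8080, \
  ports both 443 8000
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480
preprocessor http_inspect_server: server default \
  ports { 80 8000 8080 8888 } \
  server_flow_depth 0 \
  extended_response_inspection \
  inspect_gzip
"""


def join_continuations(text):
    """Merge backslash-continued lines so each preprocessor directive is one logical line."""
    return re.sub(r"\\[ \t]*\n", " ", text)


def parse_stream5_tcp_ports(conf):
    """Return {'client': set, 'server': set, 'both': set} taken from stream5_tcp."""
    result = {"client": set(), "server": set(), "both": set()}
    for line in join_continuations(conf).splitlines():
        line = line.strip()
        if not line.startswith("preprocessor stream5_tcp:"):
            continue
        # Each list runs until the comma that ends the option (or end of line).
        for m in re.finditer(r"ports\s+(client|server|both)\s+([\d\s]+)", line):
            result[m.group(1)].update(int(p) for p in m.group(2).split())
    return result


def parse_http_inspect_server(conf):
    """Return (set of ports http_inspect_server inspects, whether inspect_gzip is set)."""
    ports, gzip_enabled = set(), False
    for line in join_continuations(conf).splitlines():
        line = line.strip()
        if not line.startswith("preprocessor http_inspect_server:"):
            continue
        m = re.search(r"ports\s*\{([^}]*)\}", line)
        if m:
            ports.update(int(p) for p in m.group(1).split())
        if re.search(r"\binspect_gzip\b", line):
            gzip_enabled = True
    return ports, gzip_enabled


def find_unreassembled_http_ports(conf):
    """Map each HTTP port whose server->client side stream5 will not reassemble
    to the reason: 'client only' (listed under ports client) or 'not tracked'."""
    s5 = parse_stream5_tcp_ports(conf)
    http_ports, _ = parse_http_inspect_server(conf)
    problems = {}
    for port in sorted(http_ports):
        if port in s5["both"] or port in s5["server"]:
            continue  # server side reassembled: decoded gzip bodies reach http_inspect
        problems[port] = "client only" if port in s5["client"] else "not tracked"
    return problems


def fixed_stream5_ports(conf):
    """Apply the thread's fix: move every flagged port out of 'client' and into 'both'."""
    s5 = parse_stream5_tcp_ports(conf)
    for port in find_unreassembled_http_ports(conf):
        s5["client"].discard(port)
        s5["both"].add(port)
    return s5


if __name__ == "__main__":
    _, gzip_on = parse_http_inspect_server(SAMPLE_CONF)
    if not gzip_on:
        print("warning: http_inspect_server has no inspect_gzip; bodies will not be decoded")
    for port, why in find_unreassembled_http_ports(SAMPLE_CONF).items():
        print(f"port {port}: http_inspect inspects it but stream5 tracks it {why}; "
              "gzip response bodies will not be decoded")
    fixed = fixed_stream5_ports(SAMPLE_CONF)
    print("suggested stream5_tcp lists:")
    print("  ports client", *sorted(fixed["client"]), ", \\")
    print("  ports both", *sorted(fixed["both"]))
```

Run it against a real snort.conf by replacing SAMPLE_CONF with the file's contents; any port it reports as "client only" is the situation L0rd Ch0de1m0rt hit with port 80, and "not tracked" means the port is missing from stream5_tcp entirely, so neither direction is reassembled.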