[Snort-sigs] Snort 2.8.6 and gzip decoding functionality not working for me

Matt Olney molney at ...435...
Thu May 6 08:57:14 EDT 2010


Guys,

In the latest subscriber rulepack, we have a new recommended
configuration.  I'm going to go ahead and attach it here, as the
intent isn't to restrict access to it, it's just a by-product of our
rules publishing process.  But as part of that new conf is this
stream5 block:

# Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
   overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
    ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
        161 445 513 514 587 593 691 1433 1521 2100 3306 6665 6666 6667 6668 6669 \
        7000 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
    ports both 80 443 465 563 636 989 992 993 994 995 1220 2301 3128 6907 7702 7777 7779 7801 7900 7901 7902 7903 7904 7905 \
        7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 8000 8008 8028 8080 8180 8888 9999
preprocessor stream5_udp: timeout 180


Let me know if you have any questions on it,

Matt

On Thu, May 6, 2010 at 8:37 AM, Jason Wallace <jason.r.wallace at ...2420...> wrote:
> Matt and Matt,
>
> "Seems strange that port 80 would be in client only by default"
>
> I noticed that in the snort-2.8.6 config a lot of ports were listed in
> client only. Is there any guidance you can provide for determining
> what ports should be both/client/server? For example 22 is in client.
> Does this affect the ability to disregard encrypted traffic with the
> ssh preprocessor? I believe that's the case with ssl. How about the
> netbios ports listed as client and dcerpc2? I would think that for
> preprocessors dedicated to a type of traffic http/ssl/dcerpc2/ftp/dns
> that those ports would need to be in "both" to ensure the preprocessor
> works correctly. Is this true?
>
> Wally
>
>
> On Wed, May 5, 2010 at 5:45 PM, L0rd Ch0de1m0rt
> <l0rdch0de1m0rt at ...2420...> wrote:
>> Hello.  Thanks Matt, that did the trick.  I suppose I need to read up
>> on the streams preprocessor now.  Seems strange that port 80 would be
>> in client only by default, especially now that gzip decompress is
>> possible with snort.
>>
>> Thanks again.
>>
>> Cheers.
>>
>> -L0rd Ch0de1m0r
>>
>> On Tue, May 4, 2010 at 4:01 PM, Matt Watchinski
>> <mwatchinski at ...435...> wrote:
>>> Looks like you only have 80 on ports client, remove it from there and
>>> add it to both.
>>>
>>> Something like:
>>>
>>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
>>> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>>>   overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>>>    ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
>>>        161 445 513 514 587 593 691 1433 1521 2100 3306 6665 6666 6667 6668 6669 \
>>>        7000 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
>>>    ports both 80 443 465 563 636 989 992 993 994 995 1220 2301 3128 6907 7702 7777 7779 7801 7900 7901 7902 7903 7904 7905 \
>>>        7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 8000 8008 8028 8080 8180 8888 9999
>>> preprocessor stream5_udp: timeout 180
>>>
>>> Cheers,
>>> -matt
>>>
>>> On Tue, May 4, 2010 at 4:31 PM, L0rd Ch0de1m0rt
>>> <l0rdch0de1m0rt at ...2420...> wrote:
>>>> Matts, thanks for the responses.  Using the config options that
>>>> Watchinski provided yielded the same results as initially described.
>>>> Bhagya, I think I have streams enabled; please correct me if I am
>>>> wrong:
>>>>
>>>> # cat /etc/snort/snort.conf | grep -i -A 10 stream
>>>> # Target-Based stateful inspection/stream reassembly.  For more
>>>> inforation, see README.stream5
>>>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp
>>>> yes, track_icmp no
>>>> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>>>>   overlap_limit 10, check_session_hijacking, small_segments 3 bytes
>>>> 150, timeout 180, \
>>>>   ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136
>>>> 137 139 143 110 \
>>>>      111 161 445 513 514 691 1220 1433 1521 2100 2301 3128 3306 6665
>>>> 6666 6667 6668 6669 \
>>>>      7000 8000 8080 8180 8888 32770 32771 32772 32773 32774 32775
>>>> 32776 32777 32778 32779, \
>>>>   ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901
>>>> 7902 7903 7904 7905 \
>>>>      7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920
>>>> preprocessor stream5_udp: timeout 180
>>>>
>>>> # performance statistics.  For more information, see the Snort Manual,
>>>> Configuring Snort - Preprocessors - Performance Monitor
>>>> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
>>>>
>>>> # HTTP normalization and anomaly detection.  For more information, see
>>>> README.http_inspect
>>>> # preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>>>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>>>> compress_depth 20480 decompress_depth 20480
>>>> preprocessor http_inspect_server: server default \
>>>>   apache_whitespace no \
>>>>   ascii no \
>>>>
>>>> As for pcaps, yes they can be provided but I have looked into them
>>>> myself and have confirmed the behaviour described.  I am concerned
>>>> about anonymizing them since the google javascript data may contain
>>>> PII in the URI and/or cookies.  Do you know of a good site that uses
>>>> gzip without PII that I can use to test and give you pcaps?
>>>>
>>>> Thanks again.
>>>>
>>>> Cheers,
>>>>
>>>> -L0rd Ch0de1m0rt
>>>>
>>>> On Tue, May 4, 2010 at 3:18 PM, Bhagya Bantwal <bbantwal at ...435...> wrote:
>>>>> Turning on stream reassembly might be useful too.
>>>>>
>>>>> Do you have a pcap we could look into?
>>>>>
>>>>>
>>>>> -B
>>>>>
>>>>> On Tue, May 4, 2010 at 3:40 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...3371...20...>
>>>>> wrote:
>>>>>>
>>>>>> Hello.  I am experimenting with snort v2.8.6 and hope to benefit from
>>>>>> its gzip decoding capabilities.  However, I have been unsuccessful so
>>>>>> far in getting it to work.  I am fetching a javascript file from
>>>>>> google and clearly it is encoding it using gzip.  This rule alerts me:
>>>>>>
>>>>>> alert tcp any any -> any any (msg:"gzip encoding detected from server"; flow:established,from_server; content:"|0d 0a|Content-Encoding: gzip|0d 0a|"; nocase; classtype:attempted-user; sid:3141591; rev:1;)
>>>>>>
>>>>>> BUT this rule does not alert when it is clearly in the gzip decoded data:
>>>>>>
>>>>>> alert tcp any any -> any any (msg:"detected on gzip decoded data from Google"; flow:established,from_server; content:"google.isOpera=false"; nocase; classtype:attempted-user; sid:3141592; rev:1;)
>>>>>>
>>>>>> I am using the defaults for the gzip portion of the http_inspect
>>>>>> preprocessor and the content trying to be matched
>>>>>> (google.isOpera=false) is in the first few hundred bytes of the data.
>>>>>> Here is my snort.conf http_inspect details:
>>>>>>
>>>>>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>>>>>> preprocessor http_inspect_server: server default \
>>>>>>   apache_whitespace no \
>>>>>>   ascii no \
>>>>>>        bare_byte no \
>>>>>>        chunk_length 500000 \
>>>>>>   server_flow_depth 0 \
>>>>>>   client_flow_depth 0 \
>>>>>>   post_depth 65495 \
>>>>>>        directory no \
>>>>>>        double_decode no \
>>>>>>        iis_backslash no \
>>>>>>        iis_delimiter no \
>>>>>>        iis_unicode no \
>>>>>>        multi_slash no \
>>>>>>        non_strict \
>>>>>>        oversize_dir_length 500 \
>>>>>>        ports { 80 1220 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 } \
>>>>>>        u_encode yes \
>>>>>>        non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>>>>>>        webroot no \
>>>>>>        extended_response_inspection \
>>>>>>        inspect_gzip
>>>>>>
>>>>>> I configured snort with --enable-zlib before I compiled and I get this
>>>>>> on snort startup:
>>>>>>
>>>>>> Using ZLIB version: 1.2.3.3
>>>>>>
>>>>>> What am I doing wrong here?  Thanks for any help.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> -L0rd Ch0de1m0rt
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> _______________________________________________
>>>>>> Snort-sigs mailing list
>>>>>> Snort-sigs at lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Matthew Watchinski
>>> Sr. Director Vulnerability Research Team (VRT)
>>> Sourcefire, Inc.
>>> Office: 410-423-1928
>>> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>>>
>>
>>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 17941 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20100506/29a3e50d/attachment.obj>
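
Added example, not from this thread, from Sourcefire or from the Snort project: a small Python check for the misconfiguration the thread tracks down, where http_inspect_server has inspect_gzip on for a port that stream5_tcp lists under "ports client" only, so the server's response is never reassembled and the decompressed body never reaches the rules.  The snort.conf fragment is a constructed sample, and the check assumes the config spells out its stream5 and http_inspect port lists explicitly rather than relying on Snort's built-in defaults.

```python
import re

# Constructed snort.conf fragment in the shape of the thread's failing setup: inspect_gzip
# is on for 80/8000/8080, but stream5_tcp lists 80 and 8080 under "ports client" only.
SAMPLE_CONF = """\
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \\
    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \\
    ports client 21 22 23 25 80 8080, \\
    ports both 443 8000
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \\
    ports { 80 8000 8080 } \\
    extended_response_inspection \\
    inspect_gzip
"""

def logical_lines(text):
    """Join backslash-continued lines as snort does; drop comments and blanks."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            out.append(" ".join(buf.split()))
        buf = ""
    return out

def stream5_tcp_ports(lines):
    """Explicit 'ports client/server/both' lists of stream5_tcp (assumed given, not snort defaults)."""
    ports = {"client": set(), "server": set(), "both": set()}
    for line in lines:
        if line.startswith("preprocessor stream5_tcp:"):
            for side, plist in re.findall(r"\bports (client|server|both) ([\d ]+)", line):
                ports[side].update(int(p) for p in plist.split())
    return ports

def gzip_blind_ports(text):
    """Ports where http_inspect would decompress but stream5 never reassembles the server side."""
    lines = logical_lines(text)
    s5 = stream5_tcp_ports(lines)
    reassembled = s5["server"] | s5["both"]  # either setting covers server responses
    blind = set()
    for line in lines:
        if line.startswith("preprocessor http_inspect_server:") and "inspect_gzip" in line.split():
            m = re.search(r"\bports \{([^}]*)\}", line)
            if m:  # no explicit list means http_inspect's own default ports; not modelled here
                blind |= {int(p) for p in m.group(1).split()} - reassembled
    return sorted(blind)  # [80, 8080] for SAMPLE_CONF: move them to "ports both"
```

Run it against a real snort.conf by reading the file into `gzip_blind_ports`; an empty list means every inspect_gzip port has server-side reassembly.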

