[Snort-users] Garbage in snort logs

Andreas Östling andreaso at ...236...
Thu Jan 10 07:45:04 EST 2002


On Wednesday 09 January 2002 06.51, Martin Roesch wrote:
> Hi Russell,
>      I made some tweaks to stream4 tonight that will hopefully clear up
> your problem, check out the latest code from cvs if you're interested
> (the SNORT_1_8 branch, not the 1.9-dev code).  This is build 89.  It now
> fills in the Ethernet headers appropriately and is a little tigher in
> how it puts things together, hopefully it'll clear up your problem.  Let
> me know how it goes.
>
>      -Marty

Hello,

I experience the same problems as Russell from time to time.
I was running 1.8.3 (release version), but unfortunately build 89 did not 
solve all problems. The ethernet headers now seem to be correct, but the 
payload is still messed up.

Example:

01/10-15:17:13.659803 0:30:B6:34:4F:4C -> 0:60:70:E:B8:0 type:0x8 len:0x2C2
x.x.x.x:4271 -> 62.70.3.13:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:692
***AP*** Seq: 0x69F23943  Ack: 0x3DE12400  Win: 0x7AEC  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C  GET /scripts/..\
2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33  ../winnt/system3
32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72  2/cmd.exe?/c+dir
20 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   r r HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....
20 66 72 6F 6D 20 63 63 2E 75 61 62 2E 65 73 20   from cc.uab.es
62 79 20 6B 6C 69 6E 67 6F 6E 2E 75 61 62 2E 65  by klingon.uab.e
73 20 28 41 49 58 20 33 2E 32 2F 55 43 42 20 35  s (AIX 3.2/UCB 5
2E 36 34 2F 34 2E 30 33 29 0D 0A 20 20 20 20 20  .64/4.03)..
20 20 20 20 20 69 64 20 41 41 33 32 34 37 38 3B       id AA32478;
20 54 68 75 2C 20 31 30 20 4A 61 6E 20 32 30 30   Thu, 10 Jan 200
32 20 31 36 3A 30 32 3A 34 38 20 2B 30 31 30 30  2 16:02:48 +0100
0D 0A 52 65 63 65 69 76 65 64 3A 20 66 72 6F 6D  ..Received: from
20 43 4F 4E 56 45 52 53 49 4F 4E 2D 44 41 45 4D   CONVERSION-DAEM
4F 4E 20 62 79 20 63 63 2E 75 61 62 2E 65 73 20  ON by cc.uab.es
28 50 4D 44 46 20 56 35 2E 32 2D 33 32 20 23 31  (PMDF V5.2-32 #1
37 32 31 30 29 0D 0A 20 69 64 20 3C 30 31 4B 43  7210).. id <01KC
57 53 4C 32 58 56 47 57 30 30 30 44 4F 53 40 63  WSL2XVGW000DOS at ...2580...
63 2E 75 61 62 2E 65 73 3E 20 66 6F 72 20 6E 69  c.uab.es> for ni
63 6F 6C 65 40 6B 6C 69 6E 67 6F 6E 2E 75 61 62  cole at ...4522...
2E 65 73 3B 20 54 68 75 2C 0D 0A 20 31 30 20 4A  .es; Thu,.. 10 J
61 6E 20 32 30 30 32 20 31 35 3A 31 37 3A 32 36  an 2002 15:17:26
20 2B 30 31 30 30 20 28 47 4D 54 29 0D 0A 52 65   +0100 (GMT)..Re
...

According to our network session logs, there was indeed a connection from 
x.x.x.x:4271 to 62.70.3.13:80 at that time, but I'm pretty sure it was not a 
request for cmd.exe. The payload after "Connection: close" may be part of the 
correct one. 

I'm running two instances of snort on two different inferfaces under OpenBSD 
3.0-STABLE, with about 300 customized rules.
Snort.conf currently contains the following:

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode

snort -V gives:
-*> Snort! <*-
Version 1.8.3 (Build 89)
By Martin Roesch (roesch at ...1935..., www.snort.org)

This is just a test machine so I'll try to experiment a bit. Any clever 
suggestions about what may be worth trying?
To me it seems like its always those unicode requests that mess things up. 
Could there also be some problem with http_decode?

A quick look tells me that my other Snort boxes did not log the above packet.
One difference I can think of is that the machine logging the packet uses the 
'tag' feature on outgoing cmd.exe requests (among other rules) but the other 
machines does not. Perhaps this has something to do with it? (btw, I strongly 
doubt there was an outgoing request for cmd.exe at all at that time, so the 
cmd.exe part of the packet above is probably from an incoming one, and those 
should not even be logged.)


FYI, this is what it looked like with the release version of 1.8.3:

12/08-17:36:56.021411 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x250
x.x.x.x:1140 -> 207.46.28.135:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:578
***AP*** Seq: 0x6EDF1A08  Ack: 0x176F48  Win: 0x40E8  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
63 30 25 32 66 2E 2E 2F 77 69 6E 6E 74 2F 73 79  c0%2f../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A  c+dir HTTP/1.0..
48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E  Host: www..Connn
65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D  ection: close...
0A 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73  .nnnection: clos
65 0D 0A 0D 0A 03 05 45 5F 00 03 05 45 5F 00 03  e......E_...E_..
05 55 4E 44 3D 22 69 6D 61 67 65 73 2F 74 69 6C  .UND="images/til
65 73 2E 67 69 66 22 20 42 47 43 4F 4C 4F 52 3D  es.gif" BGCOLOR=
22 23 45 43 44 34 39 38 22 20 54 45 58 54 3D 22  "#ECD498" TEXT="
23 36 36 30 30 30 30 22 20 4C 49 4E 4B 3D 22 23  #660000" LINK="#
36 36 30 30 30 30 22 20 41 4C 49 4E 4B 3D 22 23  660000" ALINK="#
38 38 30 30 30 30 22 20 56 4C 49 4E 4B 3D 22 23  880000" VLINK="#
36 36 30 30 30 30 22 20 4D 41 52 47 49 4E 57 49  660000" MARGINWI
44 54 48 3D 22 34 22 20 54 4F 50 4D 41 52 47 49  DTH="4" TOPMARGI
4E 3D 22 31 30 22 20 4C 45 46 54 4D 41 52 47 49  N="10" LEFTMARGI
4E 3D 22 34 22 3E 3C 41 20 4E 41 4D 45 3D 22 74  N="4"><A NAME="t
6F 70 22 3E 0D 0A 0D 0A 3C 6D 61 70 20 6E 61 6D  op">....<map nam
65 3D 22 6E 65 77 2E 6C 6F 67 6F 22 3E 0D 0A 3C  e="new.logo">..<
61 72 65 61 20 73 68 61 70 65 3D 22 72 65 63 74  area shape="rect
22 20 63 6F 6F 72 64 73 3D 22 38 38 2C 30 2C 31  " coords="88,0,1
35 31 2C 36 30 22 20 68 72 65 66 3D 22 68 74 74  51,60" href="htt
70 3A 2F 2F 77 77 77 2E 73 79 6C 76 69 61 2E 73  p://www.sylvia.s
65 2F 22 20 74 61 72 67 65 74 3D 22 5F 62 6C 61  e/" target="_bla
6E 6B 22 3E 0D 0A 3C 61 72 65 61 20 73 68 61 70  nk">..<area shap
65 3D 22 72 65 63 74 22 20 63 6F 6F 72 64 73 3D  e="rect" coords=
22 39 36 2C 37 30 2C 31 35 36 2C 31 30 37 22 20  "96,70,156,107"
68 72 65 66 3D 22 22 3E 0D 0A 3C 61 72 65 61 20  href="">..<area
73 68 61 70 65 3D 22 64 65 66 61 75 6C 74 22 20  shape="default"
6E 6F 68 72 65 66 3E 0D 0A 3C 2F 6D 61 70 3E 0D  nohref>..</map>.
0A 0D 0A 3C 6D 61 70 20 6E 61 6D 65 3D 22 6E 65  ...<map name="ne
77 2E 6D 65 6E 75 22 3E 0D 0A 3C 61 72 65 61 20  w.menu">..<area
73 68 61 70 65 3D 22 72 0D 0A                    shape="r..


(did build 89 solve your problems, Russell?)


/Andreas





More information about the Snort-users mailing list