[Snort-users] Snort Alert description

Michael Pickert Michael.Pickert at ...2435...
Fri Jan 11 00:56:04 EST 2002


Hi,

is there a place where I can find a complete description of all snort
alerts? I have been running snort for 6 months or so, but it's still often
hard to find out what an alert means, because I've been in business for
just a year. Any help would be great!

thanks

Michael Pickert
IT SEMIKRON
m.pickert at ...2435...

>>> snort-users-request at lists.sourceforge.net 10.01.02 22:56:05 >>>


Today's Topics:

   1. Newbie question Snort and Demarc (SkatFiend at ...661...)
   2. Snort Packet Stats (Matt Jonkman)
   3. Re: Garbage in snort logs (Russell Fulton)
   4. Re: Can I 'nice' snort process? (Frank)
   5. Re: 158 Meg snort? (Frank)
   6. Re: Snort core dumped (fwd) (Martin Roesch)
   7. immortal_28 at ...125... (immortal_28 at ...125...)
   8. Re: Newbie question Snort and Demarc (Frank)
   9. RE: Can I 'nice' snort process? (Saad Kadhi)
  10. Re: Snort Packet Stats (Martin Roesch)
  11. Re: Garbage in snort logs (Frank)
  12. Re: Snort Packet Stats (Ashley Thomas)
  13. Re: Re: Garbage in snort logs (Martin Roesch)

--__--__--

Message: 1
From: SkatFiend at ...661... 
Date: Thu, 10 Jan 2002 15:14:26 EST
To: snort-users at lists.sourceforge.net 
Subject: [Snort-users] Newbie question Snort and Demarc



Hi everyone,

I just installed Demarc and mysql and a Win2K box the other day. Everything
seems to be fine except for one major item. When snort starts it is not
loading any rule sets. I used the snort.conf file from another box that has
Snort + ACID with minor adjustments. Each time I start Demarc it appears to
overwrite and rems out the "include" statements for the rules files. So snort
starts correctly, parses the snort.conf file correctly but rules are read.
Can anyone please tell me how this works?????

Thanks in advance.

Cliff



--__--__--

Message: 2
From: "Matt Jonkman" <matt at ...4024...>
To: <snort-users at lists.sourceforge.net>
Date: Thu, 10 Jan 2002 14:39:22 -0600
Subject: [Snort-users] Snort Packet Stats

We're working on our own homegrown snort back-end and want to really
concentrate on having detailed live and trending stats for each sensor.

Is there a way to get the stats that snort dumps when you ^C a non-daemon
instance when you are running as a daemon? If not is there another source of
the running stats we can grab and trend?

Thanks

Matt




I.E these stats:

===============================================================================
Snort analyzed 4444 out of 6034 packets, dropping 1590(26.351%) packets

Breakdown by protocol:                Action Stats:
    TCP: 2494       (41.332%)         ALERTS: 0
    UDP: 108        (1.790%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 102        (1.690%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
         Stream Trackers: 0
          Stream flushes: 0
           Segments used: 0
   Stream4 Memory Faults: 0
===============================================================================
Snort received signal 2, exiting



--__--__--

Message: 3
From: Russell Fulton <R.FULTON at ...3809...>
To: snort-users at lists.sourceforge.net 
Date: 11 Jan 2002 09:43:58 +1300
Subject: [Snort-users] Re: Garbage in snort logs

> From: Andreas =?iso-8859-1?q?=D6stling?= <andreaso at ...236...>
> Hello,
> 
> I experience the same problems as Russell from time to time.
> I was running 1.8.3 (release version), but unfortunately build 89 did not
> solve all problems. The ethernet headers now seem to be correct, but the
> payload is still messed up.
> 
[ snip ]

> This is just a test machine so I'll try to experiment a bit. Any clever
> suggestions about what may be worth trying?
> To me it seems like its always those unicode requests that mess things up.
> Could there also be some problem with http_decode?

Agreed.

> 
> (did build 89 solve your problems, Russell?)

No, my experience mirrors yours.  I'm pleased I'm no longer alone; I was
starting to think I must have been imagining these problems ;-)

Here is some mail I sent to Marty this morning which has some other
ideas on this problem...

Hi Marty,
        I have just been corresponding with Brennan Bakke
<bbakke at ...4534...> who reported finding bits of snort rules in logged
ICMP packets (on the security focus incidents list).  I told him about the
build 89 fixes and suggested that these might fix his problems.  Someone
else pointed out (quite rightly) that the ICMP packets should not go
anywhere near the stream4 preprocessor!

So I wonder if there is a bug somewhere much lower down in the stack
which is mangling some length and causing both these problems.

In my case turning off the stream4 stuff makes these alerts go away
but that does *not* necessarily imply that it is the stream4 stuff
that is causing the problem in the first place.

Cheers, Russell. 


-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand



--__--__--

Message: 4
Date: Thu, 10 Jan 2002 12:35:26 -0800 (PST)
From: Frank <la at ...4425...>
To: snort-users at lists.sourceforge.net 
Subject: Re: [Snort-users] Can I 'nice' snort process?


Have you set your HOME_NET and EXTERNAL_NET variables? If not this is a
likely source of all the CPU use.

Other strategies:

1. Remove rules that don't apply to your systems. If Windows, remove UNIX
   signatures, etc.
2. Reduce the rules that have "any" port number or destination.
3. Reduce the ICMP rules. Do you really need to log all the pings? If so,
   do this on your firewall.

Take a look at the preprocessors, read the docs and make sure you need all
of them enabled.

I had issues with snort's ram usage growing. I disabled:

preprocessor defrag
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384

And enabled:

preprocessor frag2: 16777216, 10
preprocessor stream4: timeout 10, maxbytes 16384


And the problem was solved.

Frank



On Thu, 10 Jan 2002, Tran, John wrote:

> I'm running snort on one of my web servers as a local IDS (don't ask me
> why, let's just go along w/ it for now..) and it takes up massive amounts
> of CPU (40%), which can be expected considering it's a large amount of
> traffic.  It was suggested to me to run 'nice' on the process to throttle
> its CPU usage, but I'm pretty sure throttling snort will cause it to drop
> a lot of packets.
> Is this true?



--__--__--

Message: 5
Date: Thu, 10 Jan 2002 12:36:26 -0800 (PST)
From: Frank <la at ...4425...>
To: snort-users at lists.sourceforge.net 
Subject: Re: [Snort-users] 158 Meg snort?

I found the problem. Wrong preprocessors selected:

I disabled:

preprocessor defrag
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384

And enabled:

preprocessor frag2: 16777216, 10
preprocessor stream4: timeout 10, maxbytes 16384


And the problem was solved.

Frank




On Wed, 9 Jan 2002, Frank wrote:
> 
> I've run snort for two days on a very busy sensor. It now shows 158 Meg
> size. When I restart it's 14 meg.
> 
> 
> System info:
> 
> Snort compiled with mysql and snmp support.
> 
> snort -V
> 
> -*> Snort! <*-
> Version 1.8.3 (Build 88)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
> 
> 
> Linux 2.4.7-10smp #1 SMP Thu Sep 6 17:09:31 EDT 2001 i686 unknown



--__--__--

Message: 6
Date: Thu, 10 Jan 2002 15:49:44 -0500
From: Martin Roesch <roesch at ...1935...>
To: Roman Danyliw <rdd at ...241...>
CC: snort-users at lists.sourceforge.net 
Subject: Re: [Snort-users] Snort core dumped (fwd)

Saw it, loved the format of the report *and* the forum, truly.  Somehow
a patch that we did a while back got messed up and migrated into the
1.8.3 distro (much like ntohs() being added and removed from the ICMP
ID's and sequence numbers about once every 3 months or so).

Anyway, here's the patch:

--- basesnort/decode.h Thu Jan 10 15:47:48 2002
+++ snort/decode.h    Thu Jan 10 12:15:33 2002
@@ -105,7 +105,7 @@
 #define IP_HEADER_LEN           20
 #define TCP_HEADER_LEN          20
 #define UDP_HEADER_LEN          8
-#define ICMP_HEADER_LEN         8
+#define ICMP_HEADER_LEN         4
 
 #define TH_FIN  0x01
 #define TH_SYN  0x02
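Review bot: the `+#define ICMP_HEADER_LEN         4` line changes a decoder length constant from 8 to 4 with no comment saying why, and the cover note admits this same fix has already been lost once ("got messed up and migrated into the 1.8.3 distro"), so an unexplained constant invites the same regression again. Suggest a one-line comment on the define stating that 4 is the size of the fields every ICMP message shares (type, code, checksum) and that anything beyond that must be validated against the packet's actual length, plus a regression check that feeds the report's `ping -c 1 -s 1` echo (the `DgmLen:29` packet above) through `snort -dev` so a future reversion to 8 is caught before release.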


    -Marty


Roman Danyliw wrote:
> 
> ---------- Forwarded Message ----------
> Date: Thursday, January 10, 2002 1:26 PM +0800
> From: Sinbad <securitymail at ...786...>
> To: bugtraq at ...35... 
> Subject: Snort core dumped
> 
> Run snort:
> # snort -dev host 192.168.0.3 and 192.168.0.1
> 
> Ping 192.168.0.1 from 192.168.0.3 with one data byte in the payload:
> # ping -c 1 -s 1 192.168.0.1
> 
> Snort's output is shown below:
> -*> Snort! <*-
> Version 1.8.3 (Build 88)
> By Martin Roesch (roesch at ...1935..., www.snort.org)
> 01/10-11:34:43.898282 0:80:AD:78:83:BB -> 0:E0:18:C4:52:76 type:0x800 len:0x2B
> 192.168.0.3 -> 192.168.0.1 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:29 DF
> Type:8  Code:0  ID:9435   Seq:0  ECHO
> Segmentation fault (core dumped)
> 
> hmm... core dumped!
> 
> while with the '-X' option it works well. :)
> 
> Have you ever seen this happen?
> 
> Regards,
> Sinbad
> 
> ---------- End Forwarded Message ----------
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net 
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users 

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console
appliances
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org 


--__--__--

Message: 7
From: "immortal_28 at ...125..." <immortal_28 at ...125...>
To: <Snort-users at lists.sourceforge.net>
Date: Thu, 10 Jan 2002 19:10:31 -0200
Subject: [Snort-users] immortal_28 at ...125... 



--__--__--

Message: 8
Date: Thu, 10 Jan 2002 12:56:42 -0800 (PST)
From: Frank <la at ...4425...>
To: SkatFiend at ...661... 
cc: snort-users at lists.sourceforge.net 
Subject: Re: [Snort-users] Newbie question Snort and Demarc

You need to let Demarc manage the rules. If you edit the snort.conf
outside of Demarc it will overwrite it.

Frank


On Thu, 10 Jan 2002 SkatFiend at ...661... wrote:

> I just installed Demarc and mysql and a Win2K box the other day. Everything
> seems to be fine except for one major item. When snort starts it is not
> loading any rule sets. I used the snort.conf file from another box that has



--__--__--

Message: 9
Subject: RE: [Snort-users] Can I 'nice' snort process?
From: Saad Kadhi <bsdguy at ...4401...>
To: Tom Sevy <tsevy at ...1701...>
Cc: Snort Users <snort-users at lists.sourceforge.net>
Date: 10 Jan 2002 22:08:49 +0100

On Thu, 2002-01-10 at 20:19, Tom Sevy wrote:
> Can you refer me to any guidelines for tuning the Freebsd kernel in ways
> that would help Snort's performance?
well first thing you should really consider is tuning the snort
configuration itself. tweak logging since file i/o costs some cpu. then
enable softupdates on your partitions. it'll speed up some file system
operations a lot. though softupdates is pretty stable, I'd advise you to
backup the box first thing before enabling it. Next, consider stripping
down the kernel to the minimum. The smaller the kernel is, the faster
your box is. Then get a look at:
http://www.daemonnews.org/200108/benchmark.html 
http://www.freebsd.org/handbook/ 

if you are running short of mbufs, raise NMBCLUSTERS & the like (for the
VM). For a VERY GOOD description of all the tweaking/tuning options a
FreeBSD kernel has & given you have a copy of the source tree, look @:
/usr/src/sys/i386/conf/LINT. each option is explained there. As to what
pertains to snort itself, ask Marty&crew what snort needs to run faster.
it is beyond my knowledge (though I suspect fs i/o, fds, ...etc. the
usual suspects!).

HTH

> 
> -----Original Message-----
> From: Saad Kadhi [mailto:bsdguy at ...4401...] 
> Sent: Thursday, January 10, 2002 1:58 PM
> To: Tran, John
> Cc: 'snort-users at lists.sourceforge.net' 
> Subject: Re: [Snort-users] Can I 'nice' snort process?
> 
> 
> On Thu, 2002-01-10 at 19:03, Tran, John wrote:
> > I'm running snort on one of my web servers as a local IDS (don't ask me
> > why, let's just go along w/ it for now..) and it takes up massive amounts
> > of CPU (40%), which can be expected considering it's a large amount of
> > traffic.  It was suggested to me to run 'nice' on the process to throttle
> > its CPU usage, but I'm pretty sure throttling snort will cause it to drop
> > a lot of packets.
> > Is this true?
> yep at least to my field knowledge. But instead of nice-ing, you could
> log less stuff, tune up your kernel, etc...
> 
> regards.
> 
> -- 
> /Saad --  [bsdguy at ...4401...] 
> [pgp keyid: 35592A6D http://pgp.mit.edu] 
> # buy a geek-in-a-can, point nozzle at technical problem and spray
> # if desesperate degauss your screen. it might solve your pb as well
> 
> 
> 
-- 
/Saad --  [bsdguy at ...4401...] 
[pgp keyid: 35592A6D http://pgp.mit.edu] 
# buy a geek-in-a-can, point nozzle at technical problem and spray
# if desesperate degauss your screen. it might solve your pb as well



--__--__--

Message: 10
Date: Thu, 10 Jan 2002 16:40:44 -0500
From: Martin Roesch <roesch at ...1935...>
To: Matt Jonkman <matt at ...4024...>
CC: snort-users at lists.sourceforge.net 
Subject: Re: [Snort-users] Snort Packet Stats

Send the snort PID a SIGUSR1 and it'll dump stats to the console
(console mode) or syslog (daemon mode).

     -Marty

Matt Jonkman wrote:
> 
> We're working on our own homegrown snort back-end and want to really
> concentrate on having detailed live and trending stats for each sensor.
> 
> Is there a way to get the stats that snort dumps when you ^C a non-daemon
> instance when you are running as a daemon? If not is there another source of
> the running stats we can grab and trend?
> 
> Thanks
> 
> Matt
> 
> I.E these stats:
> 
> ===============================================================================
> Snort analyzed 4444 out of 6034 packets, dropping 1590(26.351%) packets
> 
> Breakdown by protocol:                Action Stats:
>     TCP: 2494       (41.332%)         ALERTS: 0
>     UDP: 108        (1.790%)          LOGGED: 0
>    ICMP: 0          (0.000%)          PASSED: 0
>     ARP: 0          (0.000%)
>    IPv6: 0          (0.000%)
>     IPX: 0          (0.000%)
>   OTHER: 102        (1.690%)
> DISCARD: 0          (0.000%)
> ===============================================================================
> Fragmentation Stats:
> Fragmented IP Packets: 0          (0.000%)
>     Fragment Trackers: 0
>    Rebuilt IP Packets: 0
>    Frag elements used: 0
> Discarded(incomplete): 0
>    Discarded(timeout): 0
>   Frag2 memory faults: 0
> ===============================================================================
> TCP Stream Reassembly Stats:
>         TCP Packets Used: 0          (0.000%)
>          Stream Trackers: 0
>           Stream flushes: 0
>            Segments used: 0
>    Stream4 Memory Faults: 0
> ===============================================================================
> Snort received signal 2, exiting
> 

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console
appliances
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org 
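Marty's SIGUSR1 answer together with the stats dump Matt pasted, as an added example that is not from this thread or from the Snort project: a small Python helper that signals a running snort daemon for a stats dump and parses the block into counters a trending back-end can diff between intervals. The pidfile path and the function names are assumptions; the embedded stats text is a constructed copy of the dump quoted above.

```python
import os
import re
import signal

# Constructed sample: the stats block quoted in this thread (Snort 1.8.3), kept
# inline so the parser can be exercised offline.
SAMPLE_STATS = """\
Snort analyzed 4444 out of 6034 packets, dropping 1590(26.351%) packets
Breakdown by protocol:                Action Stats:
    TCP: 2494       (41.332%)         ALERTS: 0
    UDP: 108        (1.790%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
  OTHER: 102        (1.690%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
Discarded(incomplete): 0
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
   Stream4 Memory Faults: 0
"""

SUMMARY_RE = re.compile(
    r"Snort analyzed (\d+) out of (\d+) packets, dropping (\d+)\((\d+\.\d+)%\)")
# "Name: 123" optionally followed by "(12.345%)"; two pairs may share one line.
COUNTER_RE = re.compile(
    r"([A-Za-z][A-Za-z0-9 ()]*?):\s+(\d+)(?:\s+\((\d+\.\d+)%\))?")


def request_stats(pidfile="/var/run/snort_eth0.pid"):
    """Ask a running snort daemon for a stats dump (Marty's SIGUSR1 advice).
    The pidfile path is an assumption; use the one your snort -D writes."""
    with open(pidfile) as fh:
        pid = int(fh.read().split()[0])
    os.kill(pid, signal.SIGUSR1)  # in -D mode the block lands in syslog
    return pid


def parse_stats(text):
    """Flatten one stats block into {counter_name: int} plus 'drop_pct'."""
    stats = {}
    m = SUMMARY_RE.search(text)
    if m:
        stats["analyzed"], stats["received"], stats["dropped"] = (
            int(m.group(i)) for i in (1, 2, 3))
        stats["drop_pct"] = float(m.group(4))
    for line in text.splitlines():
        for key, count, _pct in COUNTER_RE.findall(line):
            stats[key.strip().lower()] = int(count)
    return stats


def delta(prev, cur):
    """Per-interval increments between two dumps: the values worth graphing."""
    return {k: cur[k] - prev[k]
            for k in cur if isinstance(cur[k], int) and k in prev}
```

Run request_stats() on a timer, pull the dumps back out of syslog, and feed consecutive parse_stats() results through delta() to get per-interval rates instead of ever-growing totals.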


--__--__--

Message: 11
Date: Thu, 10 Jan 2002 13:32:37 -0800 (PST)
From: Frank <la at ...4425...>
To: snort-users at lists.sourceforge.net 
cc: bbakke at ...4534... 
Subject: [Snort-users] Re: Garbage in snort logs

I'm having the same problem with ICMP in 1.8.3:


A snippet:

R)d..>e.n.f...g.P.g...h.2.i...j...k...l...m...n..qo...p .Zq..fr
.:s.iFt
..u../v ..v.h.x }.x.J.y _.z.,.{.{.|...}.].~...
................................................................................
....................................................................PDT.PST.PWT.PP
T.................$.............PST.....(.......PWT.............PPT.....H.......X
.......http_decode.....h... at ...4535...$ream2.........
....}..0.......spade........... at ...4536...`...x...
....spade-stats..




On 11 Jan 2002, Russell Fulton wrote:

> Here is some mail I sent to Marty this morning which has some other
> ideas on this problem...
> 
> Hi Marty,
>         I have just been corresponding with Brennan Bakke
> <bbakke at ...4534...>
> who reported finding bits of snort rules in logged ICMP packets (on the
> security focus incidents list).  I told him about the build 89 fixes and
> suggested that these might fix his problems.  Someone else pointed out
> (quite rightly) that the ICMP packets should not go anywhere near the
> stream4 preprocessor!
> 



--__--__--

Message: 12
Date: Thu, 10 Jan 2002 16:53:05 -0500 (EST)
From: Ashley Thomas <athomas at ...3539...>
To: Matt Jonkman <matt at ...4024...>
cc: <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Snort Packet Stats

It is slightly out of sync but may I ask you this.

