[Snort-users] RE: Snort-users digest, Vol 1 #4212 - 5 msgs

Jason Biggin Jason_Biggin at ...11766...
Fri May 7 08:27:11 EDT 2004




-----Original Message-----
From:	snort-users-admin at lists.sourceforge.net on behalf of snort-users-request at lists.sourceforge.net
Sent:	Thu 5/6/2004 8:07 PM
To:	snort-users at lists.sourceforge.net
Cc:	
Subject:	Snort-users digest, Vol 1 #4212 - 5 msgs
Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. RE: snort dropping 48% (Frank Knobbe)
   2. RE: snort dropping 48% (Lyons, Jon)
   3. Re: snort dropping 48% (sgt_b)
   4. Problem detecting MS-SQL sa login failures? (Anton Christian)
   5. Re: Problem detecting MS-SQL sa login failures? (Brian)

--__--__--

Message: 1
Subject: RE: [Snort-users] snort dropping 48%
From: Frank Knobbe <frank at ...9761...>
To: "Sheahan, Paul" <Paul.Sheahan at ...2218...>
Cc: snort-users at lists.sourceforge.net
Date: Thu, 06 May 2004 16:36:08 -0500



On Thu, 2004-05-06 at 16:04, Sheahan, Paul wrote:
> Funny how this rules file and startup script worked perfectly on Snort
> 1.9 on 100mb Ethernet and a low end server, and I was using all the
> other default rules too. Odd. I've always loved Snort but now it has
> become completely useless.

Nonsense. You can always run the older version again.

The problem is finding out if it's the old hardware or software. You
should be able to determine that quickly by running your old Snort 1.9
setup on the new box. Also, run the new Snort set up on a different box.
There is always the chance that your Gigabit card doesn't work well
together with your system board, perhaps interrupt contention (dunno if
Linux has a DEVICEPOLLING option like BSD does). Moreover, try a
different NIC, and finally change the system.

Feel free to also try running a different OS. FreeBSD seems to perform
well with Intel Gigabit NICs.

Regards,
Frank





--__--__--

Message: 2
Subject: RE: [Snort-users] snort dropping 48%
Date: Thu, 6 May 2004 16:39:03 -0500
From: "Lyons, Jon" <Jon_Lyons at ...11066...>
To: "Sheahan, Paul" <Paul.Sheahan at ...2218...>,
	"sgt_b" <sgt_b at ...11733...>,
	<snort-users at lists.sourceforge.net>

I saw the same issue when I tried to update to a faster box (P4 desktop
machine), and new release of FreeBSD. I didn't spend much time on it,
ended up just moving the hard drive to an older system (P3), so I don't
believe it's a snort/os issue, but a hardware issue.



-----Original Message-----
From: Sheahan, Paul [mailto:Paul.Sheahan at ...2218...]
Sent: Thursday, May 06, 2004 4:04 PM
To: sgt_b; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] snort dropping 48%


Thanks again, your tips were very helpful. You are right; I disabled a
lot of stuff just for testing purposes. I plan to put everything back in
once I figure out the packet loss issue. Couple of things I've done:

1) I just upgraded to the new libpcap released yesterday and rebooted
for fun
2) Moved -N to the end of my startup script.

Still 49% packet loss using only one rule file with about 400
content-type rules. Also Snort STILL creates individual directories for
each address it encounters. So many directories get created it reaches
the Linux limit after a while and crashes Snort. I suppose Snort could
be so busy with this that it may be contributing to the packet loss?

Funny how this rules file and startup script worked perfectly on Snort
1.9 on 100mb Ethernet and a low end server, and I was using all the
other default rules too. Odd. I've always loved Snort but now it has
become completely useless.

Note that I don't have much packet loss at all when I take out my
content rules and put in the default rule files. The content rules are
the issue, but it is still a mystery why old hardware and Snort version
worked.

Thanks for the help.
Paul

-----Original Message-----
From: sgt_b [mailto:sgt_b at ...11733...]
Sent: Thursday, May 06, 2004 4:15 PM
To: Sheahan, Paul
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort dropping 48%

Well looks like you've got snort all tuned up for speed! By utilizing
the -N switch you're not doing any logging at all so the -b and -L
switches are confusing. If the -N switch comes before the -b and -l
switches then snort WILL log packets. If the -N switch comes AFTER the
-b and -l switches snort will NOT log packets. Just thought I'd clear
that up.
Also the -k none switch exposes you to some NIDS evasion techniques. An
attacker could inject seemingly valid packets with bad checksums. With
-k none, snort will see bad packets as part of a valid stream while the
remote system you're protecting will drop these packets. This could lead
to snort becoming "desynchronized", and thus miss packets or streams it
should be alerting on.

Now, all that being said, I'm sure you turned these on due to the packet
loss issue you're having. From the looks of things, you really shouldn't
be seeing many dropped packets. That's an opinion coming from someone
who has never used snort on a gigabit network mind you. ;).

Keep in mind that even if you do get packet loss down to a minimum, are
the sacrifices you're making worth it? By not implementing checksum
verification, and by not utilizing the stream4 preprocessor you're
exposing your IDS to some of the most basic NIDS evasion techniques.
Without packet logging, and only using "fast" alert methods, you may get
very limited information from your IDS in the event of an alert.

As stated previously I have really no experience implementing snort on a
gigabit network, so take what I say with a grain of salt. It may have
something to do with all the content rules...I'm really not sure
(disabling them for testing would help verify if this is the issue).
Even though this reply doesn't help solve the problem, maybe it helps a
little.

sgt_b
Sheahan, Paul wrote:

>Thanks for the feedback. Yes, I use -b in my startup script. I have
>tried many different options in the script, or in the config file. Here
>is what I normally run to start Snort:
>
>/usr/local/bin/snort -A fast -c /etc/snort/custom.conf -i eth2 -l
>/var/log/custom -k none -o -N -b -L traces
>
>Used to work fine with my custom content rules until I switched to
>Gigabit and a higher end server.
>
>Thanks!
>Paul
>
>P.S. My bare-bones snort config is below in my original message as
>well.
>
>
>-----Original Message-----
>From: sgt_b [mailto:sgt_b at ...11733...]
>Sent: Thursday, May 06, 2004 3:20 PM
>To: Sheahan, Paul
>Cc: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] snort dropping 48%
>
>Hi Paul,
>
>I'm sure you've already tried this, but I want to make sure I cover all
>bases. :)
>How are you logging? If it's to the console (-v), I can easily see near
>50% of packets being dropped on a gigabit network. Have you tried using
>-b? It logs files in binary, and is much faster. I'd recommend you try
>that. If you've already tried the various logging methods, but got the
>same results, let us know so we can try and troubleshoot this issue. It
>would also be helpful if you show us how you're running snort (all the
>flags).
>
>sgt_b
>
>Sheahan, Paul wrote:
>
>>I still don't have an answer either. 49% of packets being dropped is
>>absolutely ridiculous.
>>
>>I recently ran TOP to check memory while Snort was running my
>>content-based rules and noticed that even though I had 1 gig of ram in
>>my server, there was almost no free memory. So I upgraded to 4 gig of
>>RAM figuring Snort just needed more RAM, but the same problem is still
>>occurring, 49% of packets are still being dropped.
>>
>>Should I take a look at libpcap? I understand there are multiple
>>versions. What version should I be running?
>>
>>Thanks
>>
>>
>>-----Original Message-----
>>From: snort user [mailto:snortuser at ...125...]
>>Sent: Wednesday, May 05, 2004 1:42 PM
>>To: Sheahan, Paul
>>Subject: RE: [Snort-users] snort dropping 48%
>>
>>I'm actually getting the same problem on a Debian machine. When the
>>traffic exceeds 100Mb/s snort really starts dropping packets fast. If I
>>remove content based rules then dropped packets significantly drop. I
>>never saw a reply other than it could be a RedHat problem so I was
>>wondering if anyone else had any ideas since I am not on RedHat.
>>
>>>From: "Sheahan, Paul" <Paul.Sheahan at ...2218...>
>>>To: <snort-users at lists.sourceforge.net>
>>>Subject: [Snort-users] snort dropping 48%
>>>Date: Wed, 28 Apr 2004 13:46:55 -0400
>>>
>>>Can anyone give me a tip in this situation?
>>>
>>>I used to have a Snort 1.9 sensor running on RHLinux7 on a 100mb
>>>Ethernet network. On that sensor I ran most of the default rules
>>>plus my own custom rule file, which contained a lot of content-based
>>>rules. It handled it no problem and didn't drop any packets.
>>>
>>>Now I've upgraded to a big beefy server, gig Ethernet, RH Linux 8.0 and
>>>Snort 2.0.5 using the same Snort config as above. Traffic levels are the
>>>same. Now I noticed it was dropping half of the traffic! My custom
>>>content rules are extremely important to me, so I performed a test. I
>>>created this bare bones snort.conf which basically disables all standard
>>>rules and extra preprocessors:
>>>
>>>var HOME_NET [10.10.0.0/16]
>>>var EXTERNAL_NET !$HOME_NET
>>>preprocessor frag2
>>>preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
>>>include classification.config
>>>include reference.config
>>>include /etc/snort/my.rules
>>>include /etc/snort/pass.rules
>>>
>>>Then I started Snort and let it capture traffic for a while. I stopped
>>>Snort and it is STILL dropping 48% of the traffic! My "my.rules" file
>>>contains a few hundred content-based rules. What gives? Can Snort no
>>>longer handle content-based rules? Or am I missing something here?
>>>
>>>Thanks,
>>>
>>>Paul



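The desynchronization sgt_b describes in the quoted reply above (a segment with a bad checksum that the end host discards but a sensor running with -k none accepts and folds into the stream), as an added example that is not part of the thread and not Snort's own code. The script computes real TCP checksums over an IPv4 pseudo-header, builds three segments of one connection, one of them a deliberately corrupted decoy occupying the same sequence space as the real request, and reassembles what the host sees against what a checksum-ignoring sensor sees. Addresses, ports and payloads are constructed for illustration, and the reassembler's policy (first data seen for a sequence number wins) is a simplification that only matters for the sensor, since the host never accepts the decoy.

```python
"""Added example: TCP checksum verification versus `snort -k none` (not from the thread)."""
import struct


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, as a 16-bit value."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum covers a pseudo-header (src, dst, zero, proto 6, length) plus the segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_segment(src_ip, dst_ip, sport, dport, seq, payload, corrupt=False) -> bytes:
    """20-byte TCP header (PSH|ACK, no options) plus payload with the checksum filled in.
    corrupt=True flips bits in the checksum: a real host silently drops such a segment."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    seg = hdr + payload
    csum = tcp_checksum(src_ip, dst_ip, seg)
    if corrupt:
        csum ^= 0x5A5A
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def segment_is_valid(src_ip, dst_ip, seg) -> bool:
    """Recompute the checksum with the checksum field zeroed and compare to the field."""
    zeroed = seg[:16] + b"\x00\x00" + seg[18:]
    return tcp_checksum(src_ip, dst_ip, zeroed) == struct.unpack("!H", seg[16:18])[0]


def reassemble(src_ip, dst_ip, segments, verify_checksums: bool) -> bytes:
    """Tiny reassembler: optionally drop bad-checksum segments (what a host does,
    and what Snort does unless -k none is set), then keep the first byte seen
    for each sequence number."""
    seen = {}
    for seg in segments:
        if verify_checksums and not segment_is_valid(src_ip, dst_ip, seg):
            continue
        seq = struct.unpack("!I", seg[4:8])[0]
        for i, b in enumerate(seg[20:]):
            seen.setdefault(seq + i, b)
    return bytes(seen[k] for k in sorted(seen))


def demo() -> dict:
    src, dst = bytes([10, 1, 1, 50]), bytes([10, 10, 0, 7])   # constructed addresses
    seq = 1000
    wire = [
        build_segment(src, dst, 40000, 80, seq, b"GET /"),
        # decoy: same sequence space as the real data, bad checksum; the host drops it
        build_segment(src, dst, 40000, 80, seq + 5, b"robots.txt\r\n", corrupt=True),
        build_segment(src, dst, 40000, 80, seq + 5, b"cgi-bin/evil"),
    ]
    return {
        "host": reassemble(src, dst, wire, verify_checksums=True),
        "snort_k_all": reassemble(src, dst, wire, verify_checksums=True),
        "snort_k_none": reassemble(src, dst, wire, verify_checksums=False),
    }


if __name__ == "__main__":
    for who, data in demo().items():
        print("%-13s %r" % (who, data))
```

The host and a verifying sensor both reconstruct `GET /cgi-bin/evil`; the sensor started with `-k none` reconstructs `GET /robots.txt`, so a content rule on the real request path never fires. Snort's `-k` option selects which checksum families are verified (`all`, `noip`, `notcp`, `noudp`, `noicmp`, `none`); the CPU saved by `none` is paid for with exactly this gap between the sensor's view and the host's.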

--__--__--

Message: 3
Date: Thu, 06 May 2004 17:45:08 -0500
From: sgt_b <sgt_b at ...11733...>
To: "Sheahan, Paul" <Paul.Sheahan at ...2218...>
CC:  snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort dropping 48%

Sheahan, Paul wrote:

>Also Snort STILL creates individual directories for
>each address it encounters. So many directories get created it reaches
>the Linux limit after a while and crashes Snort. I suppose Snort could
>be so busy with this that it may be contributing to the packet loss?
>
If you specify the -N switch it should not do any packet logging. I just 
tested this with `snort -d -l ./ -N -c /usr/local/etc/snort.conf'. It 
generates the alert file, but not any packet logs, sounds like you 
might not be using the -N switch properly (or the -N switch needs to be 
in a certain spot?). I could see how default packet logging could easily 
kill a server that runs on gigabit though.
While this may contribute to it, it doesn't sound like the root of your 
problem though as you've previously tried logging binary format.

Sheahan, Paul wrote:

> The content rules are the issue, but it is still a mystery why old 
> hardware and Snort version worked.

The real difference here is the amount of traffic snort needs to analyze. 
Gigabit ethernet is 10x faster than standard. That's a lot of packets!
What we really need is a response from someone who effectively runs 
snort on a gigabit network. Can snort run "out of the box" on a gigabit 
network efficiently (given decent hardware of course) or does it need to 
be tweaked to prevent major packet loss?

As for your current situation Paul, would it be feasible to share the 
load between multiple sensors? Each sensor containing 100 of your custom 
rules? That might work to get every packet on the wire without having to 
sacrifice some of snort's features for speed.
Just an idea. :)

sgt_b


--__--__--

Message: 4
Date: Thu, 6 May 2004 15:54:20 -0700 (PDT)
From: Anton Christian <anton_christian at ...131...>
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Problem detecting MS-SQL sa login failures?

As a test, an outsider ran an "sa" password cracking program against our MS-SQL
server.

Our RealSecure Network Sensor (v7) successfully detected and reported the
attacks as "SQL_Auth_Failed" events.

Alas, our Snort 2.1.1 sensor apparently did not detect this attack.  I was
expecting to see "MS-SQL sa login failed" alerts in the log but none were
generated.  The rule is enabled:

alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa login failed";
content: "Login failed for user |27|sa|27|"; flow:from_server,established;
classtype:unsuccessful-user; sid:688; rev:4;)

$SQL_SERVERS includes our SQL server.

Our Snort sensor monitors the same external segment as the RealSecure box, and
mostly, the alerts from the two boxes correlate.



	
		


--__--__--

Message: 5
Date: Thu, 6 May 2004 22:29:57 -0400
From: Brian <bmc at ...950...>
To: Anton Christian <anton_christian at ...131...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Problem detecting MS-SQL sa login failures?

On Thu, May 06, 2004 at 03:54:20PM -0700, Anton Christian wrote:
> As a test, an outsider ran an "sa" password cracking program against
> our MS-SQL server.

Can you send pcap?

Brian
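One check worth making on the pcap Brian asks for, as an added example that is not from the thread and not Snort's or the rule author's code: sid:688 matches the ASCII byte string `Login failed for user 'sa'`, but a client that negotiates TDS 7.x (SQL Server 7.0 and 2000 clients) receives the ERROR token's message text as UCS-2 (UTF-16LE), which an ASCII content pattern never matches; only an older TDS 4.2 client gets ASCII text. Which protocol version the cracking tool spoke is an assumption the capture would settle. The script translates the rule's content syntax (bytes between pipes are hex, so `|27|` is the apostrophe) into bytes and runs it against two constructed, simplified ERROR tokens, then derives the UCS-2 form of the pattern. The token layouts, message number and text are constructed for illustration and are not a full TDS encoder; the rule's `flow:from_server,established` option is a separate precondition (stream4 must have tracked the session) that the script does not model.

```python
"""Added example: does the sid:688 content pattern fit the wire encoding? (not from the thread)"""
import struct

SID_688_CONTENT = "Login failed for user |27|sa|27|"   # content: option quoted in the thread


def snort_content_to_bytes(pattern: str) -> bytes:
    """Turn Snort content syntax into the bytes it matches: text outside pipes
    is literal, text between pipes is hex (e.g. |27| -> b"'")."""
    out = bytearray()
    in_hex = False
    for chunk in pattern.split("|"):
        out += bytes.fromhex(chunk) if in_hex else chunk.encode("latin-1")
        in_hex = not in_hex
    return bytes(out)


def to_snort_hex(data: bytes) -> str:
    """Render bytes in Snort's |XX XX ...| form, e.g. for a UCS-2 rule variant."""
    return "|" + " ".join("%02X" % b for b in data) + "|"


def ucs2_content(pattern: str) -> str:
    """Content string matching the same text encoded as UCS-2 (UTF-16LE)."""
    raw = snort_content_to_bytes(pattern).decode("latin-1").encode("utf-16-le")
    return to_snort_hex(raw)


ERROR_NUMBER = 18456                     # SQL Server's "Login failed for user" message number
ERROR_TEXT = "Login failed for user 'sa'."   # constructed sample message text


def error_token_ascii(text: str) -> bytes:
    """Constructed, simplified TDS 4.2-style ERROR token (0xAA): number, state, class,
    then a 1-byte length and ASCII text. Server/proc name fields are omitted."""
    body = struct.pack("<IBB", ERROR_NUMBER, 1, 14) + bytes([len(text)]) + text.encode("ascii")
    return b"\xaa" + struct.pack("<H", len(body)) + body


def error_token_ucs2(text: str) -> bytes:
    """Constructed, simplified TDS 7.x-style ERROR token: same fields, but the text is a
    USHORT character count followed by UCS-2 (UTF-16LE) characters."""
    body = struct.pack("<IBB", ERROR_NUMBER, 1, 14) + struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return b"\xaa" + struct.pack("<H", len(body)) + body


def rule_would_match(content: str, payload: bytes) -> bool:
    """The content test of the rule in isolation (flow: is not modelled)."""
    return snort_content_to_bytes(content) in payload


def demo() -> dict:
    ascii_pkt = error_token_ascii(ERROR_TEXT)
    ucs2_pkt = error_token_ucs2(ERROR_TEXT)
    return {
        "ascii_response_sid688": rule_would_match(SID_688_CONTENT, ascii_pkt),
        "ucs2_response_sid688": rule_would_match(SID_688_CONTENT, ucs2_pkt),
        "ucs2_response_ucs2_rule": rule_would_match(ucs2_content(SID_688_CONTENT), ucs2_pkt),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print("%-26s %s" % (name, hit))
    print("UCS-2 content for a rule variant:", ucs2_content(SID_688_CONTENT))
```

If the server's bytes in the capture look like `L\x00o\x00g\x00i\x00n\x00`, the ASCII pattern cannot fire regardless of flow state, and the `to_snort_hex` output is the content a second rule would need; if the text is plain ASCII and the rule still stays silent, the next thing to check is whether stream4 marked the session as established on the sensor.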



--__--__--



End of Snort-users Digest



