[Snort-users] Snort frustration

Joel Esler joel.esler at ...1935...
Fri Jun 2 12:55:43 EDT 2006


(On a side note, that's a great idea, you should publish it on snort.org!!)

Is it possible you could go back into your unified file and generate a pcap?

Joel

Humes, David G. wrote:
> We saw this before using Barnyard, but to answer the question - 
> 
> 1.  After adding or changing rules, I restart barnyard (followed by
> snort) using a script that calls the create-sidmap.pl script supplied
> with barnyard.  
> 
> 2.  create-sidmap.pl drops the updated sid-msg.map file into
> /etc/snort/rules
> 
> 3.  The barnyard.conf file loads the sid-msg.map file from the same
> directory.
> config sid-msg-map:     /etc/snort/rules/sid-msg.map
> 
> So, yes, I am confident that barnyard is reading the correct file.
> 
> --Dave
> 
>> -----Original Message-----
>> From: Joel Esler [mailto:joel.esler at ...1935...] 
>> Sent: Friday, June 02, 2006 12:37 PM
>> To: Humes, David G.
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Snort frustration
>>
>>
>>
>> Are you sure barnyard is reading the properly updated sid-msg.map file?
>>
>> Joel
>>
>> Humes, David G. wrote:
>>> I added this rule to look for Google Desktop traffic.
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Google
>>> Desktop User-Agent detected"; flow:established,to_server; content:"GET
>>> "; offset:0; depth:4; content:"|0d 0a|User-Agent\: Mozilla/4.0
>>> (compatible\; Google Desktop)"; nocase; threshold:type limit,track
>>> by_src, count 1,seconds 300; classtype:policy-violation; sid:8001018;
>>> rev:1;)
>>>
>>> And it appears to have fired on this packet.
>>>
>>> Generated by BASE v1.2.4 (melissa) on Fri,  2 Jun 2006 12:14:38 -0400
>>>
>>> ------------------------------------------------------------------------------
>>> #(1 - 3031457) [2006-06-02 11:46:34] [local/8001018] [snort/8001018]
>>> Google Desktop User-Agent detected
>>> IPv4: 192.168.1.100 -> 216.239.39.99
>>>       hlen=5 TOS=0 dlen=83 ID=9124 flags=2 offset=0 TTL=126 chksum=65404
>>> TCP:  port=2181 -> dport: 80  flags=***AP*** seq=395991789
>>>       ack=781565658 off=5 res=0 win=65535 urp=0 chksum=64289
>>> Payload:  length = 43
>>>
>>> 000 : 47 45 54 20 2F 64 73 6E 65 77 73 3F 6A 3D 36 26   GET /dsnews?j=6&
>>> 010 : 68 6C 3D 65 6E 26 65 64 3D 63 6F 6D 26 76 3D 32   hl=en&ed=com&v=2
>>> 020 : 20 48 54 54 50 2F 31 2E 31 0D 0A                   HTTP/1.1..
>>>
>>> This is a continual frustration, where a rule fires and the payload
>>> does not match.  Most of the time, the payload does match.  But, it's
>>> not hard to find instances like the one above.  Can anyone offer some
>>> reasons why this may be occurring and what can be done to correct the
>>> problem?  Was there some payload that really did match and it's just
>>> showing the wrong payload?  Or did the detection engine just mess up?
>>> We're running Version 2.4.3 (Build 26), but this problem has been with
>>> us through two generations of Snort sensors and numerous versions.  We
>>> use Barnyard and unified logging, but the problem was seen before we
>>> implemented Barnyard.  Any help would be greatly appreciated.
>>>
>>> -Dave
>>>
>>>
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe: 
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive: 
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>

-- 
+---------------------------------------------------------------------+
Joel Esler  	     Senior Security Consultant 	1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
Snort - Open Source Network IPS/IDS -- http://www.snort.org
GPG Key http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+
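The two questions in this thread (does the rule's content actually match the logged payload, and does the sid-msg.map entry Barnyard reads agree with the rule's sid) can both be checked offline before touching the sensor. The script below is an added example and is not code from the thread, from Snort or from Barnyard. It implements a simplified version of Snort's content matching (each content is searched absolutely within its offset/depth window; nocase is honoured; distance/within are not implemented), uses the rule and the BASE hex dump transcribed from the original post, and a constructed sid-msg.map excerpt in the `sid || msg` format. Running it shows that the first content ("GET ") matches but the User-Agent content does not, which is exactly the mismatch Dave reported.

```python
import re

# Rule and payload transcribed from the original post (the hex bytes are the
# BASE payload dump shown in the alert).
RULE = (
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    r'(msg:"Google Desktop User-Agent detected"; flow:established,to_server; '
    r'content:"GET "; offset:0; depth:4; '
    r'content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; Google Desktop)"; nocase; '
    r'threshold:type limit,track by_src, count 1,seconds 300; '
    r'classtype:policy-violation; sid:8001018; rev:1;)'
)

ALERT_PAYLOAD = bytes.fromhex(
    "47 45 54 20 2F 64 73 6E 65 77 73 3F 6A 3D 36 26"
    "68 6C 3D 65 6E 26 65 64 3D 63 6F 6D 26 76 3D 32"
    "20 48 54 54 50 2F 31 2E 31 0D 0A"
)

# Constructed sid-msg.map excerpt (format: sid || msg || reference ...), the
# file Barnyard consults to turn a unified record's sid into a message.
SID_MSG_MAP = """\
8001018 || Google Desktop User-Agent detected
1000001 || Some other local rule
"""


def decode_content(text):
    """Convert a Snort content string to bytes: |hh hh| runs become raw
    bytes, and a backslash escapes the next character (\\: \\; \\" \\\\)."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == '|':
            end = text.index('|', i + 1)
            out += bytes.fromhex(text[i + 1:end])
            i = end + 1
        elif ch == '\\' and i + 1 < len(text):
            out.append(ord(text[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def split_options(rule):
    """Return the rule's option list, splitting on ';' unless it is escaped."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    return [o.strip() for o in re.split(r'(?<!\\);', body) if o.strip()]


def parse_rule(rule):
    """Pull out msg, sid and each content matcher with its modifiers."""
    info = {'msg': None, 'sid': None, 'contents': []}
    for opt in split_options(rule):
        name, _, val = opt.partition(':')
        name, val = name.strip(), val.strip()
        if name == 'content':
            negated = val.startswith('!')
            pattern = val.lstrip('!').strip().strip('"')
            info['contents'].append({'pattern': decode_content(pattern),
                                     'offset': 0, 'depth': None,
                                     'nocase': False, 'negated': negated})
        elif name in ('offset', 'depth') and info['contents']:
            info['contents'][-1][name] = int(val)
        elif name == 'nocase' and info['contents']:
            info['contents'][-1]['nocase'] = True
        elif name == 'msg':
            info['msg'] = val.strip('"')
        elif name == 'sid':
            info['sid'] = int(val)
    return info


def content_matches(payload, spec):
    """Absolute content test: search the offset/depth window, honouring nocase."""
    start = spec['offset']
    end = len(payload) if spec['depth'] is None else start + spec['depth']
    window, pattern = payload[start:end], spec['pattern']
    if spec['nocase']:
        window, pattern = window.lower(), pattern.lower()
    return (pattern in window) != spec['negated']


def explain(rule, payload):
    """Per-content verdicts, so the matcher that fails is visible."""
    return [(spec['pattern'], content_matches(payload, spec))
            for spec in parse_rule(rule)['contents']]


def rule_matches(rule, payload):
    return all(ok for _, ok in explain(rule, payload))


def lookup_sid(sid_msg_map, sid):
    """Message Barnyard would print for this sid, or None if the map is stale."""
    for line in sid_msg_map.splitlines():
        fields = [f.strip() for f in line.split('||')]
        if fields and fields[0] == str(sid):
            return fields[1]
    return None


if __name__ == '__main__':
    info = parse_rule(RULE)
    for pattern, ok in explain(RULE, ALERT_PAYLOAD):
        print(f"{'match   ' if ok else 'NO MATCH'} {pattern!r}")
    print("rule matches payload:", rule_matches(RULE, ALERT_PAYLOAD))
    print("sid-msg.map says sid", info['sid'], "->", lookup_sid(SID_MSG_MAP, info['sid']))
```

If `rule_matches` is False for the payload BASE displayed while the sid-msg.map entry is correct, the rule text and the message are consistent and the discrepancy lies between what the detection engine evaluated and what was logged, which is why regenerating the pcap from the unified file is the next step.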



