[Snort-users] Snort frustration

Humes, David G. David.Humes at ...383...
Wed Jun 7 17:44:05 EDT 2006


I think I understand what's happening here and wish I had read the
tagged packet thread.  I created a pcap from the unified log file that
contained data from an alert whose content appeared to be incomplete and
incapable of triggering the rule.  What I found was that Snort had
logged two packets to the unified log file.  As I understand it now,
that second packet would have been logged as a tagged packet.  We have
been accumulating a significant number of tagged packet alerts, and not
realizing that some are the result of stream4 reassembly and the unified
output plugin, many have been deleted in order to maintain the database
size at a reasonable level.  So, Snort and Barnyard were working just
fine.  And it was just our process that was removing the payload data
that appeared to be missing.

Now the problem is how to manage the tagged packets.  It's clear now
that we don't want to do unqualified deletes of tagged packet alerts.
But, they need to be cleaned up somehow.  Ideally, they would be deleted
when the corresponding alert is deleted.  Is this being considered by
the BASE folks?

Joel, thanks for your help.

--Dave

> -----Original Message-----
> From: snort-users-bounces at lists.sourceforge.net 
> [mailto:snort-users-bounces at lists.sourceforge.net] On Behalf 
> Of Paul Schmehl
> Sent: Friday, June 02, 2006 3:23 PM
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort frustration
> 
> 
> Humes, David G. wrote:
> > I added this rule to look for Google Desktop traffic.
> > 
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Google Desktop User-Agent detected"; flow:established,to_server; content:"GET "; offset:0; depth:4; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; Google Desktop)"; nocase; threshold:type limit,track by_src, count 1,seconds 300; classtype:policy-violation; sid:8001018; rev:1;)
> > 
> > And it appears to have fired on this packet.
> > 
> > Generated by BASE v1.2.4 (melissa) on Fri,  2 Jun 2006 12:14:38 -0400
> > 
> > ------------------------------------------------------------------------------
> > #(1 - 3031457) [2006-06-02 11:46:34] [local/8001018] [snort/8001018]
> > Google Desktop User-Agent detected
> > IPv4: 192.168.1.100 -> 216.239.39.99
> 
> dig -x 216.239.39.99
> 
> ; <<>> DiG 9.3.1 <<>> -x 216.239.39.99
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10374
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;99.39.239.216.in-addr.arpa.    IN      PTR
> 
> ;; AUTHORITY SECTION:
> 39.239.216.in-addr.arpa. 60     IN      SOA     ns1.google.com. 
> dns-admin.google.com. 2004031201 21600 3600 1038800 60
> 
> whois 216.239.39.99
> 
> OrgName:    Google Inc.
> OrgID:      GOGL
> Address:    1600 Amphitheatre Parkway
> City:       Mountain View
> StateProv:  CA
> PostalCode: 94043
> Country:    US
> 
> NetRange:   216.239.32.0 - 216.239.63.255
> CIDR:       216.239.32.0/19
> NetName:    GOOGLE
> 
> That's a Google-owned address.  I'm betting it's Google Desktop.
> 
> >       hlen=5 TOS=0 dlen=83 ID=9124 flags=2 offset=0 TTL=126 chksum=65404
> > TCP:  port=2181 -> dport: 80  flags=***AP*** seq=395991789
> >       ack=781565658 off=5 res=0 win=65535 urp=0 chksum=64289
> > Payload:  length = 43
> > 
> > 000 : 47 45 54 20 2F 64 73 6E 65 77 73 3F 6A 3D 36 26   GET /dsnews?j=6&
> > 010 : 68 6C 3D 65 6E 26 65 64 3D 63 6F 6D 26 76 3D 32   hl=en&ed=com&v=2
> > 020 : 20 48 54 54 50 2F 31 2E 31 0D 0A                   HTTP/1.1..
> 
> What's on line 030, 040, etc.?  Do you have a pcap?  It looks like your
> rule is doing exactly what you would expect it to do, but you're not
> capturing (or at least seeing in BASE) the remainder of the packet.  The
> UserAgent info follows the GET *and* the HTTP/1.1, so it's further down
> in the packet.
> 
> -- 
> Paul Schmehl (pauls at ...6838...)
> Adjunct Information Security Officer
> The University of Texas at Dallas http://www.utdallas.edu/ir/security/
> 
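An added illustration of the behaviour discussed in this thread (not code from either poster, and not Snort's own matching engine): a toy re-implementation of the two content options of sid:8001018, evaluated packet by packet and then on the reassembled client-to-server stream. The first packet is rebuilt from the hex dump in the quoted BASE output; the second packet, carrying the User-Agent header, is constructed here because the thread never shows it, and its Host header value is an assumption.

```python
# Added example (not Snort's code): a toy re-implementation of the two
# content checks from sid:8001018, run over the client side of the
# connection packet by packet and after stream reassembly.

# Payload of the packet BASE displayed (43 bytes, rebuilt from the hex
# dump in the quoted message).
PACKET1 = b"GET /dsnews?j=6&hl=en&ed=com&v=2 HTTP/1.1\r\n"

# Constructed second packet: the thread never shows it, so this is an
# assumed continuation carrying the rest of the request headers.
PACKET2 = (
    b"Host: desktop.google.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; Google Desktop)\r\n"
    b"\r\n"
)

# content:"GET "; offset:0; depth:4;
GET_PREFIX = b"GET "
# content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; Google Desktop)"; nocase;
UA_PATTERN = b"\r\nUser-Agent: Mozilla/4.0 (compatible; Google Desktop)"


def content_match(payload, pattern, offset=0, depth=None, nocase=False):
    """Absolute Snort-style content match.

    offset/depth bound the search window as in the rule language: the
    pattern must lie inside payload[offset:offset+depth].  Without depth
    the window runs to the end of the buffer.
    """
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def rule_matches(payload):
    """True when both content options of the rule hit in one buffer."""
    return (content_match(payload, GET_PREFIX, offset=0, depth=4)
            and content_match(payload, UA_PATTERN, nocase=True))


def evaluate(packets):
    """Evaluate the rule per packet and on the reassembled stream.

    Returns the per-packet verdicts plus the verdict on the concatenated
    client-to-server data, which is the buffer a stream preprocessor
    hands to detection.
    """
    return {
        "per_packet": [rule_matches(p) for p in packets],
        "reassembled": rule_matches(b"".join(packets)),
    }


if __name__ == "__main__":
    print(evaluate([PACKET1, PACKET2]))
```

Neither packet satisfies the rule on its own: the first has the `GET ` prefix but no User-Agent line, the second has the User-Agent line but nothing at offset 0. Only the reassembled buffer matches, which is why the single packet stored with the alert looks incapable of triggering the rule and why the remaining bytes turn up in the second, tagged packet that Dave found in the unified log.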