[Snort-users] data from multiple sessions in one alert/packet

Jon Hart jhart at ...8039...
Wed May 17 14:27:02 EDT 2006


Hello,

The weird behavior I'm seeing is what appears to be multiple HTTP
requests (sometimes the src<->dest is the same, others not) in the same
alert.  

Someone in #snort asked if I was behind a proxy server and, yes, the
bulk of our inbound traffic is handled by Akamai.  I can't find any
specific examples, but I swear I saw alerts where some of the traffic
came from Akamai and others did not.

What is even weirder is, today, I saw an alert that contained portions
of two distinct conversations, but one was headed inbound and the other
was headed outbound.  Aside from the general weirdness of this, I had
just recently switched my $HOME_NET to 'any'.

This is snort 2.4.4, running Red Hat Enterprise Linux ES release
4 (Nahant Update 1) with kernel 2.6.9-11.ELsmp (not my choice).  My
config is more or less stock:

var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var SSH_PORTS 22
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH ./rules
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
   iis_unicode_map unicode.map 1252 
preprocessor http_inspect_server: server default \
   profile all ports { 80 8080 8180 } oversize_dir_length 500 \
   no_alerts
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor xlink2state: ports { 25 691 }
output database: log, mysql, user=snort \
   password=ffffff dbname=snort host=localhost sensor_name=edge


And snort is started as follows:

snort -u snort -g snort -i bond0 -c /usr/local/stow/snort/etc/snort.conf -D -eyo

(I have a pass rule to filter out a particularly false-positive prone
URL, hence the -o)

Any ideas?

-jon
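A quick way to verify what the poster describes, namely that one logged alert carries pieces of more than one HTTP conversation, is to inspect the alert payload itself rather than the rule that fired. The script below is an added example and is not part of the original post or of Snort: it takes the raw payload bytes of an alert (for instance the data column of the snort MySQL output, or a packet payload from a pcap), splits them at every HTTP request line and status line, and reports whether the fragments point at more than one server or mix client and server directions. The sample payload is constructed for the example; the distinction it draws is that several requests to the same Host in one payload are normal HTTP/1.1 pipelining, whereas different Host values or a request and a response in the same payload cannot come from a single direction of a single session.

```python
"""Heuristic check of a Snort alert payload for fragments of more than one
HTTP conversation.  Added example, not from the original post or the Snort
project.  Assumes the caller hands in the raw payload bytes of one alert."""
import re
from typing import Dict, List

# Start-line shapes from RFC 2616; MULTILINE so ^ and $ work per line.
REQUEST_LINE = re.compile(
    rb"^(?P<method>GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE) "
    rb"(?P<uri>\S+) HTTP/1\.[01]\r?$", re.M)
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (?P<code>\d{3}) [^\r\n]*\r?$", re.M)
HOST_HEADER = re.compile(rb"^Host:[ \t]*(?P<host>[^\r\n]+)\r?$", re.M | re.I)

# Constructed sample alert payload (not a real capture): two pipelined
# requests to one host, a third request to another host, and a server
# response, all in the same buffer.
SAMPLE_ALERT_PAYLOAD = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: x\r\n\r\n"
    b"GET /images/logo.gif HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
    b"POST /login HTTP/1.0\r\nHost: intranet.example.net\r\nContent-Length: 0\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
)

# Constructed benign sample: plain HTTP/1.1 pipelining to a single host.
SAMPLE_PIPELINED_PAYLOAD = (
    b"GET /a HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
    b"GET /b HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
)


def split_http_messages(payload: bytes) -> List[Dict[str, str]]:
    """Return one entry per HTTP request or response start line in the payload.

    Each request is paired with the Host header that appears before the next
    start line, so requests aimed at different servers can be told apart."""
    starts = []
    for m in REQUEST_LINE.finditer(payload):
        starts.append((m.start(), "request", m.group("method"), m.group("uri")))
    for m in STATUS_LINE.finditer(payload):
        starts.append((m.start(), "response", m.group("code"), b""))
    starts.sort()  # by byte offset, so chunks follow wire order

    messages = []
    for i, (pos, kind, start_token, uri) in enumerate(starts):
        end = starts[i + 1][0] if i + 1 < len(starts) else len(payload)
        chunk = payload[pos:end]
        host = ""
        if kind == "request":
            hm = HOST_HEADER.search(chunk)
            host = hm.group("host").strip().decode("latin-1") if hm else ""
        messages.append({
            "kind": kind,
            "start": start_token.decode("latin-1"),  # method or status code
            "uri": uri.decode("latin-1"),
            "host": host,
        })
    return messages


def classify(payload: bytes) -> Dict[str, object]:
    """Summarise the payload and flag it when its fragments cannot all belong
    to one direction of one HTTP session."""
    msgs = split_http_messages(payload)
    hosts = {m["host"] for m in msgs if m["kind"] == "request" and m["host"]}
    kinds = {m["kind"] for m in msgs}
    both_directions = kinds == {"request", "response"}
    return {
        "messages": len(msgs),
        "distinct_hosts": len(hosts),
        "both_directions": both_directions,
        # Pipelined requests to one host are legitimate; several hosts or
        # mixed directions in a single buffer are not.
        "suspect_multi_session": len(msgs) > 1 and (len(hosts) > 1 or both_directions),
    }


if __name__ == "__main__":
    for name, data in (("mixed", SAMPLE_ALERT_PAYLOAD),
                       ("pipelined", SAMPLE_PIPELINED_PAYLOAD)):
        print(name, classify(data))
```

Run against a batch of alert payloads, the `suspect_multi_session` flag separates the alerts worth looking at (different Host values, or request and response bytes in one buffer) from ordinary pipelined traffic, which a plain count of request lines would lump together.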



