[Snort-users] data from multiple sessions in one alert/packet

nikns nikns at ...13802...
Wed May 17 14:54:02 EDT 2006


I had an identical issue. You are probably dropping packets.

Short answer is:
"There is a config parameter in Stream4 to help address that.
On the stream4_reassemble line, add "zero_flushed_packets".
This will cause Stream4 to zero out the memory of the
rebuilt packet before copying in the new data.  So, when
packets are missing from the middle of the rebuilt packet,
you'll get 0x00 in those bytes, rather than whatever was
there from the previous rebuild." <c> Steven


nikns


On Wed, May 17, 2006 at 05:26:21PM -0400, Jon Hart wrote:
>Hello,
>
>The weird behavior I'm seeing is what appears to be multiple HTTP
>requests (sometimes the src<->dest is the same, others not) in the same
>alert.  
>
>Someone in #snort asked if I was behind a proxy server and, yes, the
>bulk of our inbound traffic is handled by Akamai.  I can't find any
>specific examples, but I swear I saw alerts where some of the traffic
>came from Akamai and others did not.
>
>What is even weirder is, today, I saw an alert that contained portions
>of two distinct conversations, but one was headed inbound and the other
>was headed outbound.  Aside from the general weirdness of this, I had
>just recently switched my $HOME_NET to 'any'.
>
>This is snort 2.4.4, running Red Hat Enterprise Linux ES release
>4 (Nahant Update 1) with kernel 2.6.9-11.ELsmp (not my choice).  My
>config is more or less stock:
>
>var HOME_NET any
>var EXTERNAL_NET any
>var DNS_SERVERS $HOME_NET
>var SMTP_SERVERS $HOME_NET
>var HTTP_SERVERS $HOME_NET
>var SQL_SERVERS $HOME_NET
>var TELNET_SERVERS $HOME_NET
>var SNMP_SERVERS $HOME_NET
>var HTTP_PORTS 80
>var SHELLCODE_PORTS !80
>var ORACLE_PORTS 1521
>var SSH_PORTS 22
>var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>var RULE_PATH ./rules
>config disable_decode_alerts
>config disable_tcpopt_experimental_alerts
>preprocessor flow: stats_interval 0 hash 2
>preprocessor frag3_global: max_frags 65536
>preprocessor frag3_engine: policy first detect_anomalies
>preprocessor stream4: disable_evasion_alerts
>preprocessor stream4_reassemble
>preprocessor http_inspect: global \
>   iis_unicode_map unicode.map 1252 
>preprocessor http_inspect_server: server default \
>   profile all ports { 80 8080 8180 } oversize_dir_length 500 \
>   no_alerts
>preprocessor rpc_decode: 111 32771
>preprocessor bo
>preprocessor telnet_decode
>preprocessor xlink2state: ports { 25 691 }
>output database: log, mysql, user=snort \
>   password=ffffff dbname=snort host=localhost sensor_name=edge
>
>
>And snort is started as follows:
>
>snort -u snort -g snort -i bond0 -c /usr/local/stow/snort/etc/snort.conf
>-D -eyo
>
>(I have a pass rule to filter out a particularly false-positive prone
>URL, hence the -o)
>
>Any ideas?
>
>-jon
>
>
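The buffer-reuse effect in Steven's quoted explanation, as an added example in C that is not Snort's own code: one shared rebuild buffer is filled from session A, then from session B whose middle segment was lost, first without and then with the zeroing that zero_flushed_packets adds. The segment struct, the two sessions and the buffer size are constructed for this illustration.

```c
/* Added example, not Snort code: models the rebuilt-packet buffer reuse
 * the reply describes. Session A is rebuilt completely, then session B is
 * rebuilt into the same buffer with its middle segment missing. Without
 * zeroing the hole keeps A's bytes; with zeroing (zero_flushed_packets) it
 * reads 0x00. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32

struct segment { size_t offset; const char *data; size_t len; };

/* Copy segments into buf at their stream offsets. If zero_flushed is set,
 * clear the buffer first, as Stream4 does with zero_flushed_packets. */
static void rebuild(char *buf, int zero_flushed,
                    const struct segment *segs, size_t nsegs)
{
    if (zero_flushed)
        memset(buf, 0, BUF_SIZE);
    for (size_t i = 0; i < nsegs; i++)
        if (segs[i].offset + segs[i].len <= BUF_SIZE)   /* never overrun */
            memcpy(buf + segs[i].offset, segs[i].data, segs[i].len);
}

/* Constructed streams: A is complete; B lost its middle segment (bytes 8..15),
 * as happens when the sensor drops packets. */
static const struct segment session_a[] = {
    {0, "GET /a H", 8}, {8, "TTP/1.0\r", 8}, {16, "\nHost: a", 8},
};
static const struct segment session_b[] = {
    {0, "GET /b H", 8}, {16, "\nHost: b", 8},
};

/* Rebuild A then B in one shared buffer (as a reused rebuilt packet would be)
 * and return the first byte of B's hole: leftover A data, or 0x00. */
unsigned char hole_byte_after_reuse(int zero_flushed)
{
    static char buf[BUF_SIZE];
    rebuild(buf, zero_flushed, session_a, 3);
    rebuild(buf, zero_flushed, session_b, 2);
    return (unsigned char)buf[8];
}

int main(void)
{
    printf("without zero_flushed_packets: 0x%02x ('%c')\n",
           hole_byte_after_reuse(0), hole_byte_after_reuse(0));
    printf("with zero_flushed_packets:    0x%02x\n", hole_byte_after_reuse(1));
    return 0;
}
```

The leftover 'T' in the first run is the same kind of stale byte that shows up as a foreign request fragment in an alert; with zeroing the gap is visibly empty instead.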