[Snort-users] Alert payloads not matching alert rules

Joel Esler joel.esler at ...1935...
Wed Nov 22 14:14:52 EST 2006


Are you dropping any packets?  It seems that with 3 processes of Snort, on the same box, with only 2 Gigs of RAM trying to analyze that much traffic, you are probably dropping packets in addition to Snort overwriting its own memory.

J


On Wed, Nov 22, 2006 at 07:54:34PM +0100, it looks like spagno_f at ...12... sent me:
> Hello,
> 
> The machine is a dual Opteron with 2GB of RAM. It runs 3 instances of snort. Each snort process sends logs to a specific log directory. Each snort process has its barnyard process processing its logs/alerts to the mysql DB. Each snort process listens on its own interface. Each interface is attached to the SPAN port of a gigabit switch.
> 
> Fabien
> 
> Joel Esler:
> > How much RAM do you have in your machine?
> > 
> > Joel
> > 
> > 
> > On Tue, Nov 21, 2006 at 06:48:22PM +0100, it looks like spagno_f at ...12... sent me:
> > > Hello,
> > > 
> > > We encounter a strange problem with snort 2.6.0, Barnyard, BASE, all compiled from source files. 
> > > 
> > > We have alerts which do not match the alert rules generating the alert. Actually, by looking at the payload, we cannot find content we should see. It seems several people already complained about this problem before, without any real answer (http://marc.theaimsgroup.com/?l=snort-users&m=112505975311791&w=2)
> > > 
> > > Here is an example below. 
> > > We have this rule generating alerts we see in BASE :
> > > 
> > > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP";
> > > content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128;
> > > reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:4;)
> > > 
> > > Alert generated by this rule, in BASE :
> > > 
> > > #(6 - 56146) [2006-09-29 15:27:22] [arachnids/181] [local/648] [snort/:648]
> > > SHELLCODE x86 NOOP
> > > IPv4: 172.16.5.27 -> 172.16.5.12
> > >       hlen=5 TOS=0 dlen=155 ID=59197 flags=2 offset=0 TTL=128 chksum=45271
> > > TCP:  port=3563 -> dport: 1521  flags=***AP*** seq=831827579
> > >       ack=2816413717 off=5 res=0 win=16370 urp=0 chksum=12348
> > > Payload:  length = 115
> > > 
> > > 000 : 00 73 00 00 06 00 00 00 00 00 03 5E 98 20 80 00   .s.........^. ..
> > > 010 : 00 06 00 00 00 00 00 00 00 00 01 0C 00 00 00 00   ................
> > > 020 : 01 00 00 00 00 E8 03 00 00 00 00 00 00 00 00 00   ................
> > > 030 : 00 00 00 00 00 00 01 01 00 00 00 00 00 00 00 00   ................
> > > 040 : 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
> > > 050 : 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00   ................
> > > 060 : 00 00 00 00 00 00 00 00 00 00 00 00 07 05 C4 05   ................
> > > 070 : 31 0B 07                                          1..
> > > 
> > > As you can see there is no '90' bytes, as we should see in the payload. 
> > > 
> > > This not the only rule with this problem. Others have the same problem too (sometimes eevn preprocessors like http_inspect too).
> > > 
> > > While looking at the ASCII dump.log file generated by barnyard I have also came accross a similar exemple (below). For this alert, we should see a "user" somewhere in the payload, but we don't :
> > > 
> > > 
> > > [**] [1:2650:2] ORACLE user name buffer overflow attempt [**]
> > > [Classification: Attempted User Privilege Gain] [Priority: 1]
> > > [Xref => http://www.appsecinc.com/Policy/PolicyCheck62.html]
> > > Event ID: 62662     Event Reference: 62662
> > > 11/21/06-17:16:04.892127 172.16.0.136:34833 -> 172.16.5.12:1521
> > > TCP TTL:64 TOS:0x0 ID:32755 IpLen:20 DgmLen:100 DF
> > > ***AP*** Seq: 0xB700F908  Ack: 0xF1594793  Win: 0x3309  TcpLen: 32
> > > TCP Options (3) => NOP NOP TS: 2796076485 835448929 
> > > 00 30 00 00 06 00 00 00 00 00 03 68 FB 01 00 00  .0.........h....
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > > 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 01  ................ 
> > > 
> > > With this problem Snort becomes almost unusable since, when we try to analyse an alert to see if this is a false positive or not, we cannot have the correct payload which generated the alert. We don't know if this is a Snort or a Barnyard problem. Unfortunately, for now, I was not able to do a tcpdump of one of these packets.
> > > 
> > > Have you noticed the same behavior ?
> > > 
> > > What could be the cause of the problem ? What solution to apply ?
> > > 
> > > Thank you for your help 
> > > 
> > > 
> > > ________________________________________________________________________
> > > iFRANCE, exprimez-vous !
> > > http://web.ifrance.com
> > 
> > > -------------------------------------------------------------------------
> > > Take Surveys. Earn Cash. Influence the Future of IT
> > > Join SourceForge.net's Techsay panel and you'll get the chance to share your
> > > opinions on IT & business topics through brief surveys - and earn cash
> > > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> > 
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > 
> > +---------------------------------------------------------------------+
> > joel esler          senior security consultant         1-706-627-2101
> > Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
> >        Snort - Open Source Network IPS/IDS -- http://www.snort.org
> >          gpg key: http://demo.sourcefire.com/jesler.pgp.key
> > +---------------------------------------------------------------------+
> > 
> 
> 
> ________________________________________________________________________
> iFRANCE, exprimez-vous !
> http://web.ifrance.com

> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

+---------------------------------------------------------------------+
joel esler          senior security consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
       Snort - Open Source Network IPS/IDS -- http://www.snort.org
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+




More information about the Snort-users mailing list