[Snort-users] snort-2.8.2.1 and udp alerts

Leon Ward seclists at ...14165...
Tue Jun 24 11:40:52 EDT 2008


Hi

Stream 5 tracking UDP, and alerts being generated by UDP are two  
different things. Stream 5 is a TCP/UDP connection state tracker, if  
you look in your rule files you will see many rules associated with  
the UDP protocol enabled.

If you are only getting UDP events being raised by Snort, this means  
one of two things.

	1) People are doing bad/interesting stuff only with UDP and not with  
TCP
	2) The device you are sniffing with is not being presented with a  
complete traffic profile.

2 is the most likely. Take a look at the destination of the UDP  
events, are they broadcast traffic?
Have you seen anything unicast? (excluding maybe to the interface  
you're sniffing on).

Take a look at the output when snort quits (or send it a SIGUSR1  
signal). It will show a breakdown of stats, for example:

-snip-
Jun 24 06:36:40 rancid snort[15311]:       ETH: 32058      (100.000%)
-snip-
Jun 24 06:36:40 rancid snort[15311]:       IP4: 30552      (95.302%)
-snip-
Jun 24 06:36:40 rancid snort[15311]:       TCP: 27039      (84.344%)
Jun 24 06:36:40 rancid snort[15311]:       UDP: 3233       (10.085%)
Jun 24 06:36:40 rancid snort[15311]:      ICMP: 66         (0.206%)
-snip-
Jun 24 06:36:40 rancid snort[15311]:       ARP: 1506       (4.698%)
-snip-
Jun 24 06:36:40 rancid snort[15311]:     Total: 32058

If Snort isn't seeing TCP traffic, it will be obvious here.

-Leon


On 24 Jun 2008, at 14:45, Alex wrote:

> hello snort experts,
>
> I am using snort-2.8.2.1 compiled with mysql support. Currently,  
> snort it logs
> and produce UDP alerts even it seems that UDP support is disabled in  
> config
> file.
>
> Starting snort, i can see in terminal:
> [root at ...14374... ~]# snort -c /etc/snort/snort.conf
> ...
> Stream5 global config:
> Track TCP sessions: ACTIVE
> Max TCP sessions: 8192
> Memcap (for reassembly packet storage): 8388608
> Track UDP sessions: INACTIVE
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Track ICMP sessions: INACTIVE
> ...
> Portscan Detection Config:
> Detect Protocols: TCP UDP ICMP IP
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Detect Scan Type: portscan portsweep decoy_portscan  
> distributed_portscan
> Sensitivity Level: Low
> Memcap (in bytes): 10000000
> ...
>
> In snort.conf i can see only 2 lines related to UDP:
>
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> track_udp no
>
> so here, no doubt that UDP is DISABLED
>
> and
>
> preprocessor sfportscan: proto { all } \
> memcap { 10000000 } \
> sense_level { low }
>
> If UDP support is disabled in snort.conf, which line match and  
> produce the
> following UDP alerts? I'm not convinced that preprocessor sfportscan  
> will
> generate it. Can anybody give me a hint?
>
> MS-SQL ping attempt 2008-06-23 17:51:15 192.168.0.139:1052
> 255.255.255.255:1434 UDP
>
> or
>
> MISC UPnP malformed advertisement 2008-06-23 16:21:10  
> 169.254.209.225:1900
> 239.255.255.250:1900 UDP
>
> below, comes my entire snort.conf file:
>
> var HOME_NET any
> var EXTERNAL_NET any
> var DNS_SERVERS $HOME_NET
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
> var SNMP_SERVERS $HOME_NET
> portvar HTTP_PORTS 80
> portvar SHELLCODE_PORTS !80
> portvar ORACLE_PORTS 1521
> var AIM_SERVERS
> [64.12.24.0 
> / 
> 23,64.12.28.0 
> / 
> 23,64.12.161.0 
> / 
> 24,64.12.163.0 
> / 
> 24,64.12.200.0 
> / 
> 24,205.188.3.0 
> / 
> 24,205.188.5.0 
> / 
> 24,205.188.7.0 
> /24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> var RULE_PATH /etc/snort/rules
> var PREPROC_RULE_PATH ../preproc_rules
> dynamicpreprocessor directory /usr/lib/ 
> snort-2.8.2.1_dynamicpreprocessor/
> dynamicengine /usr/lib/snort-2.8.2.1_dynamicengine/libsf_engine.so
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> track_udp no
> preprocessor stream5_tcp: policy first, use_static_footprint_sizes
> preprocessor http_inspect: global \
> iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default \
> profile all ports { 80 8080 8180 } oversize_dir_length 500
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor ftp_telnet: global \
> encrypted_traffic yes \
> inspection_type stateful
> preprocessor ftp_telnet_protocol: telnet \
> normalize \
> ayt_attack_thresh 200
> preprocessor ftp_telnet_protocol: ftp server default \
> def_max_param_len 100 \
> alt_max_param_len 200 { CWD } \
> cmd_validity MODE < char ASBCZ > \
> cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
> chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
> telnet_cmds yes \
> data_chan
> preprocessor ftp_telnet_protocol: ftp client default \
> max_resp_len 256 \
> bounce yes \
> telnet_cmds yes
> preprocessor smtp: \
> ports { 25 587 691 } \
> inspection_type stateful \
> normalize cmds \
> normalize_cmds { EXPN VRFY RCPT } \
> alt_max_command_line_len 260 { MAIL } \
> alt_max_command_line_len 300 { RCPT } \
> alt_max_command_line_len 500 { HELP HELO ETRN } \
> alt_max_command_line_len 255 { EXPN VRFY }
> preprocessor sfportscan: proto { all } \
> memcap { 10000000 } \
> sense_level { low }
> preprocessor dcerpc: \
> autodetect \
> max_frag_size 3000 \
> memcap 100000
> preprocessor dns: \
> ports { 53 } \
> enable_rdata_overflow
> preprocessor ssl: noinspect_encrypted
> output database: log, mysql, user=snort password=password dbname=snort
> host=localhost
> include classification.config
> include reference.config
> include $RULE_PATH/local.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/tftp.rules
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/snmp.rules
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/other-ids.rules
> include $RULE_PATH/experimental.rules
>
> Regards,
> Alx
>
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://sourceforge.net/services/buy/index.php
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>





More information about the Snort-users mailing list