[Snort-users] snort-2.8.2.1 and udp alerts

Alex linux at ...14373...
Wed Jun 25 09:48:54 EDT 2008


On Tuesday 24 June 2008 18:40, you wrote:
> Hi
>
> Stream 5 tracking UDP, and alerts being generated by UDP are two
> different things. Stream 5 is a TCP/UDP connection state tracker, if
> you look in your rule files you will see many rules associated with
> the UDP protocol enabled.

oh, thanks for clarification... the rules in /etc/snort/rules... yes... what i 
don't understand is stream5 processor role for TCP/UDP/ICMP and stream5 
settings in snort.conf...

>
> If you are only getting UDP events being raised by Snort, this means
> one of two things.

No, i'm getting alerts on TCP, UDP, ICMP and so on...

> If Snort isn't seeing TCP traffic,

it can see it.

so, what will be the difference regarding alerts or snort behaviour in case 
when i'll enable UDP and ICMP in stream5 processor, like below:

preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp yes, track_icmp yes

or what will be if i'll disable stream5 for all like below

preprocessor stream5_global: track_tcp no, \
track_udp no, track_icmp no

And finally, the main question:
- does snort detect/alert broadcast storms (layer 2 and layer 3 broadcast 
storms) using my present rules/settings - i posted here all my snort.conf 
file? If not, how can be snort configured to detect bcast storms in our lan?

Regards,
Alx

>
> On 24 Jun 2008, at 14:45, Alex wrote:
> > hello snort experts,
> >
> > I am using snort-2.8.2.1 compiled with mysql support. Currently,
> > snort it logs
> > and produce UDP alerts even it seems that UDP support is disabled in
> > config
> > file.
> >
> > Starting snort, i can see in terminal:
> > [root at ...14374... ~]# snort -c /etc/snort/snort.conf
> > ...
> > Stream5 global config:
> > Track TCP sessions: ACTIVE
> > Max TCP sessions: 8192
> > Memcap (for reassembly packet storage): 8388608
> > Track UDP sessions: INACTIVE
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > Track ICMP sessions: INACTIVE
> > ...
> > Portscan Detection Config:
> > Detect Protocols: TCP UDP ICMP IP
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > Detect Scan Type: portscan portsweep decoy_portscan
> > distributed_portscan
> > Sensitivity Level: Low
> > Memcap (in bytes): 10000000
> > ...
> >
> > In snort.conf i can see only 2 lines related to UDP:
> >
> > preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> > track_udp no
> >
> > so here, no doubt that UDP is DISABLED
> >
> > and
> >
> > preprocessor sfportscan: proto { all } \
> > memcap { 10000000 } \
> > sense_level { low }
> >
> > If UDP support is disabled in snort.conf, which line match and
> > produce the
> > following UDP alerts? I'm not convinced that preprocessor sfportscan
> > will
> > generate it. Can anybody give me a hint?
> >
> > MS-SQL ping attempt 2008-06-23 17:51:15 192.168.0.139:1052
> > 255.255.255.255:1434 UDP
> >
> > or
> >
> > MISC UPnP malformed advertisement 2008-06-23 16:21:10
> > 169.254.209.225:1900
> > 239.255.255.250:1900 UDP
> >
> > below, comes my entire snort.conf file:
> >
> > var HOME_NET any
> > var EXTERNAL_NET any
> > var DNS_SERVERS $HOME_NET
> > var SMTP_SERVERS $HOME_NET
> > var HTTP_SERVERS $HOME_NET
> > var SQL_SERVERS $HOME_NET
> > var TELNET_SERVERS $HOME_NET
> > var SNMP_SERVERS $HOME_NET
> > portvar HTTP_PORTS 80
> > portvar SHELLCODE_PORTS !80
> > portvar ORACLE_PORTS 1521
> > var AIM_SERVERS
> > [64.12.24.0
> > /
> > 23,64.12.28.0
> > /
> > 23,64.12.161.0
> > /
> > 24,64.12.163.0
> > /
> > 24,64.12.200.0
> > /
> > 24,205.188.3.0
> > /
> > 24,205.188.5.0
> > /
> > 24,205.188.7.0
> > /24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> > var RULE_PATH /etc/snort/rules
> > var PREPROC_RULE_PATH ../preproc_rules
> > dynamicpreprocessor directory /usr/lib/
> > snort-2.8.2.1_dynamicpreprocessor/
> > dynamicengine /usr/lib/snort-2.8.2.1_dynamicengine/libsf_engine.so
> > preprocessor frag3_global: max_frags 65536
> > preprocessor frag3_engine: policy first detect_anomalies
> > preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> > track_udp no
> > preprocessor stream5_tcp: policy first, use_static_footprint_sizes
> > preprocessor http_inspect: global \
> > iis_unicode_map unicode.map 1252
> > preprocessor http_inspect_server: server default \
> > profile all ports { 80 8080 8180 } oversize_dir_length 500
> > preprocessor rpc_decode: 111 32771
> > preprocessor bo
> > preprocessor ftp_telnet: global \
> > encrypted_traffic yes \
> > inspection_type stateful
> > preprocessor ftp_telnet_protocol: telnet \
> > normalize \
> > ayt_attack_thresh 200
> > preprocessor ftp_telnet_protocol: ftp server default \
> > def_max_param_len 100 \
> > alt_max_param_len 200 { CWD } \
> > cmd_validity MODE < char ASBCZ > \
> > cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
> > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
> > telnet_cmds yes \
> > data_chan
> > preprocessor ftp_telnet_protocol: ftp client default \
> > max_resp_len 256 \
> > bounce yes \
> > telnet_cmds yes
> > preprocessor smtp: \
> > ports { 25 587 691 } \
> > inspection_type stateful \
> > normalize cmds \
> > normalize_cmds { EXPN VRFY RCPT } \
> > alt_max_command_line_len 260 { MAIL } \
> > alt_max_command_line_len 300 { RCPT } \
> > alt_max_command_line_len 500 { HELP HELO ETRN } \
> > alt_max_command_line_len 255 { EXPN VRFY }
> > preprocessor sfportscan: proto { all } \
> > memcap { 10000000 } \
> > sense_level { low }
> > preprocessor dcerpc: \
> > autodetect \
> > max_frag_size 3000 \
> > memcap 100000
> > preprocessor dns: \
> > ports { 53 } \
> > enable_rdata_overflow
> > preprocessor ssl: noinspect_encrypted
> > output database: log, mysql, user=snort password=password dbname=snort
> > host=localhost
> > include classification.config
> > include reference.config
> > include $RULE_PATH/local.rules
> > include $RULE_PATH/bad-traffic.rules
> > include $RULE_PATH/exploit.rules
> > include $RULE_PATH/scan.rules
> > include $RULE_PATH/finger.rules
> > include $RULE_PATH/ftp.rules
> > include $RULE_PATH/telnet.rules
> > include $RULE_PATH/rpc.rules
> > include $RULE_PATH/rservices.rules
> > include $RULE_PATH/dos.rules
> > include $RULE_PATH/ddos.rules
> > include $RULE_PATH/dns.rules
> > include $RULE_PATH/tftp.rules
> > include $RULE_PATH/web-cgi.rules
> > include $RULE_PATH/web-coldfusion.rules
> > include $RULE_PATH/web-iis.rules
> > include $RULE_PATH/web-frontpage.rules
> > include $RULE_PATH/web-misc.rules
> > include $RULE_PATH/web-client.rules
> > include $RULE_PATH/web-php.rules
> > include $RULE_PATH/sql.rules
> > include $RULE_PATH/x11.rules
> > include $RULE_PATH/icmp.rules
> > include $RULE_PATH/netbios.rules
> > include $RULE_PATH/misc.rules
> > include $RULE_PATH/attack-responses.rules
> > include $RULE_PATH/oracle.rules
> > include $RULE_PATH/mysql.rules
> > include $RULE_PATH/snmp.rules
> > include $RULE_PATH/smtp.rules
> > include $RULE_PATH/imap.rules
> > include $RULE_PATH/pop2.rules
> > include $RULE_PATH/pop3.rules
> > include $RULE_PATH/nntp.rules
> > include $RULE_PATH/other-ids.rules
> > include $RULE_PATH/experimental.rules
> >
> > Regards,
> > Alx
> >
> > -------------------------------------------------------------------------
> > Check out the new SourceForge.net Marketplace.
> > It's the best place to buy or sell services for
> > just about anything Open Source.
> > http://sourceforge.net/services/buy/index.php
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list