[Snort-users] snort-2.8.2.1 and udp alerts

Keith keith at ...1935...
Wed Jun 25 10:26:09 EDT 2008


inline

Alex wrote:
> On Tuesday 24 June 2008 18:40, you wrote:
>> Hi
>>
>> Stream 5 tracking UDP, and alerts being generated by UDP are two
>> different things. Stream 5 is a TCP/UDP connection state tracker. If
>> you look in your rule files you will see many rules associated with
>> the UDP protocol enabled.
> 
> oh, thanks for the clarification... the rules in /etc/snort/rules... yes... what I 
> don't understand is the stream5 processor role for TCP/UDP/ICMP and the stream5 
> settings in snort.conf...

Stream5 sets both stream reassembly policy and Flow. It enables you to 
do a few things. Stream5 will allow you to reassemble segmented traffic 
and alert on its content. It will also allow that reassembly to be done 
in a way that fits your environment (bsd, macos etc). A final feature of 
Stream5 is that it enables the ability to alert on flow. So you can 
write rules that use "flow: established, to_server". Doing so would 
restrict the rule to only alert on traffic from IP-port pairs with an 
existing connection.

There are a few more advantages offered by stream5. For more details 
check README.stream5 in the doc directory, or the snort manual.

Regards,
Keith

> 
>> If you are only getting UDP events being raised by Snort, this means
>> one of two things.
> 
> No, i'm getting alerts on TCP, UDP, ICMP and so on...
> 
>> If Snort isn't seeing TCP traffic,
> 
> it can see it.
> 
> so, what will be the difference regarding alerts or snort behaviour if 
> I enable UDP and ICMP in the stream5 processor, like below:
> 
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> track_udp yes, track_icmp yes
> 
> or what happens if I disable stream5 for all, like below:
> 
> preprocessor stream5_global: track_tcp no, \
> track_udp no, track_icmp no
> 
> And finally, the main question:
> - does snort detect/alert on broadcast storms (layer 2 and layer 3 broadcast 
> storms) using my present rules/settings? I posted my whole snort.conf 
> file here. If not, how can snort be configured to detect bcast storms in our lan?
> 
> Regards,
> Alx
> 
>> On 24 Jun 2008, at 14:45, Alex wrote:
>>> hello snort experts,
>>>
>>> I am using snort-2.8.2.1 compiled with mysql support. Currently,
>>> snort logs and produces UDP alerts even though it seems that UDP
>>> support is disabled in the config file.
>>>
>>> Starting snort, i can see in terminal:
>>> [root at ...14374... ~]# snort -c /etc/snort/snort.conf
>>> ...
>>> Stream5 global config:
>>> Track TCP sessions: ACTIVE
>>> Max TCP sessions: 8192
>>> Memcap (for reassembly packet storage): 8388608
>>> Track UDP sessions: INACTIVE
>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> Track ICMP sessions: INACTIVE
>>> ...
>>> Portscan Detection Config:
>>> Detect Protocols: TCP UDP ICMP IP
>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
>>> Sensitivity Level: Low
>>> Memcap (in bytes): 10000000
>>> ...
>>>
>>> In snort.conf i can see only 2 lines related to UDP:
>>>
>>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>>> track_udp no
>>>
>>> so here, no doubt that UDP is DISABLED
>>>
>>> and
>>>
>>> preprocessor sfportscan: proto { all } \
>>> memcap { 10000000 } \
>>> sense_level { low }
>>>
>>> If UDP support is disabled in snort.conf, which line matches and
>>> produces the following UDP alerts? I'm not convinced that preprocessor
>>> sfportscan will generate them. Can anybody give me a hint?
>>>
>>> MS-SQL ping attempt 2008-06-23 17:51:15 192.168.0.139:1052 255.255.255.255:1434 UDP
>>>
>>> or
>>>
>>> MISC UPnP malformed advertisement 2008-06-23 16:21:10 169.254.209.225:1900 239.255.255.250:1900 UDP
>>>
>>> below, comes my entire snort.conf file:
>>>
>>> var HOME_NET any
>>> var EXTERNAL_NET any
>>> var DNS_SERVERS $HOME_NET
>>> var SMTP_SERVERS $HOME_NET
>>> var HTTP_SERVERS $HOME_NET
>>> var SQL_SERVERS $HOME_NET
>>> var TELNET_SERVERS $HOME_NET
>>> var SNMP_SERVERS $HOME_NET
>>> portvar HTTP_PORTS 80
>>> portvar SHELLCODE_PORTS !80
>>> portvar ORACLE_PORTS 1521
>>> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>>> var RULE_PATH /etc/snort/rules
>>> var PREPROC_RULE_PATH ../preproc_rules
>>> dynamicpreprocessor directory /usr/lib/snort-2.8.2.1_dynamicpreprocessor/
>>> dynamicengine /usr/lib/snort-2.8.2.1_dynamicengine/libsf_engine.so
>>> preprocessor frag3_global: max_frags 65536
>>> preprocessor frag3_engine: policy first detect_anomalies
>>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>>> track_udp no
>>> preprocessor stream5_tcp: policy first, use_static_footprint_sizes
>>> preprocessor http_inspect: global \
>>> iis_unicode_map unicode.map 1252
>>> preprocessor http_inspect_server: server default \
>>> profile all ports { 80 8080 8180 } oversize_dir_length 500
>>> preprocessor rpc_decode: 111 32771
>>> preprocessor bo
>>> preprocessor ftp_telnet: global \
>>> encrypted_traffic yes \
>>> inspection_type stateful
>>> preprocessor ftp_telnet_protocol: telnet \
>>> normalize \
>>> ayt_attack_thresh 200
>>> preprocessor ftp_telnet_protocol: ftp server default \
>>> def_max_param_len 100 \
>>> alt_max_param_len 200 { CWD } \
>>> cmd_validity MODE < char ASBCZ > \
>>> cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>>> chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
>>> telnet_cmds yes \
>>> data_chan
>>> preprocessor ftp_telnet_protocol: ftp client default \
>>> max_resp_len 256 \
>>> bounce yes \
>>> telnet_cmds yes
>>> preprocessor smtp: \
>>> ports { 25 587 691 } \
>>> inspection_type stateful \
>>> normalize cmds \
>>> normalize_cmds { EXPN VRFY RCPT } \
>>> alt_max_command_line_len 260 { MAIL } \
>>> alt_max_command_line_len 300 { RCPT } \
>>> alt_max_command_line_len 500 { HELP HELO ETRN } \
>>> alt_max_command_line_len 255 { EXPN VRFY }
>>> preprocessor sfportscan: proto { all } \
>>> memcap { 10000000 } \
>>> sense_level { low }
>>> preprocessor dcerpc: \
>>> autodetect \
>>> max_frag_size 3000 \
>>> memcap 100000
>>> preprocessor dns: \
>>> ports { 53 } \
>>> enable_rdata_overflow
>>> preprocessor ssl: noinspect_encrypted
>>> output database: log, mysql, user=snort password=password dbname=snort host=localhost
>>> include classification.config
>>> include reference.config
>>> include $RULE_PATH/local.rules
>>> include $RULE_PATH/bad-traffic.rules
>>> include $RULE_PATH/exploit.rules
>>> include $RULE_PATH/scan.rules
>>> include $RULE_PATH/finger.rules
>>> include $RULE_PATH/ftp.rules
>>> include $RULE_PATH/telnet.rules
>>> include $RULE_PATH/rpc.rules
>>> include $RULE_PATH/rservices.rules
>>> include $RULE_PATH/dos.rules
>>> include $RULE_PATH/ddos.rules
>>> include $RULE_PATH/dns.rules
>>> include $RULE_PATH/tftp.rules
>>> include $RULE_PATH/web-cgi.rules
>>> include $RULE_PATH/web-coldfusion.rules
>>> include $RULE_PATH/web-iis.rules
>>> include $RULE_PATH/web-frontpage.rules
>>> include $RULE_PATH/web-misc.rules
>>> include $RULE_PATH/web-client.rules
>>> include $RULE_PATH/web-php.rules
>>> include $RULE_PATH/sql.rules
>>> include $RULE_PATH/x11.rules
>>> include $RULE_PATH/icmp.rules
>>> include $RULE_PATH/netbios.rules
>>> include $RULE_PATH/misc.rules
>>> include $RULE_PATH/attack-responses.rules
>>> include $RULE_PATH/oracle.rules
>>> include $RULE_PATH/mysql.rules
>>> include $RULE_PATH/snmp.rules
>>> include $RULE_PATH/smtp.rules
>>> include $RULE_PATH/imap.rules
>>> include $RULE_PATH/pop2.rules
>>> include $RULE_PATH/pop3.rules
>>> include $RULE_PATH/nntp.rules
>>> include $RULE_PATH/other-ids.rules
>>> include $RULE_PATH/experimental.rules
>>>
>>> Regards,
>>> Alx
>>>
>>> -------------------------------------------------------------------------
>>> Check out the new SourceForge.net Marketplace.
>>> It's the best place to buy or sell services for
>>> just about anything Open Source.
>>> http://sourceforge.net/services/buy/index.php
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
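Added example, not code from Keith, Alex or the Snort project: a small Python checker that parses Snort 2.x rule lines and, given an alert in the format Alex pasted, reports which rule fits it and whether that rule needed Stream5 at all (a UDP rule with no flow keyword fires per packet, whatever track_udp says). The three rules and their sids below are constructed placeholders; pointing parse_rules at the real contents of /etc/snort/rules answers "which line matched".

```python
import re

# Constructed sample rules in Snort 2.x syntax (not taken from any shipped rule
# file); the sids are placeholders chosen for this example, not real VRT sids.
SAMPLE_RULES = """
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL ping attempt"; content:"|02|"; depth:1; sid:9000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC example"; flow:established,to_server; content:"/example"; sid:9000003; rev:1;)
"""

HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+'
    r'(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# option ::= keyword [":" value] ";"  -- quoted values may themselves contain ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
# Alert layout as pasted in the thread: msg date time src:sport dst:dport PROTO
ALERT_RE = re.compile(
    r'^(?P<msg>.+?)\s+\d{4}-\d\d-\d\d\s+\d\d:\d\d:\d\d\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+'
    r'(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$')

def parse_rules(text):
    """Parse rule lines into dicts of header fields plus an 'opts' dict."""
    rules = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, syntax this toy parser does not handle
        rule = m.groupdict()
        rule['opts'] = {k: (v or '').strip('"') for k, v in OPTION_RE.findall(m.group('opts'))}
        rules.append(rule)
    return rules

def explain_alert(alert_line, rules):
    """Find the rule whose msg/proto/dport fit an alert line and say whether it
    depended on Stream5 (flow or flowbits) or matched statelessly per packet."""
    a = ALERT_RE.match(alert_line.strip())
    if not a:
        raise ValueError("unrecognised alert line")
    for r in rules:
        if r['opts'].get('msg') != a['msg'] or r['proto'] != a['proto'].lower():
            continue
        if r['dport'].isdigit() and r['dport'] != a['dport']:
            continue  # a literal port must agree; $VARS and 'any' cannot be checked here
        stateful = 'flow' in r['opts'] or 'flowbits' in r['opts']
        return {'sid': r['opts'].get('sid'), 'proto': r['proto'], 'needs_stream5': stateful,
                'reason': ('flow keyword: fires only on a Stream5-tracked session' if stateful
                           else 'no flow keyword: fires on every matching packet, '
                                'regardless of track_%s' % r['proto'])}
    return None
```

Run with `explain_alert("MS-SQL ping attempt 2008-06-23 17:51:15 192.168.0.139:1052 255.255.255.255:1434 UDP", parse_rules(SAMPLE_RULES))` to see that the matching UDP rule carries no flow keyword, which is why it alerts with track_udp set to no.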