[Snort-users] snort-2.8.2.1 and udp alerts

Alex linux at ...14373...
Wed Jun 25 10:42:01 EDT 2008


> Stream5 sets both stream reassembly policy, and Flow. It enables you to
> do a few things. Stream5 will allow you to reassemble segmented traffic
> and alert on its content. It will also allow that reassembly to be done
> in a way that fits your environment (bsd, macos etc). A final feature of
> Stream5 is that it enables the ability to alert on flow. So you can
> write rules that use "flow: established, to_server" in your rules. Doing
> so would restrict the rule to only alert on traffic from IP-port pairs
> with an existing connection.
>

So, as I understand from your explanation, is it better to set in snort.conf
preprocessor stream5_global: ... track_udp NO, in order to catch ANY UDP 
traffic? I don't understand how to set the Stream5 processor, even after I read 
README.stream5, to catch and alert on excessive broadcast requests.

I am very interested in broadcast traffic in general (not especially 
related to UDP). In this case, is it enough to leave the default snort settings 
unchanged, or is it REQUIRED to add some new rules?

Regards,
Alx

> There are a few more advantages offered by stream5. For more details
> check README.stream5 in the doc directory, or the snort manual.
>
> Regards,
> Keith
>
> >> If you are only getting UDP events being raised by Snort, this means
> >> one of two things.
> >
> > No, I'm getting alerts on TCP, UDP, ICMP and so on...
> >
> >> If Snort isn't seeing TCP traffic,
> >
> > it can see it.
> >
> > So, what will be the difference regarding alerts or snort behaviour in
> > case I enable UDP and ICMP in the stream5 processor, like below:
> >
> > preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> > track_udp yes, track_icmp yes
> >
> > or what will happen if I disable stream5 for all, like below:
> >
> > preprocessor stream5_global: track_tcp no, \
> > track_udp no, track_icmp no
> >
> > And finally, the main question:
> > - does snort detect/alert on broadcast storms (layer 2 and layer 3 broadcast
> > storms) using my present rules/settings (I posted my whole snort.conf
> > file here)? If not, how can snort be configured to detect bcast storms in our
> > lan?
> >
> > Regards,
> > Alx
> >
> >> On 24 Jun 2008, at 14:45, Alex wrote:
> >>> Hello snort experts,
> >>>
> >>> I am using snort-2.8.2.1 compiled with mysql support. Currently,
> >>> snort logs and produces UDP alerts even though it seems that UDP support
> >>> is disabled in the config file.
> >>>
> >>> Starting snort, I can see in the terminal:
> >>> [root at ...14374... ~]# snort -c /etc/snort/snort.conf
> >>> ...
> >>> Stream5 global config:
> >>> Track TCP sessions: ACTIVE
> >>> Max TCP sessions: 8192
> >>> Memcap (for reassembly packet storage): 8388608
> >>> Track UDP sessions: INACTIVE
> >>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>> Track ICMP sessions: INACTIVE
> >>> ...
> >>> Portscan Detection Config:
> >>> Detect Protocols: TCP UDP ICMP IP
> >>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>> Detect Scan Type: portscan portsweep decoy_portscan
> >>> distributed_portscan
> >>> Sensitivity Level: Low
> >>> Memcap (in bytes): 10000000
> >>> ...
> >>>
> >>> In snort.conf I can see only 2 lines related to UDP:
> >>>
> >>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> >>> track_udp no
> >>>
> >>> so here, no doubt that UDP is DISABLED,
> >>>
> >>> and
> >>>
> >>> preprocessor sfportscan: proto { all } \
> >>> memcap { 10000000 } \
> >>> sense_level { low }
> >>>
> >>> If UDP support is disabled in snort.conf, which line matches and
> >>> produces the following UDP alerts? I'm not convinced that the
> >>> preprocessor sfportscan will generate them. Can anybody give me a hint?
> >>>
> >>> MS-SQL ping attempt 2008-06-23 17:51:15 192.168.0.139:1052
> >>> 255.255.255.255:1434 UDP
> >>>
> >>> or
> >>>
> >>> MISC UPnP malformed advertisement 2008-06-23 16:21:10
> >>> 169.254.209.225:1900
> >>> 239.255.255.250:1900 UDP
> >>>
> >>> Below comes my entire snort.conf file:
> >>>
> >>> var HOME_NET any
> >>> var EXTERNAL_NET any
> >>> var DNS_SERVERS $HOME_NET
> >>> var SMTP_SERVERS $HOME_NET
> >>> var HTTP_SERVERS $HOME_NET
> >>> var SQL_SERVERS $HOME_NET
> >>> var TELNET_SERVERS $HOME_NET
> >>> var SNMP_SERVERS $HOME_NET
> >>> portvar HTTP_PORTS 80
> >>> portvar SHELLCODE_PORTS !80
> >>> portvar ORACLE_PORTS 1521
> >>> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> >>> var RULE_PATH /etc/snort/rules
> >>> var PREPROC_RULE_PATH ../preproc_rules
> >>> dynamicpreprocessor directory /usr/lib/snort-2.8.2.1_dynamicpreprocessor/
> >>> dynamicengine /usr/lib/snort-2.8.2.1_dynamicengine/libsf_engine.so
> >>> preprocessor frag3_global: max_frags 65536
> >>> preprocessor frag3_engine: policy first detect_anomalies
> >>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> >>> track_udp no
> >>> preprocessor stream5_tcp: policy first, use_static_footprint_sizes
> >>> preprocessor http_inspect: global \
> >>> iis_unicode_map unicode.map 1252
> >>> preprocessor http_inspect_server: server default \
> >>> profile all ports { 80 8080 8180 } oversize_dir_length 500
> >>> preprocessor rpc_decode: 111 32771
> >>> preprocessor bo
> >>> preprocessor ftp_telnet: global \
> >>> encrypted_traffic yes \
> >>> inspection_type stateful
> >>> preprocessor ftp_telnet_protocol: telnet \
> >>> normalize \
> >>> ayt_attack_thresh 200
> >>> preprocessor ftp_telnet_protocol: ftp server default \
> >>> def_max_param_len 100 \
> >>> alt_max_param_len 200 { CWD } \
> >>> cmd_validity MODE < char ASBCZ > \
> >>> cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
> >>> chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
> >>> telnet_cmds yes \
> >>> data_chan
> >>> preprocessor ftp_telnet_protocol: ftp client default \
> >>> max_resp_len 256 \
> >>> bounce yes \
> >>> telnet_cmds yes
> >>> preprocessor smtp: \
> >>> ports { 25 587 691 } \
> >>> inspection_type stateful \
> >>> normalize cmds \
> >>> normalize_cmds { EXPN VRFY RCPT } \
> >>> alt_max_command_line_len 260 { MAIL } \
> >>> alt_max_command_line_len 300 { RCPT } \
> >>> alt_max_command_line_len 500 { HELP HELO ETRN } \
> >>> alt_max_command_line_len 255 { EXPN VRFY }
> >>> preprocessor sfportscan: proto { all } \
> >>> memcap { 10000000 } \
> >>> sense_level { low }
> >>> preprocessor dcerpc: \
> >>> autodetect \
> >>> max_frag_size 3000 \
> >>> memcap 100000
> >>> preprocessor dns: \
> >>> ports { 53 } \
> >>> enable_rdata_overflow
> >>> preprocessor ssl: noinspect_encrypted
> >>> output database: log, mysql, user=snort password=password dbname=snort host=localhost
> >>> include classification.config
> >>> include reference.config
> >>> include $RULE_PATH/local.rules
> >>> include $RULE_PATH/bad-traffic.rules
> >>> include $RULE_PATH/exploit.rules
> >>> include $RULE_PATH/scan.rules
> >>> include $RULE_PATH/finger.rules
> >>> include $RULE_PATH/ftp.rules
> >>> include $RULE_PATH/telnet.rules
> >>> include $RULE_PATH/rpc.rules
> >>> include $RULE_PATH/rservices.rules
> >>> include $RULE_PATH/dos.rules
> >>> include $RULE_PATH/ddos.rules
> >>> include $RULE_PATH/dns.rules
> >>> include $RULE_PATH/tftp.rules
> >>> include $RULE_PATH/web-cgi.rules
> >>> include $RULE_PATH/web-coldfusion.rules
> >>> include $RULE_PATH/web-iis.rules
> >>> include $RULE_PATH/web-frontpage.rules
> >>> include $RULE_PATH/web-misc.rules
> >>> include $RULE_PATH/web-client.rules
> >>> include $RULE_PATH/web-php.rules
> >>> include $RULE_PATH/sql.rules
> >>> include $RULE_PATH/x11.rules
> >>> include $RULE_PATH/icmp.rules
> >>> include $RULE_PATH/netbios.rules
> >>> include $RULE_PATH/misc.rules
> >>> include $RULE_PATH/attack-responses.rules
> >>> include $RULE_PATH/oracle.rules
> >>> include $RULE_PATH/mysql.rules
> >>> include $RULE_PATH/snmp.rules
> >>> include $RULE_PATH/smtp.rules
> >>> include $RULE_PATH/imap.rules
> >>> include $RULE_PATH/pop2.rules
> >>> include $RULE_PATH/pop3.rules
> >>> include $RULE_PATH/nntp.rules
> >>> include $RULE_PATH/other-ids.rules
> >>> include $RULE_PATH/experimental.rules
> >>>
> >>> Regards,
> >>> Alx
> >>>
> >>> -------------------------------------------------------------------------
> >>> Check out the new SourceForge.net Marketplace.
> >>> It's the best place to buy or sell services for
> >>> just about anything Open Source.
> >>> http://sourceforge.net/services/buy/index.php
> >>> _______________________________________________
> >>> Snort-users mailing list
> >>> Snort-users at lists.sourceforge.net
> >>> Go to this URL to change user options or unsubscribe:
> >>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>> Snort-users list archive:
> >>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
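An added illustration for the thread's main question, using constructed local rules (not from this thread, the poster's snort.conf, or the Snort ruleset; the $HOME_NET/$EXTERNAL_NET variables and the sid numbers in the local range are assumptions). A plain content rule on UDP is evaluated per packet, so it fires with "track_udp no"; only options that need session state, such as "flow", depend on Stream5 tracking; and a rate-based rule is one way to alert on a burst of broadcast packets from one host:

```snort
# Rule 1: content match on a single UDP packet. No session state is
# involved, so this fires regardless of stream5_global track_udp. The
# "MS-SQL ping attempt" alert quoted in the thread comes from a rule of
# this kind (constructed rule, not the ruleset's own).
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 ( \
    msg:"LOCAL MS-SQL ping attempt (per-packet content match)"; \
    content:"|02|"; depth:1; \
    classtype:misc-activity; sid:1000001; rev:1; )

# Rule 2: the flow keyword needs Stream5 session state. On TCP this works
# with track_tcp yes (as in the posted config); a UDP rule using flow
# would require track_udp yes, otherwise it never matches.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 ( \
    msg:"LOCAL MS-SQL traffic on an established session (to_server)"; \
    flow:established,to_server; content:"|10|"; depth:1; \
    classtype:misc-activity; sid:1000002; rev:1; )

# Rule 3: rate-based alert on broadcast traffic. Alerts once per 10 s
# window after a single source has sent 200 UDP packets to the limited
# broadcast address. The count and window are constructed values; tune
# them to the LAN's normal broadcast rate.
alert udp $HOME_NET any -> 255.255.255.255 any ( \
    msg:"LOCAL excessive UDP broadcast from one host"; \
    threshold:type both, track by_src, count 200, seconds 10; \
    classtype:misc-activity; sid:1000003; rev:1; )
```

Rule 3 only covers layer-3 (IP) broadcast; layer-2 storms such as ARP floods are not seen by IP rules at all, so they need a separate mechanism.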