[Snort-users] snort-2.8.2.1 and udp alerts

Keith keith at ...1935...
Wed Jun 25 11:02:21 EDT 2008


inline

Alex wrote:
>> Stream5 sets both stream reassembly policy, and Flow. It enables you to
>> do a few things. Stream5 will allow you to reassemble  segmented traffic
>> and alert on its content. It will also allow that reassembly to be done
>> in a way that fits your environment (bsd, macos etc). A final feature of
>> Stream5 is that it enables the ability to alert on flow. So you can
>> write rules that use "flow: established, to_server" in your rules. Doing
>> so would restrict the rule to only alert on traffic from IP-port pairs
>> with an existing connection.
>>
> 
> So, as I understand from your explanation, is it better to set in snort.conf
> preprocessor stream5_global: ... track_udp NO, in order to catch ANY UDP
> traffic? I don't understand how to set the Stream5 preprocessor, even after I read
> README.stream5, to catch and alert on excessive broadcast requests.

No, Stream5 does not override non-flow rules; it just enables another set
of "targeted rules". So without track_udp, yes, Snort would only alert on
rules that target UDP without "flow: established" in the rule. With it,
Snort would alert on the regular rules that target UDP, as well as ones
that had "flow: established" and targeted UDP.

> 
> I am very interested in broadcast traffic in general (not especially
> related to UDP). In this case, is it enough to leave the default snort settings
> unchanged, or is it REQUIRED to add some new rules?
> 
> Regards,
> Alx
> 
>> There are a few more advantages offered by stream5. For more details
>> check README.stream5 in the doc directory, or the snort manual.
>>
>> Regards,
>> Keith
>>
>>>> If you are only getting UDP events being raised by Snort, this means
>>>> one of two things.
>>> No, I'm getting alerts on TCP, UDP, ICMP and so on...
>>>
>>>> If Snort isn't seeing TCP traffic,
>>> it can see it.
>>>
>>> so, what will be the difference regarding alerts or snort behaviour in
>>> case I enable UDP and ICMP in the stream5 preprocessor, like below:
>>>
>>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>>> track_udp yes, track_icmp yes
>>>
>>> or what will happen if I disable stream5 for all, like below
>>>
>>> preprocessor stream5_global: track_tcp no, \
>>> track_udp no, track_icmp no
>>>
>>> And finally, the main question:
>>> - does snort detect/alert on broadcast storms (layer 2 and layer 3 broadcast
>>> storms) using my present rules/settings? (I posted my entire snort.conf
>>> file here.) If not, how can snort be configured to detect bcast storms in our
>>> LAN?
>>>
>>> Regards,
>>> Alx
>>>
>>>> On 24 Jun 2008, at 14:45, Alex wrote:
>>>>> hello snort experts,
>>>>>
>>>>> I am using snort-2.8.2.1 compiled with mysql support. Currently,
>>>>> snort logs and produces UDP alerts even though it seems that UDP
>>>>> support is disabled in the config file.
>>>>>
>>>>> Starting snort, I can see in the terminal:
>>>>> [root at ...14374... ~]# snort -c /etc/snort/snort.conf
>>>>> ...
>>>>> Stream5 global config:
>>>>> Track TCP sessions: ACTIVE
>>>>> Max TCP sessions: 8192
>>>>> Memcap (for reassembly packet storage): 8388608
>>>>> Track UDP sessions: INACTIVE
>>>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>>> Track ICMP sessions: INACTIVE
>>>>> ...
>>>>> Portscan Detection Config:
>>>>> Detect Protocols: TCP UDP ICMP IP
>>>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>>> Detect Scan Type: portscan portsweep decoy_portscan
>>>>> distributed_portscan
>>>>> Sensitivity Level: Low
>>>>> Memcap (in bytes): 10000000
>>>>> ...
>>>>>
>>>>> In snort.conf I can see only 2 lines related to UDP:
>>>>>
>>>>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>>>>> track_udp no
>>>>>
>>>>> so here, no doubt that UDP is DISABLED
>>>>>
>>>>> and
>>>>>
>>>>> preprocessor sfportscan: proto { all } \
>>>>> memcap { 10000000 } \
>>>>> sense_level { low }
>>>>>
>>>>> If UDP support is disabled in snort.conf, which line matches and
>>>>> produces the following UDP alerts? I'm not convinced that preprocessor
>>>>> sfportscan will generate them. Can anybody give me a hint?
>>>>>
>>>>> MS-SQL ping attempt 2008-06-23 17:51:15 192.168.0.139:1052
>>>>> 255.255.255.255:1434 UDP
>>>>>
>>>>> or
>>>>>
>>>>> MISC UPnP malformed advertisement 2008-06-23 16:21:10
>>>>> 169.254.209.225:1900
>>>>> 239.255.255.250:1900 UDP
>>>>>
>>>>> below comes my entire snort.conf file:
>>>>>
>>>>> var HOME_NET any
>>>>> var EXTERNAL_NET any
>>>>> var DNS_SERVERS $HOME_NET
>>>>> var SMTP_SERVERS $HOME_NET
>>>>> var HTTP_SERVERS $HOME_NET
>>>>> var SQL_SERVERS $HOME_NET
>>>>> var TELNET_SERVERS $HOME_NET
>>>>> var SNMP_SERVERS $HOME_NET
>>>>> portvar HTTP_PORTS 80
>>>>> portvar SHELLCODE_PORTS !80
>>>>> portvar ORACLE_PORTS 1521
>>>>> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>>>>> var RULE_PATH /etc/snort/rules
>>>>> var PREPROC_RULE_PATH ../preproc_rules
>>>>> dynamicpreprocessor directory /usr/lib/snort-2.8.2.1_dynamicpreprocessor/
>>>>> dynamicengine /usr/lib/snort-2.8.2.1_dynamicengine/libsf_engine.so
>>>>> preprocessor frag3_global: max_frags 65536
>>>>> preprocessor frag3_engine: policy first detect_anomalies
>>>>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>>>>> track_udp no
>>>>> preprocessor stream5_tcp: policy first, use_static_footprint_sizes
>>>>> preprocessor http_inspect: global \
>>>>> iis_unicode_map unicode.map 1252
>>>>> preprocessor http_inspect_server: server default \
>>>>> profile all ports { 80 8080 8180 } oversize_dir_length 500
>>>>> preprocessor rpc_decode: 111 32771
>>>>> preprocessor bo
>>>>> preprocessor ftp_telnet: global \
>>>>> encrypted_traffic yes \
>>>>> inspection_type stateful
>>>>> preprocessor ftp_telnet_protocol: telnet \
>>>>> normalize \
>>>>> ayt_attack_thresh 200
>>>>> preprocessor ftp_telnet_protocol: ftp server default \
>>>>> def_max_param_len 100 \
>>>>> alt_max_param_len 200 { CWD } \
>>>>> cmd_validity MODE < char ASBCZ > \
>>>>> cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>>>>> chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
>>>>> telnet_cmds yes \
>>>>> data_chan
>>>>> preprocessor ftp_telnet_protocol: ftp client default \
>>>>> max_resp_len 256 \
>>>>> bounce yes \
>>>>> telnet_cmds yes
>>>>> preprocessor smtp: \
>>>>> ports { 25 587 691 } \
>>>>> inspection_type stateful \
>>>>> normalize cmds \
>>>>> normalize_cmds { EXPN VRFY RCPT } \
>>>>> alt_max_command_line_len 260 { MAIL } \
>>>>> alt_max_command_line_len 300 { RCPT } \
>>>>> alt_max_command_line_len 500 { HELP HELO ETRN } \
>>>>> alt_max_command_line_len 255 { EXPN VRFY }
>>>>> preprocessor sfportscan: proto { all } \
>>>>> memcap { 10000000 } \
>>>>> sense_level { low }
>>>>> preprocessor dcerpc: \
>>>>> autodetect \
>>>>> max_frag_size 3000 \
>>>>> memcap 100000
>>>>> preprocessor dns: \
>>>>> ports { 53 } \
>>>>> enable_rdata_overflow
>>>>> preprocessor ssl: noinspect_encrypted
>>>>> output database: log, mysql, user=snort password=password dbname=snort host=localhost
>>>>> include classification.config
>>>>> include reference.config
>>>>> include $RULE_PATH/local.rules
>>>>> include $RULE_PATH/bad-traffic.rules
>>>>> include $RULE_PATH/exploit.rules
>>>>> include $RULE_PATH/scan.rules
>>>>> include $RULE_PATH/finger.rules
>>>>> include $RULE_PATH/ftp.rules
>>>>> include $RULE_PATH/telnet.rules
>>>>> include $RULE_PATH/rpc.rules
>>>>> include $RULE_PATH/rservices.rules
>>>>> include $RULE_PATH/dos.rules
>>>>> include $RULE_PATH/ddos.rules
>>>>> include $RULE_PATH/dns.rules
>>>>> include $RULE_PATH/tftp.rules
>>>>> include $RULE_PATH/web-cgi.rules
>>>>> include $RULE_PATH/web-coldfusion.rules
>>>>> include $RULE_PATH/web-iis.rules
>>>>> include $RULE_PATH/web-frontpage.rules
>>>>> include $RULE_PATH/web-misc.rules
>>>>> include $RULE_PATH/web-client.rules
>>>>> include $RULE_PATH/web-php.rules
>>>>> include $RULE_PATH/sql.rules
>>>>> include $RULE_PATH/x11.rules
>>>>> include $RULE_PATH/icmp.rules
>>>>> include $RULE_PATH/netbios.rules
>>>>> include $RULE_PATH/misc.rules
>>>>> include $RULE_PATH/attack-responses.rules
>>>>> include $RULE_PATH/oracle.rules
>>>>> include $RULE_PATH/mysql.rules
>>>>> include $RULE_PATH/snmp.rules
>>>>> include $RULE_PATH/smtp.rules
>>>>> include $RULE_PATH/imap.rules
>>>>> include $RULE_PATH/pop2.rules
>>>>> include $RULE_PATH/pop3.rules
>>>>> include $RULE_PATH/nntp.rules
>>>>> include $RULE_PATH/other-ids.rules
>>>>> include $RULE_PATH/experimental.rules
>>>>>
>>>>> Regards,
>>>>> Alx
>>>>>
>>>>> -----------------------------------------------------------------------
>>>>> -- Check out the new SourceForge.net Marketplace.
>>>>> It's the best place to buy or sell services for
>>>>> just about anything Open Source.
>>>>> http://sourceforge.net/services/buy/index.php
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 

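A small model of the point Keith makes above: with HOME_NET and EXTERNAL_NET both set to `any`, an ordinary `alert udp` rule without a `flow` option still matches the broadcast and multicast datagrams in the alerts, whether or not Stream5 tracks UDP; only a UDP rule that uses `flow` depends on `track_udp yes`. This is an added example, not code from the thread or from Snort: the rule texts, sids (900001 upward) and the "HYPOTHETICAL flow-based UDP rule" are constructed for illustration, and the packets are built from the two alert lines in the original post.

```python
# Added example: toy model of Snort's header matching plus the Stream5
# track_udp dependency of the flow keyword. Rules and sids are constructed.
import re
from ipaddress import ip_address, ip_network

RULES = [
    'alert udp any any -> any 1434 (msg:"MS-SQL ping attempt"; sid:900001;)',
    'alert udp any any -> any 1900 (msg:"MISC UPnP malformed advertisement"; sid:900002;)',
    # Hypothetical rule: only evaluable when Stream5 tracks UDP sessions.
    'alert udp any any -> any 1434 (msg:"HYPOTHETICAL flow-based UDP rule"; '
    'flow:established,to_server; sid:900003;)',
]

HEADER = re.compile(r'^alert (\w+) (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$')

def parse_rule(text):
    """Split a one-line rule into its header fields and an option dict."""
    proto, src, sport, dst, dport, body = HEADER.match(text).groups()
    opts = {}
    for opt in filter(None, (o.strip() for o in body.split(';'))):
        key, _, val = opt.partition(':')
        opts[key.strip()] = val.strip()
    return {'proto': proto, 'src': src, 'sport': sport,
            'dst': dst, 'dport': dport, 'opts': opts}

def addr_match(spec, ip):
    return spec == 'any' or ip_address(ip) in ip_network(spec, strict=False)

def port_match(spec, port):
    return spec == 'any' or int(spec) == port

def rule_eligible(rule, track_udp):
    """A UDP rule carrying a flow option needs Stream5 UDP tracking;
    rules without flow are evaluated regardless of track_udp."""
    if rule['proto'] == 'udp' and 'flow' in rule['opts']:
        return track_udp
    return True

def matching_msgs(packet, track_udp):
    """msg strings of rules whose header matches and which can fire."""
    hits = []
    for r in map(parse_rule, RULES):
        if r['proto'] != packet['proto'] or not rule_eligible(r, track_udp):
            continue
        if (addr_match(r['src'], packet['src']) and port_match(r['sport'], packet['sport'])
                and addr_match(r['dst'], packet['dst']) and port_match(r['dport'], packet['dport'])):
            hits.append(r['opts']['msg'].strip('"'))
    return hits

# Packets reconstructed from the two alert lines in the post.
MSSQL_PING = {'proto': 'udp', 'src': '192.168.0.139', 'sport': 1052,
              'dst': '255.255.255.255', 'dport': 1434}
UPNP_ADV = {'proto': 'udp', 'src': '169.254.209.225', 'sport': 1900,
            'dst': '239.255.255.250', 'dport': 1900}
```

With `track_udp no` the MS-SQL ping packet still hits the plain rule, and only the flow-based rule drops out; setting `track_udp yes` adds it back.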