[Snort-users] Snort not seeing all traffic

Joel Esler eslerj at ...11827...
Thu Feb 12 12:21:02 EST 2009


Jimmy, it's hard for us to troubleshoot what is going on if Snort did
indeed drop packets.  We can't rule out with 100% certainty that Snort
isn't seeing the traffic, if in fact, it's dropping packets.

Can you capture a pcap of the traffic and run Snort against the pcap?
That way we can rule out dropped packets.

Joel

It's obviously seeing the traffic, as you are getting alerts.

On Thu, Feb 12, 2009 at 11:54 AM, Jimmy Tharel <jtharel at ...131...> wrote:
> Initially I thought I had a problem with a rule that I wrote but it appears
> Snort isn't seeing all of the data coming over the wire.  I wrote a simple
> rule:
>
> alert tcp <my ip> any <> any any (msg:"Jimmy - Test rule";
> classtype:attempted-dos; sid:2000000; rev:1;)
>
> I sent 50 packets across the wire and Snort only picked up 10 of them and
> alerted.  I had tcpdump running at the same time and it picked up all of
> them.
>
> I'm currently running 2.8.3.2.  It doesn't look like I'm dropping packets
> (especially since tcpdump sees the traffic, and the snort output shows very
> little packet loss); my CPU and memory are not being taxed at all.  Currently I
> only have the one rule enabled plus the preprocessors.
>
> Does anybody have any idea what could be happening?  If you need any more
> info I will be happy to share it.
>
> Below are my snort.conf and the output of Snort running for a brief period
> of time when the 50 packets were sent.
>
> Here is my snort.conf:
> var HOME_NET any
> var EXTERNAL_NET any
> var DNS_SERVERS [10.196.4.1,10.196.4.2]
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS [10.196.2.102,10.196.2.103,10.196.2.105,10.196.2.132,10.196.2.133,10.185.9.42,10.185.9.43,10.185.9.44,10.185.9.56,10.185.9.57,10.196.2.93,10.196.2.94,10.196.2.137,10.185.9.77,10.185.9.78,10.185.9.85,10.185.9.86,10.185.8.18,10.185.8.19]
> var TELNET_SERVERS $HOME_NET
> var SNMP_SERVERS $HOME_NET
> portvar HTTP_PORTS 80
> portvar SHELLCODE_PORTS !80
> portvar ORACLE_PORTS 1521
> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> var RULE_PATH /etc/snort/rules
> var PREPROC_RULE_PATH /etc/snort/preproc_rules
>
> config disable_decode_alerts
> config disable_tcpopt_experimental_alerts
> config disable_tcpopt_obsolete_alerts
> config disable_tcpopt_ttcp_alerts
> config disable_tcpopt_alerts
> config disable_ipopt_alerts
>
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies
>
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>                               track_udp no
> preprocessor stream5_tcp: policy first, use_static_footprint_sizes
>
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500 \
>     no_alerts
>
> preprocessor rpc_decode: 111 32771
> preprocessor bo
>
> preprocessor ftp_telnet: global \
>    encrypted_traffic yes \
>    inspection_type stateful
>
> preprocessor ftp_telnet_protocol: telnet \
>    normalize \
>    ayt_attack_thresh 200
>
> preprocessor ftp_telnet_protocol: ftp server default \
>    def_max_param_len 100 \
>    alt_max_param_len 200 { CWD } \
>    cmd_validity MODE < char ASBCZ > \
>    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
>    telnet_cmds yes \
>    data_chan
>
> preprocessor ftp_telnet_protocol: ftp client default \
>    max_resp_len 256 \
>    bounce yes \
>    telnet_cmds yes
>
> preprocessor smtp: \
>   ports { 25 587 691 } \
>   inspection_type stateful \
>   normalize cmds \
>   normalize_cmds { EXPN VRFY RCPT } \
>   alt_max_command_line_len 260 { MAIL } \
>   alt_max_command_line_len 300 { RCPT } \
>   alt_max_command_line_len 500 { HELP HELO ETRN } \
>   alt_max_command_line_len 255 { EXPN VRFY }
>
> preprocessor dcerpc: \
>     autodetect \
>     max_frag_size 3000 \
>     memcap 100000
>
> preprocessor dns: \
>     ports { 53 } \
>     enable_rdata_overflow
>
> preprocessor ssl: noinspect_encrypted
>
> output alert_unified: filename snort.alert, limit 128
> output log_unified: filename snort.log, limit 128
>
> include classification.config
> include reference.config
>
> include $RULE_PATH/local.rules
>
> include threshold.conf
>
> Here is the output of Snort:
>
> Run time prior to being shutdown was 28.595880 seconds
> ===============================================================================
> Packet Wire Totals:
>    Received:       908053
>    Analyzed:       907663 (99.957%)
>     Dropped:          380 (0.042%)
> Outstanding:           10 (0.001%)
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>       ETH: 909784     (100.000%)
>   ETHdisc: 0          (0.000%)
>      VLAN: 0          (0.000%)
>      IPV6: 0          (0.000%)
>   IP6 EXT: 0          (0.000%)
>   IP6opts: 0          (0.000%)
>   IP6disc: 0          (0.000%)
>       IP4: 907996     (99.803%)
>   IP4disc: 0          (0.000%)
>     TCP 6: 0          (0.000%)
>     UDP 6: 0          (0.000%)
>     ICMP6: 0          (0.000%)
>   ICMP-IP: 0          (0.000%)
>       TCP: 901746     (99.116%)
>       UDP: 3110       (0.342%)
>      ICMP: 1007       (0.111%)
>   TCPdisc: 0          (0.000%)
>   UDPdisc: 0          (0.000%)
>   ICMPdis: 0          (0.000%)
>      FRAG: 0          (0.000%)
>    FRAG 6: 0          (0.000%)
>       ARP: 506        (0.056%)
>     EAPOL: 0          (0.000%)
>   ETHLOOP: 0          (0.000%)
>       IPX: 0          (0.000%)
>     OTHER: 1294       (0.142%)
>   DISCARD: 0          (0.000%)
> InvChkSum: 627722     (68.997%)
>    S5 G 1: 0          (0.000%)
>    S5 G 2: 2121       (0.233%)
>     Total: 909784
> ===============================================================================
> Action Stats:
> ALERTS: 10
> LOGGED: 10
> PASSED: 0
> ===============================================================================
> Frag3 statistics:
>         Total Fragments: 0
>       Frags Reassembled: 0
>                Discards: 0
>           Memory Faults: 0
>                Timeouts: 0
>                Overlaps: 0
>               Anomalies: 0
>                  Alerts: 0
>      FragTrackers Added: 0
>     FragTrackers Dumped: 0
> FragTrackers Auto Freed: 0
>     Frag Nodes Inserted: 0
>      Frag Nodes Deleted: 0
> ===============================================================================
> Stream5 statistics:
>             Total sessions: 15463
>               TCP sessions: 15463
>               UDP sessions: 0
>              ICMP sessions: 0
>                 TCP Prunes: 0
>                 UDP Prunes: 0
>                ICMP Prunes: 0
> TCP StreamTrackers Created: 15463
> TCP StreamTrackers Deleted: 15463
>               TCP Timeouts: 0
>               TCP Overlaps: 1
>        TCP Segments Queued: 8631
>      TCP Segments Released: 8631
>        TCP Rebuilt Packets: 4075
>          TCP Segments Used: 4260
>               TCP Discards: 19042
>       UDP Sessions Created: 0
>       UDP Sessions Deleted: 0
>               UDP Timeouts: 0
>               UDP Discards: 0
>                     Events: 0
> ===============================================================================
> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>     POST methods:                   1042
>     GET methods:                    1305
>     Headers extracted:              2342
>     Header Cookies extracted:       821
>     Post parameters extracted:      15
>     Unicode:                        0
>     Double unicode:                 0
>     Non-ASCII representable:        171
>     Base 36:                        0
>     Directory traversals:           0
>     Extra slashes ("//"):           26
>     Self-referencing paths ("./"):  0
>     Total packets processed:        218047
> ===============================================================================
> SSL Preprocessor:
>    SSL packets decoded: 1523
>           Client Hello: 12
>           Server Hello: 24
>            Certificate: 1
>            Server Done: 85
>    Client Key Exchange: 6
>    Server Key Exchange: 0
>          Change Cipher: 108
>               Finished: 0
>     Client Application: 30
>     Server Application: 273
>                  Alert: 9
>   Unrecognized records: 1169
>   Completed handshakes: 2
>         Bad handshakes: 0
>       Sessions ignored: 5
>     Detection disabled: 0
> ===============================================================================
> Snort exiting
-- 
Joel Esler
http://www.joelesler.net
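
Editor's note with an added example, not code from the thread or from the Snort project. The summary Jimmy quoted gives two numbers worth checking before capturing a pcap: Dropped is 380 of 908053 received (0.042%), so even if drops were spread evenly over the test traffic only about 0.02 of the 50 packets would be expected to go missing, not 40; and InvChkSum is 627722 of 909784 (68.997%). Snort 2.x does not hand packets that fail checksum validation to the detection engine (which checksums are verified is set by `config checksum_mode`, default `all`), while tcpdump records such packets regardless, and NIC checksum offload on the sensor host is the usual reason most captured packets carry bad checksums. The script below parses the counter lines of a Snort stats dump and applies both checks; the sample text is copied from the output above, and the function names, the `findings` labels and the 50% checksum threshold are the editor's own choices.

```python
import re

# Constructed sample: the counter lines that matter, copied from the Snort 2.8.3.2
# summary quoted in the thread (Packet Wire Totals, protocol breakdown, Action Stats).
SAMPLE_STATS = """\
Packet Wire Totals:
   Received:       908053
   Analyzed:       907663 (99.957%)
    Dropped:          380 (0.042%)
Outstanding:           10 (0.001%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
      ETH: 909784     (100.000%)
      TCP: 901746     (99.116%)
InvChkSum: 627722     (68.997%)
    Total: 909784
===============================================================================
Action Stats:
ALERTS: 10
LOGGED: 10
PASSED: 0
"""

# One "Name: 12345" counter per line; the name may contain spaces but not a colon.
# Lines such as "Packet Wire Totals:" carry no number on the same line and are skipped.
COUNTER_RE = re.compile(r"^[ \t]*([^:\n]+):[ \t]+(\d+)", re.MULTILINE)


def parse_counters(text):
    """Map every 'Name: <int>' line of a Snort stats dump to {name: int}."""
    return {m.group(1).strip(): int(m.group(2)) for m in COUNTER_RE.finditer(text)}


def expected_loss_from_drops(counters, sent):
    """Packets out of `sent` one would expect Snort itself to have dropped, assuming
    the Dropped/Received ratio from the summary applies evenly to the test traffic."""
    return sent * counters["Dropped"] / counters["Received"]


def bad_checksum_ratio(counters):
    """Fraction of decoded packets the decoder flagged as having a bad checksum."""
    return counters["InvChkSum"] / counters["Total"]


def assess(counters, sent, alerted, csum_threshold=0.5):
    """Explain a gap between packets sent and alerts seen.

    Two checks (threshold and labels are this example's own, not Snort's):
      * are Snort-level drops large enough to account for the missing alerts?
      * did most traffic fail checksum validation?  Snort 2.x skips detection on
        such packets (see `config checksum_mode`), tcpdump captures them anyway.
    """
    missing = sent - alerted
    drop_loss = expected_loss_from_drops(counters, sent)
    csum_ratio = bad_checksum_ratio(counters)
    findings = []
    if missing > 0 and drop_loss < 1.0:
        findings.append("drops_too_small")  # drops cannot explain the missing alerts
    if csum_ratio >= csum_threshold:
        findings.append("bad_checksums")  # retest with `config checksum_mode: none`
    if counters["ALERTS"] != alerted:
        findings.append("alert_count_mismatch")  # summary disagrees with what was seen
    return {
        "missing": missing,
        "expected_drop_loss": round(drop_loss, 3),
        "bad_checksum_ratio": round(csum_ratio, 3),
        "findings": findings,
    }


if __name__ == "__main__":
    report = assess(parse_counters(SAMPLE_STATS), sent=50, alerted=10)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Replaying a capture with `snort -c snort.conf -r test.pcap`, as Joel suggests, takes wire-level drops out of the picture but not the checksum check, since the replayed packets carry the same checksums the capture did. If the InvChkSum ratio is high, run the replay a second time with `config checksum_mode: none` added to snort.conf and compare the alert counts; if they match the 50 packets tcpdump saw, the sensor NIC's checksum offload, not Snort's packet handling, is what to fix.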