[Snort-users] Snort not seeing all traffic

Todd Wease twease at ...1935...
Thu Feb 12 12:25:29 EST 2009


Hi Jimmy,

Looks like you might be sending traffic from the same box as Snort is
running on and TCP checksum offloading is occurring.  I noticed this
from the stats:

InvChkSum: 627722     (68.997%)

That's a lot of invalid checksums.  Try adding "-k none" to your command
line while testing.  This will disable Snort checking checksums.

Todd
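To make concrete why offloaded checksums look invalid to Snort, here is an added example (not part of the thread) that computes and verifies the TCP checksum (RFC 793 / RFC 1071) over a constructed IPv4/TCP segment; the addresses, ports and payload are made up. A capture taken on the sending host sees the segment before the NIC fills in the checksum, so verification fails and Snort skips the packet, while tcpdump, which does not verify, still shows it; the `check_checksums=False` path stands in for `-k none`.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment,
    with the checksum field (bytes 16..17 of the TCP header) taken as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def fill_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bytes:
    """What the NIC does on transmit when checksum offload is enabled."""
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]

def verify(src_ip: bytes, dst_ip: bytes, segment: bytes,
           check_checksums: bool = True) -> bool:
    """True if an IDS would inspect this segment: checksum valid, or
    verification switched off (the equivalent of Snort's -k none)."""
    if not check_checksums:
        return True
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)

# Constructed sample: 192.0.2.1:40000 -> 192.0.2.2:80, PSH|ACK, payload "ping".
SRC = bytes([192, 0, 2, 1])
DST = bytes([192, 0, 2, 2])
UNFILLED = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18,
                       8192, 0, 0) + b"ping"      # checksum field still 0
ON_WIRE = fill_checksum(SRC, DST, UNFILLED)       # what the far end receives

if __name__ == "__main__":
    print("checksum on wire: 0x%04x" % tcp_checksum(SRC, DST, UNFILLED))
    print("local capture, -k default:", verify(SRC, DST, UNFILLED))
    print("local capture, -k none:   ", verify(SRC, DST, UNFILLED, False))
    print("remote capture:           ", verify(SRC, DST, ON_WIRE))
```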


Jimmy Tharel wrote:
> Initially I thought I had a problem with a rule that I wrote but it
> appears Snort isn't seeing all of the data coming over the wire.  I
> wrote a simple rule:
>
> alert tcp <my ip> any <> any any (msg:"Jimmy - Test rule";
> classtype:attempted-dos; sid:2000000; rev:1;)
>
> I sent 50 packets across the wire and Snort only picked up 10 of them
> and alerted.  I had tcpdump running at the same time and it picked up
> all of them.
>
> I'm currently running 2.8.3.2.  It doesn't look like I'm dropping
> packets (especially since tcpdump sees the traffic, and the snort
> output shows very little packet loss), my cpu and memory are not being
> taxed at all.  Currently I only have the one rule enabled plus the
> preprocessors.
>
> Does anybody have any idea what could be happening?  If you need any
> more info I will be happy to share it.
>
> Below are my snort.conf and the output of Snort running for a brief
> period of time when the 50 packets were sent.
>
> Here is my snort.conf:
> var HOME_NET any
> var EXTERNAL_NET any
> var DNS_SERVERS [10.196.4.1,10.196.4.2]
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS
> [10.196.2.102,10.196.2.103,10.196.2.105,10.196.2.132,10.196.2.133,10.185.9.42,10.185.9.43,10.185.9.44,10.185.9.56,10.185.9.57,10.196.2.93,10.196.2.94,10.196.2.137,10.185.9.77,10.185.9.78,10.185.9.85,10.185.9.86,10.185.8.18,10.185.8.19]
> var TELNET_SERVERS $HOME_NET
> var SNMP_SERVERS $HOME_NET
> portvar HTTP_PORTS 80
> portvar SHELLCODE_PORTS !80
> portvar ORACLE_PORTS 1521
> var AIM_SERVERS
> [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> var RULE_PATH /etc/snort/rules
> var PREPROC_RULE_PATH /etc/snort/preproc_rules
>
> config disable_decode_alerts
> config disable_tcpopt_experimental_alerts
> config disable_tcpopt_obsolete_alerts
> config disable_tcpopt_ttcp_alerts
> config disable_tcpopt_alerts
> config disable_ipopt_alerts
>
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies
>
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>                               track_udp no
> preprocessor stream5_tcp: policy first, use_static_footprint_sizes
>
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500 \
>     no_alerts
>
> preprocessor rpc_decode: 111 32771
> preprocessor bo
>
> preprocessor ftp_telnet: global \
>    encrypted_traffic yes \
>    inspection_type stateful
>
> preprocessor ftp_telnet_protocol: telnet \
>    normalize \
>    ayt_attack_thresh 200
>
> preprocessor ftp_telnet_protocol: ftp server default \
>    def_max_param_len 100 \
>    alt_max_param_len 200 { CWD } \
>    cmd_validity MODE < char ASBCZ > \
>    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
>    telnet_cmds yes \
>    data_chan
>
> preprocessor ftp_telnet_protocol: ftp client default \
>    max_resp_len 256 \
>    bounce yes \
>    telnet_cmds yes
>
> preprocessor smtp: \
>   ports { 25 587 691 } \
>   inspection_type stateful \
>   normalize cmds \
>   normalize_cmds { EXPN VRFY RCPT } \
>   alt_max_command_line_len 260 { MAIL } \
>   alt_max_command_line_len 300 { RCPT } \
>   alt_max_command_line_len 500 { HELP HELO ETRN } \
>   alt_max_command_line_len 255 { EXPN VRFY }
>
> preprocessor dcerpc: \
>     autodetect \
>     max_frag_size 3000 \
>     memcap 100000
>
> preprocessor dns: \
>     ports { 53 } \
>     enable_rdata_overflow
>
> preprocessor ssl: noinspect_encrypted
>
> output alert_unified: filename snort.alert, limit 128
> output log_unified: filename snort.log, limit 128
>
> include classification.config
> include reference.config
>
> include $RULE_PATH/local.rules
>
> include threshold.conf
>
> Here is the output of Snort:
>
> un time prior to being shutdown was 28.595880 seconds
> ===============================================================================
> Packet Wire Totals:
>    Received:       908053
>    Analyzed:       907663 (99.957%)
>     Dropped:          380 (0.042%)
> Outstanding:           10 (0.001%)
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>       ETH: 909784     (100.000%)
>   ETHdisc: 0          (0.000%)
>      VLAN: 0          (0.000%)
>      IPV6: 0          (0.000%)
>   IP6 EXT: 0          (0.000%)
>   IP6opts: 0          (0.000%)
>   IP6disc: 0          (0.000%)
>       IP4: 907996     (99.803%)
>   IP4disc: 0          (0.000%)
>     TCP 6: 0          (0.000%)
>     UDP 6: 0          (0.000%)
>     ICMP6: 0          (0.000%)
>   ICMP-IP: 0          (0.000%)
>       TCP: 901746     (99.116%)
>       UDP: 3110       (0.342%)
>      ICMP: 1007       (0.111%)
>   TCPdisc: 0          (0.000%)
>   UDPdisc: 0          (0.000%)
>   ICMPdis: 0          (0.000%)
>      FRAG: 0          (0.000%)
>    FRAG 6: 0          (0.000%)
>       ARP: 506        (0.056%)
>     EAPOL: 0          (0.000%)
>   ETHLOOP: 0          (0.000%)
>       IPX: 0          (0.000%)
>     OTHER: 1294       (0.142%)
>   DISCARD: 0          (0.000%)
> InvChkSum: 627722     (68.997%)
>    S5 G 1: 0          (0.000%)
>    S5 G 2: 2121       (0.233%)
>     Total: 909784   
> ===============================================================================
> Action Stats:
> ALERTS: 10
> LOGGED: 10
> PASSED: 0
> ===============================================================================
> Frag3 statistics:
>         Total Fragments: 0
>       Frags Reassembled: 0
>                Discards: 0
>           Memory Faults: 0
>                Timeouts: 0
>                Overlaps: 0
>               Anomalies: 0
>                  Alerts: 0
>      FragTrackers Added: 0
>     FragTrackers Dumped: 0
> FragTrackers Auto Freed: 0
>     Frag Nodes Inserted: 0
>      Frag Nodes Deleted: 0
> ===============================================================================
> Stream5 statistics:
>             Total sessions: 15463
>               TCP sessions: 15463
>               UDP sessions: 0
>              ICMP sessions: 0
>                 TCP Prunes: 0
>                 UDP Prunes: 0
>                ICMP Prunes: 0
> TCP StreamTrackers Created: 15463
> TCP StreamTrackers Deleted: 15463
>               TCP Timeouts: 0
>               TCP Overlaps: 1
>        TCP Segments Queued: 8631
>      TCP Segments Released: 8631
>        TCP Rebuilt Packets: 4075
>          TCP Segments Used: 4260
>               TCP Discards: 19042
>       UDP Sessions Created: 0
>       UDP Sessions Deleted: 0
>               UDP Timeouts: 0
>               UDP Discards: 0
>                     Events: 0
> ===============================================================================
> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>     POST methods:                   1042     
>     GET methods:                    1305     
>     Headers extracted:              2342     
>     Header Cookies extracted:       821      
>     Post parameters extracted:      15       
>     Unicode:                        0        
>     Double unicode:                 0        
>     Non-ASCII representable:        171      
>     Base 36:                        0        
>     Directory traversals:           0        
>     Extra slashes ("//"):           26       
>     Self-referencing paths ("./"):  0        
>     Total packets processed:        218047   
> ===============================================================================
> SSL Preprocessor:
>    SSL packets decoded: 1523     
>           Client Hello: 12       
>           Server Hello: 24       
>            Certificate: 1        
>            Server Done: 85       
>    Client Key Exchange: 6        
>    Server Key Exchange: 0        
>          Change Cipher: 108      
>               Finished: 0        
>     Client Application: 30       
>     Server Application: 273      
>                  Alert: 9        
>   Unrecognized records: 1169     
>   Completed handshakes: 2        
>         Bad handshakes: 0        
>       Sessions ignored: 5        
>     Detection disabled: 0        
> ===============================================================================
> Snort exiting