[Snort-users] Snort not seeing all traffic

Jack Pepper pepperjack at ...14319...
Thu Feb 12 12:27:11 EST 2009


Looks like you're dropping packets.  Funny thing about dropping
packets: there's no way to know which packets were dropped.  Your
sample looked at about a million packets in less than 30 seconds.


jp

Quoting Jimmy Tharel <jtharel at ...131...>:

> Initially I thought I had a problem with a rule that I wrote but it  
> appears Snort isn't seeing all of the data coming over the wire.  I  
> wrote a simple rule:
>
> alert tcp <my ip> any <> any any (msg:"Jimmy - Test rule";  
> classtype:attempted-dos; sid:2000000; rev:1;)
>
> I sent 50 packets across the wire and Snort only picked up 10 of  
> them and alerted.  I had tcpdump running at the same time and it  
> picked up all of them.
>
> I'm currently running 2.8.3.2.  It doesn't look like I'm dropping
> packets (especially since tcpdump sees the traffic, and the snort
> output shows very little packet loss); my CPU and memory are not being
> taxed at all.  Currently I only have the one rule enabled plus the
> preprocessors.
>
> Does anybody have any idea what could be happening?  If you need any  
> more info I will be happy to share it.
>
> Below are my snort.conf and the output of Snort running for a brief
> period of time when the 50 packets were sent.
>
> Here is my snort.conf:
> var HOME_NET any
> var EXTERNAL_NET any
> var DNS_SERVERS [10.196.4.1,10.196.4.2]
> var SMTP_SERVERS $HOME_NET
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS  
> [10.196.2.102,10.196.2.103,10.196.2.105,10.196.2.132,10.196.2.133,10.185.9.42,10.185.9.43,10.185.9.44,10.185.9.56,10.185.9.57,10.196.2.93,10.196.2.94,10.196.2.137,10.185.9.77,10.185.9.78,10.185.9.85,10.185.9.86,10.185.8.18,10.185.8.19]
> var TELNET_SERVERS $HOME_NET
> var SNMP_SERVERS $HOME_NET
> portvar HTTP_PORTS 80
> portvar SHELLCODE_PORTS !80
> portvar ORACLE_PORTS 1521
> var AIM_SERVERS  
> [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> var RULE_PATH /etc/snort/rules
> var PREPROC_RULE_PATH /etc/snort/preproc_rules
>
> config disable_decode_alerts
> config disable_tcpopt_experimental_alerts
> config disable_tcpopt_obsolete_alerts
> config disable_tcpopt_ttcp_alerts
> config disable_tcpopt_alerts
> config disable_ipopt_alerts
>
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies
>
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>                               track_udp no
> preprocessor stream5_tcp: policy first, use_static_footprint_sizes
>
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500 \
>     no_alerts
>
> preprocessor rpc_decode: 111 32771
> preprocessor bo
>
> preprocessor ftp_telnet: global \
>    encrypted_traffic yes \
>    inspection_type stateful
>
> preprocessor ftp_telnet_protocol: telnet \
>    normalize \
>    ayt_attack_thresh 200
>
> preprocessor ftp_telnet_protocol: ftp server default \
>    def_max_param_len 100 \
>    alt_max_param_len 200 { CWD } \
>    cmd_validity MODE < char ASBCZ > \
>    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
>    telnet_cmds yes \
>    data_chan
>
> preprocessor ftp_telnet_protocol: ftp client default \
>    max_resp_len 256 \
>    bounce yes \
>    telnet_cmds yes
>
> preprocessor smtp: \
>   ports { 25 587 691 } \
>   inspection_type stateful \
>   normalize cmds \
>   normalize_cmds { EXPN VRFY RCPT } \
>   alt_max_command_line_len 260 { MAIL } \
>   alt_max_command_line_len 300 { RCPT } \
>   alt_max_command_line_len 500 { HELP HELO ETRN } \
>   alt_max_command_line_len 255 { EXPN VRFY }
>
> preprocessor dcerpc: \
>     autodetect \
>     max_frag_size 3000 \
>     memcap 100000
>
> preprocessor dns: \
>     ports { 53 } \
>     enable_rdata_overflow
>
> preprocessor ssl: noinspect_encrypted
>
> output alert_unified: filename snort.alert, limit 128
> output log_unified: filename snort.log, limit 128
>
> include classification.config
> include reference.config
>
> include $RULE_PATH/local.rules
>
> include threshold.conf
>
> Here is the output of Snort:
>
> Run time prior to being shutdown was 28.595880 seconds
> ===============================================================================
> Packet Wire Totals:
>    Received:       908053
>    Analyzed:       907663 (99.957%)
>     Dropped:          380 (0.042%)
> Outstanding:           10 (0.001%)
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>       ETH: 909784     (100.000%)
>   ETHdisc: 0          (0.000%)
>      VLAN: 0          (0.000%)
>      IPV6: 0          (0.000%)
>   IP6 EXT: 0          (0.000%)
>   IP6opts: 0          (0.000%)
>   IP6disc: 0          (0.000%)
>       IP4: 907996     (99.803%)
>   IP4disc: 0          (0.000%)
>     TCP 6: 0          (0.000%)
>     UDP 6: 0          (0.000%)
>     ICMP6: 0          (0.000%)
>   ICMP-IP: 0          (0.000%)
>       TCP: 901746     (99.116%)
>       UDP: 3110       (0.342%)
>      ICMP: 1007       (0.111%)
>   TCPdisc: 0          (0.000%)
>   UDPdisc: 0          (0.000%)
>   ICMPdis: 0          (0.000%)
>      FRAG: 0          (0.000%)
>    FRAG 6: 0          (0.000%)
>       ARP: 506        (0.056%)
>     EAPOL: 0          (0.000%)
>   ETHLOOP: 0          (0.000%)
>       IPX: 0          (0.000%)
>     OTHER: 1294       (0.142%)
>   DISCARD: 0          (0.000%)
> InvChkSum: 627722     (68.997%)
>    S5 G 1: 0          (0.000%)
>    S5 G 2: 2121       (0.233%)
>     Total: 909784
> ===============================================================================
> Action Stats:
> ALERTS: 10
> LOGGED: 10
> PASSED: 0
> ===============================================================================
> Frag3 statistics:
>         Total Fragments: 0
>       Frags Reassembled: 0
>                Discards: 0
>           Memory Faults: 0
>                Timeouts: 0
>                Overlaps: 0
>               Anomalies: 0
>                  Alerts: 0
>      FragTrackers Added: 0
>     FragTrackers Dumped: 0
> FragTrackers Auto Freed: 0
>     Frag Nodes Inserted: 0
>      Frag Nodes Deleted: 0
> ===============================================================================
> Stream5 statistics:
>             Total sessions: 15463
>               TCP sessions: 15463
>               UDP sessions: 0
>              ICMP sessions: 0
>                 TCP Prunes: 0
>                 UDP Prunes: 0
>                ICMP Prunes: 0
> TCP StreamTrackers Created: 15463
> TCP StreamTrackers Deleted: 15463
>               TCP Timeouts: 0
>               TCP Overlaps: 1
>        TCP Segments Queued: 8631
>      TCP Segments Released: 8631
>        TCP Rebuilt Packets: 4075
>          TCP Segments Used: 4260
>               TCP Discards: 19042
>       UDP Sessions Created: 0
>       UDP Sessions Deleted: 0
>               UDP Timeouts: 0
>               UDP Discards: 0
>                     Events: 0
> ===============================================================================
> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>     POST methods:                   1042
>     GET methods:                    1305
>     Headers extracted:              2342
>     Header Cookies extracted:       821
>     Post parameters extracted:      15
>     Unicode:                        0
>     Double unicode:                 0
>     Non-ASCII representable:        171
>     Base 36:                        0
>     Directory traversals:           0
>     Extra slashes ("//"):           26
>     Self-referencing paths ("./"):  0
>     Total packets processed:        218047
> ===============================================================================
> SSL Preprocessor:
>    SSL packets decoded: 1523
>           Client Hello: 12
>           Server Hello: 24
>            Certificate: 1
>            Server Done: 85
>    Client Key Exchange: 6
>    Server Key Exchange: 0
>          Change Cipher: 108
>               Finished: 0
>     Client Application: 30
>     Server Application: 273
>                  Alert: 9
>   Unrecognized records: 1169
>   Completed handshakes: 2
>         Bad handshakes: 0
>       Sessions ignored: 5
>     Detection disabled: 0
> ===============================================================================
> Snort exiting
>
>
>

-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
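As an added illustration (not part of either poster's message), the following Python parses the exit summary Jimmy posted and turns it into the checks a practitioner would run on it: packet rate, the share of packets dropped or left outstanding (never inspected), and the share that failed checksum verification, which Snort 2.x does not hand to the detection engine under the default checksum_mode. The summary text is constructed from the figures above; the function names are mine.

```python
import re

# Constructed sample: the "Packet Wire Totals" block and a few "Breakdown by
# protocol" counters, copied from the Snort 2.8.3.2 exit summary in the thread.
SNORT_SUMMARY = """\
Run time prior to being shutdown was 28.595880 seconds
===============================================================================
Packet Wire Totals:
   Received:       908053
   Analyzed:       907663 (99.957%)
    Dropped:          380 (0.042%)
Outstanding:           10 (0.001%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
      ETH: 909784     (100.000%)
      TCP: 901746     (99.116%)
InvChkSum: 627722     (68.997%)
    Total: 909784
"""


def parse_snort_summary(text):
    """Return the run time plus every 'Label: count' counter as a dict."""
    stats = {}
    m = re.search(r"Run time .*? was ([0-9.]+) seconds", text)
    stats["runtime_s"] = float(m.group(1)) if m else None
    # Counter lines look like "   Dropped:          380 (0.042%)"; the
    # percentage is recomputed below rather than trusted from the text.
    for label, count in re.findall(r"^\s*([A-Za-z0-9 ]+?):\s+(\d+)", text, re.M):
        stats[label.strip()] = int(count)
    return stats


def assess(stats):
    """List the reasons a rule can miss traffic that tcpdump still sees."""
    findings = []
    rx = stats["Received"]
    if stats["runtime_s"]:
        findings.append("rate: %.0f packets/s" % (rx / stats["runtime_s"]))
    # Dropped and Outstanding packets were never inspected; the summary
    # cannot say which ones they were.
    missed = stats.get("Dropped", 0) + stats.get("Outstanding", 0)
    if missed:
        findings.append("dropped/outstanding: %d of %d (%.3f%%) never inspected"
                        % (missed, rx, 100.0 * missed / rx))
    # Snort 2.x verifies checksums by default and skips detection on packets
    # that fail; a high InvChkSum share (e.g. checksum offload on the sending
    # host) hides traffic from rules while tcpdump still records it.
    inv, total = stats.get("InvChkSum", 0), stats.get("Total", rx)
    if total and inv / total > 0.05:
        findings.append("invalid checksums: %.1f%% of packets skipped by detection"
                        % (100.0 * inv / total))
    return findings


if __name__ == "__main__":
    for line in assess(parse_snort_summary(SNORT_SUMMARY)):
        print(line)
```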




