[Snort-users] Snort-users Digest, Vol 33, Issue 10

Todd Wease twease at ...1935...
Thu Feb 12 17:32:05 EST 2009


I'd run Wireshark and take a look at the traffic to try and find out
where all of the traffic with the bad checksums is coming from.


Jimmy Tharel wrote:
> The checksums are definitely the problem. Adding -k none allows me
> to see what I expect, and all my rules seem to be alerting now.
> However, I'm not sending any traffic from my Snort box. How can I
> troubleshoot this further? Any ideas?
> By the way, very good catch! I'm glad I included the Snort output!
>
>
> ------------------------------------------------------------------------
> *From:* "snort-users-request at lists.sourceforge.net"
> <snort-users-request at lists.sourceforge.net>
> *To:* snort-users at lists.sourceforge.net
> *Sent:* Thursday, February 12, 2009 10:27:18 AM
> *Subject:* Snort-users Digest, Vol 33, Issue 10
>
> Send Snort-users mailing list submissions to
>     snort-users at lists.sourceforge.net
> <mailto:snort-users at lists.sourceforge.net>
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
>     snort-users-request at lists.sourceforge.net
> <mailto:snort-users-request at lists.sourceforge.net>
>
> You can reach the person managing the list at
>     snort-users-owner at lists.sourceforge.net
> <mailto:snort-users-owner at lists.sourceforge.net>
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> Today's Topics:
>
>   1. Re: Snort not seeing all traffic (Joel Esler)
>   2. Re: Snort not seeing all traffic (Todd Wease)
>   3. Re: Snort not seeing all traffic (Jack Pepper)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 12 Feb 2009 12:21:02 -0500
> From: Joel Esler <eslerj at ...11827... <mailto:eslerj at ...11827...>>
> Subject: Re: [Snort-users] Snort not seeing all traffic
> To: Jimmy Tharel <jtharel at ...131... <mailto:jtharel at ...131...>>
> Cc: snort-users at lists.sourceforge.net
> <mailto:snort-users at lists.sourceforge.net>
> Message-ID:
>     <8c643a500902120921v89bfcfeq86547bf24d0f6deb at ...11828...
> <mailto:8c643a500902120921v89bfcfeq86547bf24d0f6deb at ...11828...>>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Jimmy, it's hard for us to troubleshoot what is going on if Snort did
> indeed drop packets.  We can't rule out with 100% certainty that Snort
> isn't seeing the traffic if, in fact, it's dropping packets.
>
> Can you capture a pcap of the traffic and run Snort against the pcap?
> That way we can rule out dropped packets.
>
> Joel
>
> It's obviously seeing the traffic, as you are getting alerts.
>
> On Thu, Feb 12, 2009 at 11:54 AM, Jimmy Tharel <jtharel at ...131...
> <mailto:jtharel at ...131...>> wrote:
> > Initially I thought I had a problem with a rule that I wrote, but it
> > appears Snort isn't seeing all of the data coming over the wire.  I
> > wrote a simple rule:
> >
> > alert tcp <my ip> any <> any any (msg:"Jimmy - Test rule";
> > classtype:attempted-dos; sid:2000000; rev:1;)
> >
> > I sent 50 packets across the wire and Snort only picked up 10 of them
> > and alerted.  I had tcpdump running at the same time and it picked up
> > all of them.
> >
> > I'm currently running 2.8.3.2.  It doesn't look like I'm dropping
> > packets (especially since tcpdump sees the traffic, and the Snort
> > output shows very little packet loss); my CPU and memory are not being
> > taxed at all.  Currently I only have the one rule enabled plus the
> > preprocessors.
> >
> > Does anybody have any idea what could be happening?  If you need any
> > more info I will be happy to share it.
> >
> > Below are my snort.conf and the output of Snort running for a brief
> > period of time when the 50 packets were sent.
> >
> > Here is my snort.conf:
> > var HOME_NET any
> > var EXTERNAL_NET any
> > var DNS_SERVERS [10.196.4.1,10.196.4.2]
> > var SMTP_SERVERS $HOME_NET
> > var HTTP_SERVERS $HOME_NET
> > var SQL_SERVERS [10.196.2.102,10.196.2.103,10.196.2.105,10.196.2.132,10.196.2.133,10.185.9.42,10.185.9.43,10.185.9.44,10.185.9.56,10.185.9.57,10.196.2.93,10.196.2.94,10.196.2.137,10.185.9.77,10.185.9.78,10.185.9.85,10.185.9.86,10.185.8.18,10.185.8.19]
> > var TELNET_SERVERS $HOME_NET
> > var SNMP_SERVERS $HOME_NET
> > portvar HTTP_PORTS 80
> > portvar SHELLCODE_PORTS !80
> > portvar ORACLE_PORTS 1521
> > var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> > var RULE_PATH /etc/snort/rules
> > var PREPROC_RULE_PATH /etc/snort/preproc_rules
> >
> > config disable_decode_alerts
> > config disable_tcpopt_experimental_alerts
> > config disable_tcpopt_obsolete_alerts
> > config disable_tcpopt_ttcp_alerts
> > config disable_tcpopt_alerts
> > config disable_ipopt_alerts
> >
> > dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> > dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
> >
> > preprocessor frag3_global: max_frags 65536
> > preprocessor frag3_engine: policy first detect_anomalies
> >
> > preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> >                              track_udp no
> > preprocessor stream5_tcp: policy first, use_static_footprint_sizes
> >
> > preprocessor http_inspect: global \
> >    iis_unicode_map unicode.map 1252
> >
> > preprocessor http_inspect_server: server default \
> >    profile all ports { 80 8080 8180 } oversize_dir_length 500 \
> >    no_alerts
> >
> > preprocessor rpc_decode: 111 32771
> > preprocessor bo
> >
> > preprocessor ftp_telnet: global \
> >    encrypted_traffic yes \
> >    inspection_type stateful
> >
> > preprocessor ftp_telnet_protocol: telnet \
> >    normalize \
> >    ayt_attack_thresh 200
> >
> > preprocessor ftp_telnet_protocol: ftp server default \
> >    def_max_param_len 100 \
> >    alt_max_param_len 200 { CWD } \
> >    cmd_validity MODE < char ASBCZ > \
> >    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
> >    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
> >    telnet_cmds yes \
> >    data_chan
> >
> > preprocessor ftp_telnet_protocol: ftp client default \
> >    max_resp_len 256 \
> >    bounce yes \
> >    telnet_cmds yes
> >
> > preprocessor smtp: \
> >  ports { 25 587 691 } \
> >  inspection_type stateful \
> >  normalize cmds \
> >  normalize_cmds { EXPN VRFY RCPT } \
> >  alt_max_command_line_len 260 { MAIL } \
> >  alt_max_command_line_len 300 { RCPT } \
> >  alt_max_command_line_len 500 { HELP HELO ETRN } \
> >  alt_max_command_line_len 255 { EXPN VRFY }
> >
> > preprocessor dcerpc: \
> >    autodetect \
> >    max_frag_size 3000 \
> >    memcap 100000
> >
> > preprocessor dns: \
> >    ports { 53 } \
> >    enable_rdata_overflow
> >
> > preprocessor ssl: noinspect_encrypted
> >
> > output alert_unified: filename snort.alert, limit 128
> > output log_unified: filename snort.log, limit 128
> >
> > include classification.config
> > include reference.config
> >
> > include $RULE_PATH/local.rules
> >
> > include threshold.conf
> >
> > Here is the output of Snort:
> >
> > Run time prior to being shutdown was 28.595880 seconds
> >
> > ===============================================================================
> > Packet Wire Totals:
> >    Received:      908053
> >    Analyzed:      907663 (99.957%)
> >    Dropped:          380 (0.042%)
> > Outstanding:          10 (0.001%)
> >
> > ===============================================================================
> > Breakdown by protocol (includes rebuilt packets):
> >      ETH: 909784    (100.000%)
> >  ETHdisc: 0          (0.000%)
> >      VLAN: 0          (0.000%)
> >      IPV6: 0          (0.000%)
> >  IP6 EXT: 0          (0.000%)
> >  IP6opts: 0          (0.000%)
> >  IP6disc: 0          (0.000%)
> >      IP4: 907996    (99.803%)
> >  IP4disc: 0          (0.000%)
> >    TCP 6: 0          (0.000%)
> >    UDP 6: 0          (0.000%)
> >    ICMP6: 0          (0.000%)
> >  ICMP-IP: 0          (0.000%)
> >      TCP: 901746    (99.116%)
> >      UDP: 3110      (0.342%)
> >      ICMP: 1007      (0.111%)
> >  TCPdisc: 0          (0.000%)
> >  UDPdisc: 0          (0.000%)
> >  ICMPdis: 0          (0.000%)
> >      FRAG: 0          (0.000%)
> >    FRAG 6: 0          (0.000%)
> >      ARP: 506        (0.056%)
> >    EAPOL: 0          (0.000%)
> >  ETHLOOP: 0          (0.000%)
> >      IPX: 0          (0.000%)
> >    OTHER: 1294      (0.142%)
> >  DISCARD: 0          (0.000%)
> > InvChkSum: 627722    (68.997%)
> >    S5 G 1: 0          (0.000%)
> >    S5 G 2: 2121      (0.233%)
> >    Total: 909784
> >
> > ===============================================================================
> > Action Stats:
> > ALERTS: 10
> > LOGGED: 10
> > PASSED: 0
> >
> > ===============================================================================
> > Frag3 statistics:
> >        Total Fragments: 0
> >      Frags Reassembled: 0
> >                Discards: 0
> >          Memory Faults: 0
> >                Timeouts: 0
> >                Overlaps: 0
> >              Anomalies: 0
> >                  Alerts: 0
> >      FragTrackers Added: 0
> >    FragTrackers Dumped: 0
> > FragTrackers Auto Freed: 0
> >    Frag Nodes Inserted: 0
> >      Frag Nodes Deleted: 0
> >
> > ===============================================================================
> > Stream5 statistics:
> >            Total sessions: 15463
> >              TCP sessions: 15463
> >              UDP sessions: 0
> >              ICMP sessions: 0
> >                TCP Prunes: 0
> >                UDP Prunes: 0
> >                ICMP Prunes: 0
> > TCP StreamTrackers Created: 15463
> > TCP StreamTrackers Deleted: 15463
> >              TCP Timeouts: 0
> >              TCP Overlaps: 1
> >        TCP Segments Queued: 8631
> >      TCP Segments Released: 8631
> >        TCP Rebuilt Packets: 4075
> >          TCP Segments Used: 4260
> >              TCP Discards: 19042
> >      UDP Sessions Created: 0
> >      UDP Sessions Deleted: 0
> >              UDP Timeouts: 0
> >              UDP Discards: 0
> >                    Events: 0
> >
> > ===============================================================================
> > HTTP Inspect - encodings (Note: stream-reassembled packets included):
> >    POST methods:                  1042
> >    GET methods:                    1305
> >    Headers extracted:              2342
> >    Header Cookies extracted:      821
> >    Post parameters extracted:      15
> >    Unicode:                        0
> >    Double unicode:                0
> >    Non-ASCII representable:        171
> >    Base 36:                        0
> >    Directory traversals:          0
> >    Extra slashes ("//"):          26
> >    Self-referencing paths ("./"):  0
> >    Total packets processed:        218047
> >
> > ===============================================================================
> > SSL Preprocessor:
> >    SSL packets decoded: 1523
> >          Client Hello: 12
> >          Server Hello: 24
> >            Certificate: 1
> >            Server Done: 85
> >    Client Key Exchange: 6
> >    Server Key Exchange: 0
> >          Change Cipher: 108
> >              Finished: 0
> >    Client Application: 30
> >    Server Application: 273
> >                  Alert: 9
> >  Unrecognized records: 1169
> >  Completed handshakes: 2
> >        Bad handshakes: 0
> >      Sessions ignored: 5
> >    Detection disabled: 0
> >
> > ===============================================================================
> > Snort exiting
>
>
>
>
> -- 
> Joel Esler
> http://www.joelesler.net
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 12 Feb 2009 12:25:29 -0500
> From: Todd Wease <twease at ...1935... <mailto:twease at ...1935...>>
> Subject: Re: [Snort-users] Snort not seeing all traffic
> To: Jimmy Tharel <jtharel at ...131... <mailto:jtharel at ...131...>>
> Cc: snort-users at lists.sourceforge.net
> <mailto:snort-users at lists.sourceforge.net>
> Message-ID: <49945B89.5040406 at ...1935...
> <mailto:49945B89.5040406 at ...1935...>>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Jimmy,
>
> Looks like you might be sending traffic from the same box as Snort is
> running on and TCP checksum offloading is occurring.  I noticed this
> from the stats:
>
> InvChkSum: 627722    (68.997%)
>
> That's a lot of invalid checksums.  Try adding "-k none" to your command
> line while testing.  This will stop Snort from checking checksums.
>
> Todd
>
>
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 12 Feb 2009 11:27:11 -0600
> From: Jack Pepper <pepperjack at ...14319...
> <mailto:pepperjack at ...14319...>>
> Subject: Re: [Snort-users] Snort not seeing all traffic
> To: Jimmy Tharel <jtharel at ...131... <mailto:jtharel at ...131...>>
> Cc: snort-users at lists.sourceforge.net
> <mailto:snort-users at lists.sourceforge.net>
> Message-ID:
>     <20090212112711.4p7oftafvo4csoo4 at ...14320...
> <mailto:20090212112711.4p7oftafvo4csoo4 at ...14320...>>
> Content-Type: text/plain;    charset=ISO-8859-1;    DelSp="Yes";
>     format="flowed"
>
> Looks like you're dropping packets.  Funny thing about dropping
> packets: there's no way to know which packets were dropped.  Your
> sample looked at about a million packets in less than 30 seconds.
>
>
> jp
>
>
> -- 
>
> Framework?  I don't need no stinking framework!
>
> ----------------------------------------------------------------
> @fferent Security Labs:  Isolate/Insulate/Innovate 
> http://www.afferentsecurity.com
>
>
>
>
> ------------------------------
>
> ------------------------------------------------------------------------------
>
>
> ------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> <mailto:Snort-users at lists.sourceforge.net>
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
>
> End of Snort-users Digest, Vol 33, Issue 10
> *******************************************
>
> ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------------
>   
> ------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
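What Todd's reading of the stats and his follow-up advice (find out where the bad-checksum traffic originates) amount to in code, as an added example that is not part of this thread or of Snort itself: the script verifies the TCP checksum of raw Ethernet/IPv4/TCP frames and tallies bad checksums per source address, and it reads the InvChkSum share out of a Snort 2.8-style shutdown stats block. The frames and the stats excerpt are constructed inline (the sensor address 10.196.2.50 is assumed; 10.196.2.102 is taken from the posted SQL_SERVERS list), so it runs offline; on a real capture you would feed it the frames from whatever pcap reader you use.

```python
import re
import socket
import struct
from collections import Counter


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's complement sum, folded to 0..0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Value for a checksum field: complement of the folded sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len)


def build_frame(src_ip, dst_ip, sport, dport, payload, good_checksum=True):
    """Construct an Ethernet/IPv4/TCP frame (one PSH|ACK segment).
    good_checksum=False writes a wrong TCP checksum, which is what a capture
    on a sender with TX checksum offload shows: the NIC fills the field in
    after the point where libpcap (and so Snort) sees the packet."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    csum = checksum(tcp_pseudo_header(src, dst, len(tcp)) + tcp)
    if not good_checksum:
        csum ^= 0x0001  # one bit off can never verify under one's complement
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000, 64, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return bytes(12) + b"\x08\x00" + ip + tcp  # zero MACs, EtherType IPv4


def tcp_checksum_ok(frame: bytes):
    """(src_ip, ok) for an IPv4/TCP frame, None for anything else. A segment
    verifies when the folded sum over pseudo header plus segment, checksum
    field included, is 0xFFFF."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != socket.IPPROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src, dst = ip[12:16], ip[16:20]
    tcp = ip[ihl:total_len]
    ok = ones_complement_sum(tcp_pseudo_header(src, dst, len(tcp)) + tcp) == 0xFFFF
    return socket.inet_ntoa(src), ok


def bad_checksum_sources(frames) -> Counter:
    """Bad TCP checksums per source IP. The sensor's own address at the top
    of this list means TX checksum offload on the sensor, not packet loss."""
    bad = Counter()
    for frame in frames:
        result = tcp_checksum_ok(frame)
        if result is not None and not result[1]:
            bad[result[0]] += 1
    return bad


def invalid_checksum_ratio(snort_stats: str) -> float:
    """Share of decoded packets Snort filed under InvChkSum. Those packets
    are decoded but not run through the rules, which is why -k none made
    the test rule fire."""
    inv = int(re.search(r"InvChkSum:\s+(\d+)", snort_stats).group(1))
    total = int(re.search(r"^\s*Total:\s+(\d+)", snort_stats, re.M).group(1))
    return inv / total


# Constructed sample: the sensor (10.196.2.50, an assumed address) talks to a
# web server; only the sensor's outbound segments carry offloaded checksums.
SENSOR, SERVER = "10.196.2.50", "10.196.2.102"
SAMPLE_FRAMES = [
    build_frame(SENSOR, SERVER, 40000, 80, b"GET / HTTP/1.0\r\n\r\n", False),
    build_frame(SERVER, SENSOR, 80, 40000, b"HTTP/1.0 200 OK\r\n\r\n"),
    build_frame(SENSOR, SERVER, 40001, 80, b"GET /x HTTP/1.0\r\n\r\n", False),
    build_frame(SERVER, SENSOR, 80, 40001, b"HTTP/1.0 404 Not Found\r\n\r\n"),
    bytes(60),  # not IPv4: ignored
]

# Constructed excerpt in the layout of Snort 2.8's shutdown "Breakdown by
# protocol" block, using the counters from the thread.
SAMPLE_STATS = """\
Breakdown by protocol (includes rebuilt packets):
InvChkSum: 627722    (68.997%)
   Total: 909784
"""

if __name__ == "__main__":
    print("InvChkSum share: %.1f%%" % (100 * invalid_checksum_ratio(SAMPLE_STATS)))
    for host, n in bad_checksum_sources(SAMPLE_FRAMES).most_common():
        print("bad TCP checksums from %s: %d" % (host, n))
```

If the top entry in the tally is the sensor's own address, the capture is seeing outbound segments before the NIC fills in the checksum. For testing, `-k none` (or `config checksum_mode: none` in snort.conf) makes Snort inspect them anyway; on Linux, `ethtool -K <iface> tx off` turns the offload off so the checksums at the tap point are real. A high InvChkSum ratio is a different condition from packet loss: "Dropped" in the Packet Wire Totals counts packets libpcap never delivered, while InvChkSum counts packets Snort decoded and then kept away from detection.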