[Snort-users] weirdness

Will Metcalf william.metcalf at ...11827...
Mon Aug 16 13:39:24 EDT 2010


So I was doing some perf profiling of ET sigs and I'm seeing something
sort of odd working with snort-2.8.6.1 that perhaps someone form SF
can explain to me.  I have a pcap that has all public traffic in it, I
forgot to modify $HOME_NET to be the proper public address space and
instead left it as rfc1918 addys. I have perf stats turned on and it
seems that the worst performing rules are rules which try to match on
something like...

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"some msg";
flow:established,to_server; uricontent:"common match";
uricontent:"short match";

My question is... why is this?  shouldn't flow direction, state, and
direction of the traffic prevent the pm from being invoked in the
first place?  Just to verify I didn't have any internal traffic
floating around the pcap, I made a new pcap from the original
excluding everything that should be in my $HOME_NET

#generate new pcap
tcpdump -w norfc1918.pcap -r /pcaps/nofuzz/publictraffic.pcap not net
\(10.0.0.0/8 or 192.168.0.0/16 or 172.16.0.0/12\)

#validate there is no internal traffic in the pcap
wmetcalf at ...3425...:~/idstoolout$ tcpdump -n -r norfc1918.pcap net
\(10.0.0.0/8 or 192.168.0.0/16 or 172.16.0.0/12\)
reading from file norfc1918.pcap, link-type EN10MB (Ethernet)
wmetcalf at ...3425...:~/idstoolout$

#relevant bits of the snort.conf
var HOME_NET [10.0.0.0/8,192.168.0.0/16,172.16.0.0/12]
# Set up the external network addresses.  A good start may be "any"
var EXTERNAL_NET any

# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of ports you run web servers on
portvar HTTP_PORTS  [80,2301,3128,7777,7779,8000,8008,8028,8080,8180,8888,9999]

#cli for running the pcap through snort-2.8.6.1
/opt/snort2861/bin/snort -c /opt/snort2861/etc/snort.conf -l ./ -A
console -k none -q -r norfc1918.pcap

#top three lines of per stats
Rule Profile Statistics (worst 50 rules)
==========================================================
   Num      SID GID Rev     Checks   Matches    Alerts
Microsecs  Avg/Check  Avg/Match Avg/Nonmatch
   ===      === === ===     ======   =======    ======
=========  =========  ========= ============
     1  2006614   1   5      12511         0         0
297276       23.8        0.0         23.8
     2  2011189   1   2         15         0         0
323       21.6        0.0         21.6
     3  2003794   1   6         20         0         0
376       18.8        0.0         18.8

#Top three worst performing rules.. Why? shouldn't flow and traffic
dir prevent these from being checked.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt --
index.php D UPDATE"; flow:established,to_server;
uricontent:"/index.php?"; nocase; uricontent:"D="; nocase;
uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui";
classtype:web-application-attack; reference:cve,CVE-2006-6446;
reference:url,www.securityfocus.com/bid/21467;
reference:url,doc.emergingthreats.net/2006614;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_iWare_Pro;
sid:2006614; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET
WEB_SPECIFIC_APPS Possible Cisco IOS HTTP Server Cross Site Scripting
Attempt"; flow:established,to_server; content:"GET "; depth:4;
uricontent:"/ping?"; nocase;
pcre:"/ping.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui";
classtype:web-application-attack;
reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17364;
reference:url,www.cisco.com/en/US/products/products_security_response09186a0080a5c501.html;
reference:cve,2008-3821;
reference:url,doc.emergingthreats.net/2011189;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Cisco;
sid:2011189; rev:2;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt --
stylesheet.php templateid SELECT"; flow:established,to_server;
uricontent:"/stylesheet.php?"; nocase; uricontent:"templateid=";
nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack;
reference:cve,CVE-2007-2473;
reference:url,www.securityfocus.com/bid/23753;
reference:url,doc.emergingthreats.net/2003794;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_CMS_Made_Simple;
sid:2003794; rev:6;)




More information about the Snort-users mailing list