[Snort-users] Trying to troubleshoot snort install.

Jason Wallace jason.r.wallace at ...11827...
Wed Feb 3 13:03:42 EST 2010


Wait a minute! I see something similar to this, but I thought mine was
working...

I have compiled with --enable-decoder-preprocessor-rules and am using
the precompiled SO rules.

Jan 27 12:57:39 snort[30726]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Jan 27 12:57:39 snort[30726]: Initializing rule chains...
Jan 27 12:57:39 snort[30726]: Warning: /etc/snort/rules/vrt/backdoor.rules(649) => threshold (in rule) is deprecated; use detection_filter instead.
Jan 27 12:57:42 snort[30726]: 5748 Snort rules read
Jan 27 12:57:42 snort[30726]:     5506 detection rules
Jan 27 12:57:42 snort[30726]:     65 decoder rules
Jan 27 12:57:42 snort[30726]:     177 preprocessor rules
Jan 27 12:57:42 snort[30726]: 5748 Option Chains linked into 588 Chain Headers
Jan 27 12:57:42 snort[30726]: 0 Dynamic rules
Jan 27 12:57:42 snort[30726]: +++++++++++++++++++++++++++++++++++++++++++++++++++

I see decoder and preprocessor rules loaded but no "Dynamic rules".

However, I also see messages like this for SO rules I have disabled...

Jan 27 12:57:45 snort[30726]: DynamicPlugin: Rule [3:16188] not enabled in configuration, rule will not be used.

And...

Jan 27 12:57:45 snort[30726]: | gen-id=3      sig-id=15522 type=Threshold tracking=dst count=200 seconds=30
Jan 27 12:57:45 snort[30726]: | gen-id=3      sig-id=15851 type=Both      tracking=dst count=12  seconds=1
Jan 27 12:57:45 snort[30726]: | gen-id=3      sig-id=15474 type=Threshold tracking=src count=50  seconds=10

And I am getting alerts on SO rules. For example, I have seen a couple
of hits today on GID:3 SID:16180, msg:"WEB-CLIENT Windows CryptoAPI
common name spoofing attempt".

I'm using 2.8.5.2. Here is part of my config...

dynamicpreprocessor directory /usr/lib64/snort_dynamicpreprocessor
dynamicengine /usr/lib64/snort_dynamicengine/libsf_engine.so
dynamicdetection file /usr/lib64/snort_dynamicrule/web-misc.so
[...]
var SO_RULE_PATH /etc/snort/rules/so
include $SO_RULE_PATH/web-misc.rules

snort # ls -l /usr/lib64/snort_dynamicrule/web-misc.so
-rwxr-xr-x 1 root root 106388 2010-01-27 12:08 /usr/lib64/snort_dynamicrule/web-misc.so

So why would my Dynamic rules show 0?

Wally

On Wed, Feb 3, 2010 at 11:14 AM, Matt Watchinski
<mwatchinski at ...1935...> wrote:
> If you didn't compile with
>
> ./configure --enable-decoder-preprocessor-rules
>
> Then alerting works the old way.
>
> Cheers,
> -matt
>
> On Wed, Feb 3, 2010 at 11:00 AM, Andy Berryman <aberryman at ...14758...> wrote:
>>
>> Well, if I'm not loading the preprocessor rules, why do I get http_inspect
>> alerts and portscan alerts? Do the preprocessors generate alerts on the
>> default settings regardless of whether a rule is applied or not?
>>
>> Thanks,
>> Andy
>>
>> -----Original Message-----
>> From: Nigel Houghton [mailto:nhoughton at ...1935...]
>> Sent: Wednesday, February 03, 2010 9:43 AM
>> To: Andy Berryman
>> Cc: Snort Users List
>> Subject: Re: [Snort-users] Trying to troubleshoot snort install.
>>
>> On Wed, Feb 3, 2010 at 10:13 AM, Matt Watchinski
>> <mwatchinski at ...1935...> wrote:
>> > Did you tell snort you want to use the preproc and decoder rules?  I
>> > don't see the rules included in your pasted conf.  You have to first
>> > enable the use of this feature with:
>> >
>> > ./configure --enable-decoder-preprocessor-rules
>> >
>> > Then add the rules files from here:
>> >
>> > src/snort-2.8.5.1/preproc_rules/decoder.rules
>> > src/snort-2.8.5.1/preproc_rules/preprocessor.rules
>> >
>> > Cheers,
>> > -matt
>> >
>> > On Tue, Feb 2, 2010 at 4:53 PM, Andy Berryman <aberryman at ...14758...>
>> > wrote:
>> >>
>> >> Can someone point me in the right direction please? I'm trying to
>> >> figure out if I'm chasing my tail here. Basically when I start snort
>> >> I tail syslog and see this.
>> >>
>> >> Feb  2 21:26:59 (none) snort[19257]: +++++++++++++++++++++++++++++++++++++++++++++++++++
>> >> Feb  2 21:26:59 (none) snort[19257]: Initializing rule chains...
>> >> Feb  2 21:27:15 (none) snort[19257]: 5866 Snort rules read
>> >> Feb  2 21:27:15 (none) snort[19257]:     5866 detection rules
>> >> Feb  2 21:27:15 (none) snort[19257]:     0 decoder rules
>> >> Feb  2 21:27:15 (none) snort[19257]:     0 preprocessor rules
>> >> Feb  2 21:27:15 (none) snort[19257]: 5866 Option Chains linked into 624 Chain Headers
>> >> Feb  2 21:27:15 (none) snort[19257]: 0 Dynamic rules
>> >> Feb  2 21:27:15 (none) snort[19257]: +++++++++++++++++++++++++++++++++++++++++++++++++++
>> >>
>> >> Doesn't that tell me that it's not loading any of the preprocessor,
>> >> decoder, or dynamic rules?
>> >>
>> >> Here is more from syslog where it says it is loading them I thought.
>> >>
>> >> Loading all dynamic engine libs from /snort_lib/snort_dynamicengine...
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic engine /snort_lib/snort_dynamicengine/libsf_engine.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic engine libs from /snort_lib/snort_dynamicengine
>> >> Feb  2 21:30:14 (none) snort[19434]: Loading all dynamic detection libs from /snort_lib/snort_dynamicrules...
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/bad-traffic.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/chat.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/dos.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/exploit.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/imap.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/misc.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/multimedia.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/netbios.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/nntp.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/p2p.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/smtp.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/sql.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-client.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-misc.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-activex.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic detection library /snort_lib/snort_dynamicrules/web-iis.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic detection libs from /snort_lib/snort_dynamicrules
>> >> Feb  2 21:30:14 (none) snort[19434]: Loading all dynamic preprocessor libs from /snort_lib/snort_dynamicpreprocessor...
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_dns_preproc.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Loading dynamic preprocessor library /snort_lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so...
>> >> Feb  2 21:30:14 (none) snort[19434]: done
>> >> Feb  2 21:30:14 (none) snort[19434]:   Finished Loading all dynamic preprocessor libs from /snort_lib/snort_dynamicpreprocessor
>> >>
>> >> Here's my snort.conf
>> >>
>> >> var HOME_NET [10.27.1.0/24,10.10.1.0/24,10.150.1.0/24]
>> >> var EXTERNAL_NET !$HOME_NET
>> >> var DNS_SERVERS 10.27.1.2
>> >> var SMTP_SERVERS $HOME_NET
>> >> var HTTP_SERVERS $HOME_NET
>> >> var SQL_SERVERS $HOME_NET
>> >> var TELNET_SERVERS $HOME_NET
>> >> var SNMP_SERVERS $HOME_NET
>> >> var HTTP_PORTS 80
>> >> var SHELLCODE_PORTS !80
>> >> var ORACLE_PORTS 1521
>> >> var SSH_PORTS 22
>> >> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
>> >> var RULE_PATH  /snort/conf
>> >> var SORULE_PATH /snort/conf/so_rules
>> >> #config detection: search-method ac
>> >> config disable_decode_alerts
>> >> config disable_tcpopt_experimental_alerts
>> >> config profile_rules: print 20, sort total_ticks, filename rule_profiles.txt
>> >> dynamicdetection directory /snort_lib/snort_dynamicrules
>> >> dynamicpreprocessor directory /snort_lib/snort_dynamicpreprocessor
>> >> dynamicengine directory /snort_lib/snort_dynamicengine
>> >> config flowbits_size: 256
>> >> include classification.config
>> >> include reference.config
>> >> include $RULE_PATH/general.rules
>> >> include $RULE_PATH/local.rules
>> >> #include $RULE_PATH/so.rules
>> >> include $SORULE_PATH/bad-traffic.rules
>> >> include $SORULE_PATH/chat.rules
>> >> include $SORULE_PATH/dos.rules
>> >> include $SORULE_PATH/exploit.rules
>> >> include $SORULE_PATH/imap.rules
>> >> include $SORULE_PATH/misc.rules
>> >> include $SORULE_PATH/multimedia.rules
>> >> include $SORULE_PATH/netbios.rules
>> >> include $SORULE_PATH/nntp.rules
>> >> include $SORULE_PATH/p2p.rules
>> >> include $SORULE_PATH/smtp.rules
>> >> include $SORULE_PATH/sql.rules
>> >> include $SORULE_PATH/web-client.rules
>> >> include $SORULE_PATH/web-misc.rules
>> >> preprocessor frag3_global: max_frags 65536
>> >> preprocessor frag3_engine: policy first detect_anomalies timeout 1800
>> >> preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
>> >> preprocessor stream5_tcp: policy first
>> >> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
>> >> preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
>> >> preprocessor rpc_decode: 111 32771
>> >> #preprocessor bo
>> >> #preprocessor flow: stats_interval 0 hash 2
>> >> preprocessor sfportscan: proto  { all } \
>> >>                          scan_type { all } \
>> >>                          memcap { 10000000 } \
>> >>                          sense_level { medium }
>> >> preprocessor perfmonitor: \
>> >> time 30 events flow max console pktcnt 10000
>> >> preprocessor arpspoof
>> >> preprocessor dcerpc2
>> >> #preprocessor ssl: noinspect_encrypted
>> >> output queue: /var/log/snort/queue/ /snort/conf/sidfile
>> >> #output alert_syslog: LOG_AUTH LOG_ALERT
>> >>
>> >> Thanks,
>> >> Andy Berryman
>> >> Cymtec Systems
>> >> support at ...14758...
>> >>
>> >> _______________________________________________
>> >> Snort-users mailing list
>> >> Snort-users at lists.sourceforge.net
>> >> Go to this URL to change user options or unsubscribe:
>> >> https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> Snort-users list archive:
>> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >
>> >
>> >
>> > --
>> > Matthew Watchinski
>> > Sr. Director Vulnerability Research Team (VRT)
>> > Sourcefire, Inc.
>> > Office: 410-423-1928
>> > http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>> >
>> >
>>
>>
>> Also, if the shared object rules didn't get activated there is some
>> more output from snort after the output you pasted that would be
>> useful.
>>
>> Make sure you dumped the shared object rule stubs into your SORULE_PATH.
>>
>>  # snort -c /snort/conf/snort.conf --dump-dynamic-rules=/snort/conf/so_rules
>>
>> --
>> Nigel Houghton
>> Head Mentalist
>> SF VRT
>> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>>
>
>
>
> --
> Matthew Watchinski
> Sr. Director Vulnerability Research Team (VRT)
> Sourcefire, Inc.
> Office: 410-423-1928
> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>
>
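The checks raised in this thread (Matt's: decoder/preprocessor rules need the configure flag and the rule-file includes; Nigel's: SO stubs must be dumped into SORULE_PATH and included), as an added example that is not part of the thread or of Snort itself. It parses the startup summary lines quoted above plus a snort.conf fragment; the `so_?rule` path heuristic and the sample inputs are assumptions, constructed from Andy's posted output.

```python
import re

# Rule-chain summary Snort 2.8 writes to syslog at startup (format as quoted in this thread).
COUNT_RE = re.compile(r"(\d+)\s+(detection|decoder|preprocessor|Dynamic) rules\b")
# Logged once per SO rule whose stub loaded but is commented out / disabled.
NOT_ENABLED_RE = re.compile(r"DynamicPlugin: Rule \[(\d+):(\d+)\] not enabled")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)", re.M)

def parse_startup_log(lines):
    """Return ({rule kind: count}, [(gid, sid), ...] of SO rules Snort skipped)."""
    counts = {"detection": 0, "decoder": 0, "preprocessor": 0, "Dynamic": 0}
    skipped = []
    for line in lines:
        m = COUNT_RE.search(line)
        if m:
            counts[m.group(2)] = int(m.group(1))
        m = NOT_ENABLED_RE.search(line)
        if m:
            skipped.append((int(m.group(1)), int(m.group(2))))
    return counts, skipped

def diagnose(counts, skipped, conf_text):
    """Apply the checks raised in the thread to the summary and a snort.conf."""
    includes = INCLUDE_RE.findall(conf_text)
    findings = []
    if counts["decoder"] == 0 and counts["preprocessor"] == 0:
        if any(i.endswith(("decoder.rules", "preprocessor.rules")) for i in includes):
            findings.append("decoder/preprocessor rules included but none loaded: "
                            "rebuild with ./configure --enable-decoder-preprocessor-rules")
        else:
            findings.append("decoder/preprocessor rules not included: add "
                            "preproc_rules/decoder.rules and preprocessor.rules")
    # Assumption: SO stub includes reference a path or variable containing 'so_rule'/'sorule'.
    has_so_stubs = any(re.search(r"so_?rule", i, re.I) for i in includes)
    if "dynamicdetection" in conf_text and not has_so_stubs:
        findings.append("dynamicdetection set but no SO stubs included: run snort -c "
                        "<snort.conf> --dump-dynamic-rules=<SORULE_PATH> and include them")
    if skipped:
        findings.append("%d SO rule(s) disabled in their stub file, e.g. GID:SID %d:%d"
                        % (len(skipped), skipped[0][0], skipped[0][1]))
    return findings

# Constructed sample input modelled on Andy's startup output and snort.conf above.
ANDY_LOG = """Feb  2 21:27:15 (none) snort[19257]: 5866 Snort rules read
Feb  2 21:27:15 (none) snort[19257]:     5866 detection rules
Feb  2 21:27:15 (none) snort[19257]:     0 decoder rules
Feb  2 21:27:15 (none) snort[19257]:     0 preprocessor rules
Feb  2 21:27:15 (none) snort[19257]: 0 Dynamic rules""".splitlines()
ANDY_CONF = """var SORULE_PATH /snort/conf/so_rules
dynamicdetection directory /snort_lib/snort_dynamicrules
include $RULE_PATH/local.rules
include $SORULE_PATH/web-misc.rules"""
```

Running `diagnose(*parse_startup_log(ANDY_LOG), ANDY_CONF)` reports only the missing decoder/preprocessor rule includes, which is the point Matt made; Wally's output (65 decoder, 177 preprocessor) passes that check and only reports the disabled SO rules.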