[Snort-users] Snort not logging all alerts in pcap (was Oddness with 16295)

rmkml rmkml at ...1855...
Sat Nov 13 07:25:45 EST 2010


Hi James,
It's perfect, what's the problem?
If I remember correctly, Snort writes only one packet to the pcap file for one alert... (not the stream reassembly)
What Snort version do you use?
Maybe Snort "drops" packets? Read your log for packet stats or send 'kill -USR1 snort_pid'...
Regards
Rmkml


On Thu, 11 Nov 2010, Lay, James wrote:

> 
> OK so now I’m sure there’s an issue.  Below are more examples… everything is fine until alert timestamps 11/11-10:38:38.577756 and 11/11-10:38:38.818757… they are simply not there in the corresponding pcap file.  My settings are as follows:
> 
> output alert_fast: internetalert.fast
> output log_tcpdump: internettcpdump.pcap
> 
> Any reason some packets aren’t getting logged in the pcap file?  Any pointers would be excellent.
> 
> James
> 
> [10:45:48 jlay at ...15049...:~/log$] sudo tail -n 20 internetalert.fast
> 11/11-10:26:15.284212  [**] [1:2008418:4] ET POLICY Metasploit Framework Update [**] [Classification: Misc activity] [Priority: 3] {TCP} 216.75.1.230:443 -> 10.21.0.9:53302
> 11/11-10:27:41.141234  [**] [1:15306:4] WEB-CLIENT Portable Executable binary file transfer [**] [Classification: Misc activity] [Priority: 3] {TCP} 68.142.93.133:80 -> 10.21.0.16:62912
> 11/11-10:27:58.026044  [**] [1:2406512:194] ET RBN Known Russian Business Network IP TCP (257) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.21.0.16:62962 -> 85.17.84.214:80
> 11/11-10:30:04.970609  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:63283 -> 199.7.50.72:80
> 11/11-10:30:36.362238  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:63388
> 11/11-10:30:44.274148  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 66.150.28.142:80 -> 10.21.0.16:63427
> 11/11-10:32:33.810911  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.75.15.140:80 -> 10.21.10.225:59450
> 11/11-10:34:04.413890  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64094 -> 173.204.52.197:80
> 11/11-10:35:42.820754  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:64404
> 11/11-10:35:49.670676  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 66.150.28.142:80 -> 10.21.0.16:64432
> 11/11-10:38:00.626191  [**] [1:2406512:194] ET RBN Known Russian Business Network IP TCP (257) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.21.0.16:64881 -> 85.17.84.212:80
> 11/11-10:38:38.577756  [**] [1:17487:1] WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 96.6.2.125:80 -> 10.21.0.16:64991
> 11/11-10:38:38.818757  [**] [1:17487:1] WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 72.246.94.34:80 -> 10.21.0.16:64835
> 11/11-10:38:46.511664  [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:65098 -> 66.220.146.32:80
> 11/11-10:40:49.997265  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:1181
> 11/11-10:40:57.546175  [**] [1:15306:4] WEB-CLIENT Portable Executable binary file transfer [**] [Classification: Misc activity] [Priority: 3] {TCP} 207.171.185.196:80 -> 10.21.0.16:1281
> 11/11-10:41:42.069675  [**] [1:648:10] SHELLCODE x86 NOOP [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 207.171.185.196:80 -> 10.21.0.16:1493
> 11/11-10:43:16.912596  [**] [1:5713:3] WEB-CLIENT Windows Metafile invalid header size integer overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 65.55.69.143:80 -> 10.21.0.16:1491
> 11/11-10:45:35.275018  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 97.65.104.17:80 -> 10.21.0.16:2634
> 
> From pcap file:
> 
> 10:26:15.284212 IP 216.75.1.230.443 > 10.21.0.9.53302: Flags [.], ack 1538376874, win 46, options [nop,nop,TS val 285059531 ecr 843329], length 1388
> 10:27:41.141234 IP 68.142.93.133.80 > 10.21.0.16.62912: Flags [.], ack 3472428307, win 65535, length 1400
> 10:27:58.026044 IP 10.21.0.16.62962 > 85.17.84.214.80: Flags [S], seq 3387361148, win 65535, options [mss 1460,nop,nop,sackOK], length 0
> 10:30:04.970609 IP 10.21.0.16.63283 > 199.7.50.72.80: Flags [P.], ack 1095737173, win 65535, length 20
> 10:30:36.362238 IP 64.210.194.188.80 > 10.21.0.16.63388: Flags [.], ack 2060485191, win 7504, length 1400
> 10:30:44.274148 IP 66.150.28.142.80 > 10.21.0.16.63427: Flags [.], ack 1404174044, win 7066, length 1400
> 10:32:33.810911 IP 64.75.15.140.80 > 10.21.10.225.59450: Flags [P.], ack 2592865250, win 1023, length 1380
> 10:34:04.413890 IP 10.21.0.16.64094 > 173.204.52.197.80: Flags [P.], ack 87661050, win 65535, length 12
> 10:35:42.820754 IP 64.210.194.188.80 > 10.21.0.16.64404: Flags [.], ack 706084536, win 7504, length 1400
> 10:35:49.670676 IP 66.150.28.142.80 > 10.21.0.16.64432: Flags [.], ack 3592031382, win 7066, length 1400
> 10:38:00.626191 IP 10.21.0.16.64881 > 85.17.84.212.80: Flags [S], seq 2705613011, win 65535, options [mss 1460,nop,nop,sackOK], length 0
> 10:40:49.997265 IP 64.210.194.188.80 > 10.21.0.16.1181: Flags [.], ack 2665905014, win 13936, length 1400
> 10:40:57.546175 IP 207.171.185.196.80 > 10.21.0.16.1281: Flags [.], ack 237172578, win 65535, length 1380
> 10:41:42.069675 IP 207.171.185.196.80 > 10.21.0.16.1493: Flags [.], ack 1349174870, win 49664, length 1380
> 10:43:16.912596 IP 65.55.69.143.80 > 10.21.0.16.1491: Flags [P.], ack 1907873745, win 13425, length 1400
> 10:45:35.275018 IP 97.65.104.17.80 > 10.21.0.16.2634: Flags [.], ack 1374951746, win 7504, length 1400
> 
> From: Lay, James [mailto:james.lay at ...15009...]
> Sent: Thursday, November 11, 2010 10:43 AM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Oddness with 16295
> 
> Bump… no takers on this?
> 
> From: Lay, James [mailto:james.lay at ...15009...]
> Sent: Wednesday, November 10, 2010 10:52 AM
> To: snort-users at lists.sourceforge.net
> Subject: Oddness with 16295
> 
> So this is weird… looking at this hit:
> 
> 11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 -> 10.21.0.16:64385
> 
> Fairly certain it’s an FP, but… when I hit the pcap dump file, it doesn’t show… here are consecutive hits in the alert file:
> 
> 11/10-10:37:25.096951  [**] [1:12280:2] WEB-CLIENT VML source file memory corruption [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185
> 11/10-10:37:25.131950  [**] [1:12280:2] WEB-CLIENT VML source file memory corruption [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185
> 11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 -> 10.21.0.16:64385
> 11/10-10:39:35.643464  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64686 -> 66.211.180.40:80
> 
> And from the pcap file:
> 
> sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395
> 10:37:25.096951 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack 1081895485, win 4789, length 1400
> 10:37:25.131950 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack 1, win 4789, length 1400
> 10:39:35.643464 IP 10.21.0.16.64686 > 66.211.180.40.80: Flags [.], ack 2261207081, win 65535, length 536
> 
> So where did 16295 go?  A quick check for that IP gives nothing:
> 
> [10:48:24 jlay at ...15049...:~/log$] sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395 ip and host 204.11.109.23
> reading from file internettcpdump.pcap.1289401395, link-type EN10MB (Ethernet)
> [10:50:21 jlay at ...15049...:~/log$]
> 
> James Lay
> IT Security Analyst
> WinCo Foods
> 208-672-2014 Office
> 208-559-1855 Cell
> 650 N Armstrong Pl.
> Boise, Idaho 83704
> 
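Editor's added example (not code from the thread or from the Snort project): the cross-check James did by eye, as a script. It parses alert_fast lines and the text output of `tcpdump -n -r` over the log_tcpdump file, pairs each alert with the packet that carries the same timestamp and 5-tuple (log_tcpdump writes the triggering packet with its own capture time, which is why the timestamps line up exactly in the listings above), and lists the alerts with no partner. For each one it also says whether the flow is absent from the pcap altogether or merely lacks a packet at the alert's timestamp, which is the first thing to know before weighing rmkml's two candidate explanations. The embedded sample is the 10:38 to 10:40 window of the 11/11 listing above plus one constructed tcpdump line (marked in the code) that exercises the "flow present, wrong timestamp" case. Run over the whole 11/11 listing, it flags the 10:38:46.511664 Facebook Chat alert as well as the two 17487 alerts.

```python
"""Cross-check a Snort alert_fast file against the log_tcpdump pcap.

log_tcpdump writes one packet per alert (the packet that fired the rule)
with that packet's own timestamp, so every alert_fast line should pair
with exactly one `tcpdump -n -r <pcap>` line carrying the same time and
5-tuple.  Alerts without such a packet are reported.  IPv4 only, and the
alert_fast timestamp format is assumed to be MM/DD-hh:mm:ss.usec (no year).
"""
import re
from collections import namedtuple

Alert = namedtuple("Alert", "time gid sid msg src sport dst dport")
Packet = namedtuple("Packet", "time src sport dst dport")

# alert_fast: MM/DD-hh:mm:ss.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^\d{2}/\d{2}-(?P<time>\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
# tcpdump -n -r: hh:mm:ss.usec IP a.b.c.d.sport > e.f.g.h.dport: ...
PKT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{6})\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_alerts(text):
    """Parse alert_fast lines; lines that do not match the format are skipped."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            out.append(Alert(m.group("time"), int(m.group("gid")), int(m.group("sid")),
                             m.group("msg"), m.group("src"), int(m.group("sport")),
                             m.group("dst"), int(m.group("dport"))))
    return out


def parse_packets(text):
    """Parse `tcpdump -n -r` lines; the 'reading from file ...' banner is skipped."""
    out = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            out.append(Packet(m.group("time"), m.group("src"), int(m.group("sport")),
                              m.group("dst"), int(m.group("dport"))))
    return out


def find_unlogged(alerts, packets):
    """Return [(alert, reason)] for every alert with no packet at its time and 5-tuple."""
    exact = {(p.time, p.src, p.sport, p.dst, p.dport) for p in packets}
    flows = {(p.src, p.sport, p.dst, p.dport) for p in packets}
    missing = []
    for a in alerts:
        if (a.time, a.src, a.sport, a.dst, a.dport) in exact:
            continue
        if (a.src, a.sport, a.dst, a.dport) in flows:
            reason = "flow logged, but no packet at the alert timestamp"
        else:
            reason = "no packet for this flow at all"
        missing.append((a, reason))
    return missing


# Sample input: the 10:38-10:40 window of the alert_fast listing in the post.
ALERTS = """\
11/11-10:38:00.626191  [**] [1:2406512:194] ET RBN Known Russian Business Network IP TCP (257) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.21.0.16:64881 -> 85.17.84.212:80
11/11-10:38:38.577756  [**] [1:17487:1] WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 96.6.2.125:80 -> 10.21.0.16:64991
11/11-10:38:38.818757  [**] [1:17487:1] WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 72.246.94.34:80 -> 10.21.0.16:64835
11/11-10:38:46.511664  [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:65098 -> 66.220.146.32:80
11/11-10:40:49.997265  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:1181
"""

PACKETS = "\n".join([
    "reading from file internettcpdump.pcap, link-type EN10MB (Ethernet)",
    # The two packets from the post's tcpdump listing that fall in this window.
    "10:38:00.626191 IP 10.21.0.16.64881 > 85.17.84.212.80: Flags [S], seq 2705613011, win 65535, options [mss 1460,nop,nop,sackOK], length 0",
    "10:40:49.997265 IP 64.210.194.188.80 > 10.21.0.16.1181: Flags [.], ack 2665905014, win 13936, length 1400",
    # Constructed line, not from the post: same flow as the first 17487 alert
    # but a different timestamp, to show the "flow logged, wrong time" verdict.
    "10:38:38.100000 IP 96.6.2.125.80 > 10.21.0.16.64991: Flags [.], ack 1, win 100, length 1400",
])


if __name__ == "__main__":
    for a, why in find_unlogged(parse_alerts(ALERTS), parse_packets(PACKETS)):
        print(f"{a.time} [{a.gid}:{a.sid}] {a.src}:{a.sport} -> {a.dst}:{a.dport}: {why}")
```

To use it on real files, replace the embedded strings with the contents of the alert file and of `tcpdump -n -r internettcpdump.pcap` (no `-tttt`, so the timestamp keeps the hh:mm:ss.usec shape the regex expects). An alert whose flow is in the pcap but not at the alert's time points at the "one packet per alert" behaviour rmkml describes; an alert whose flow is absent entirely is the case to check against Snort's packet statistics (the `kill -USR1` dump) for drops.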