[Snort-users] perfmonitor pre-processor issues

Daniel Shepherd shepdelacreme at ...11827...
Thu Sep 30 20:50:28 EDT 2010


I can't provide pcaps unfortunately. The conf file was mostly the default 2.9.0 file. The only changes I had made were to define HOME_NET, EXTERNAL_NET, and some of the various DNS,SMTP, etc variables. As well as to enable the various rules files.

I've investigated a bit further and I don't think the feed I've been given from the network team is sane. It appears to be oversubscribed...and I'm not sure the span is setup properly in that I'm seeing the same packet multiple times. I'm going to have to try and get a decent feed from the network team and go from there.

What they say is true...garbage in...garbage out.


On Sep 30, 2010, at 5:48 PM, Joel Esler wrote:

> Is there anyway you can provide a snort.conf and a pcap of your
> network traffic to me privately?
> Something doesn't sound right.
> J
> On Thursday, September 30, 2010, Daniel Shepherd
> <shepdelacreme at ...11827...> wrote:
>> I am currently running 2.9.0 and am having a lot of preprocessor
>> issues. Alerts for http, stream5, and frag3 needed to be turned off
>> completely because the number of alerts was crushing the machine. The
>> largest offender by far was stream5 with alerts about excessive fragment
>> and "timestamp outside PAWS window". The
>> frag3 engine was giving similar fragmentation alerts. With alerting
>> turned off for those three pp’s I’m down to the smtp and dcerpc2 pp’s
>> sending excessive false positive alerts.
>> smtp – attempted command buffer overflow: more than 512 chars
>> smtp – attempted header name buffer overflow: ### chars before colon
>> I call the two above false positive because when looking at the
>> provided payload it appears that the preprocessor is alerting on data in
>> the body of the smtp message. I thought that putting the ignore_data
>> parameter in snort.conf for the smtp pp would stop this but it hasn’t.
>> dcerpc2 – Connection-oriented DCE/RPC – Invalid major version: ###
>> This is supposed to alert when a dcerpc connection is made and the
>> major version is anything but 5 according to the documentation. When I
>> download the payload in pcap format and view it with Wireshark the major
>> version is always correctly identified as 5 though.
>> I’m not sure where the problem lies, traffic, hardware, config, etc
>> but has anyone dealt with this before? I’d rather not turn off the pp
>> alerts completely but that is kind of where I’m at…is that what most
>> people do with the preprocessors?

More information about the Snort-users mailing list