[Snort-users] [Emerging-Sigs] FP on 2012886 but I don't see how

Joel Esler jesler at ...1935...
Thu Aug 4 13:13:19 EDT 2011


I am wondering if Barnyard2 is logging the first packet, but not the tagged packet.

Can you use u2spewfoo, which we include with Snort, to look inside your unified2 file and find out if it's there?

<It's morning in Vegas and I'm not really awake yet.>

J

On Aug 4, 2011, at 12:56 PM, Weir, Jason wrote:

> Not really sure how to answer that..
> 
> Unified2 -> barnyard2 -> mysql -> base?
> 
> -J
> 
>> -----Original Message-----
>> From: Joel Esler [mailto:jesler at ...1935...] 
>> Sent: Thursday, August 04, 2011 12:53 PM
>> To: Weir, Jason
>> Cc: Emerging Sigs
>> Subject: Re: [Emerging-Sigs] FP on 2012886 but I don't see how
>> 
>> 
>> How are you logging?
>> 
>> Sent from my iPhone
>> 
>> On Aug 3, 2011, at 13:05, "Weir, Jason" <jason.weir at ...14916...> wrote:
>> 
>>> I think you were clear - my understanding not so much..
>>> You'd think it would log the packet it alerts on...  Joel, is there a
>>> reason for this?
>>> 
>>> Thanks!
>>> -J
>>> 
>>>> -----Original Message-----
>>>> From: rmkml [mailto:rmkml at ...953...] 
>>>> Sent: Wednesday, August 03, 2011 4:03 PM
>>>> To: Weir, Jason
>>>> Cc: Emerging Sigs; rmkml at ...953...
>>>> Subject: Re: [Emerging-Sigs] FP on 2012886 but I don't see how
>>>> 
>>>> 
>>>> Hi Jason,
>>>> Snort matches on the "first" payload packet and alerts + writes it to the pcap
>>>> (because you use http_*);
>>>> unfortunately, your content search (passwd) is on the
>>>> "second" payload packet...
>>>> Sorry if I'm not clear.
>>>> Regards
>>>> Rmkml
>>>> 
>>>> 
>>>> 
>>>> On Wed, 3 Aug 2011, Weir, Jason wrote:
>>>> 
>>>>> Yes - but it looks like it alerted on packet 1 from your
>>>>> example - there is no passwd= in packet 1...  Am I missing something in your
>>>>> explanation?
>>>>> 
>>>>> -J
>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: rmkml [mailto:rmkml at ...953...]
>>>>>> Sent: Wednesday, August 03, 2011 3:51 PM
>>>>>> To: Weir, Jason
>>>>>> Cc: Emerging Sigs; rmkml at ...953...
>>>>>> Subject: Re: [Emerging-Sigs] FP on 2012886 but I don't see how
>>>>>> 
>>>>>> 
>>>>>> Hi,
>>>>>> Excuse me, but what's the problem? Snort records only one packet per
>>>>>> alert, and an HTTP request allows splitting the URI onto the "first" payload
>>>>>> packet and the argument/value onto the "second" payload packet, like
>>>>>> this for example:
>>>>>> 1: POST /api/login/platintanium HTTP/1.1
>>>>>>   ....
>>>>>> 2: a=b&passwd=example
>>>>>> Regards
>>>>>> Rmkml
>>>>>> 
>>>>>> 
>>>>>> On Wed, 3 Aug 2011, Joel Esler wrote:
>>>>>> 
>>>>>>> Yes, please review the Snort.conf in the VRT rulepack as it
>>>>>>> has our recommended default settings.
>>>>>>> 
>>>>>>> When we put out a new rulepack and I announce it on
>>>>>>> http://blog.snort.org, I have a line in there that states if
>>>>>>> we have made any changes to the Snort.conf with the rulepack.
>>>>>>> We haven't done one in awhile.
>>>>>>> 
>>>>>>> J
>>>>>>> 
>>>>>>> On Aug 3, 2011, at 3:05 PM, Weir, Jason wrote:
>>>>>>> 
>>>>>>>> I see the manual has 262144 as the default, I'll start
>>>>>>>> there...  Manual doesn't specify what gets used if option isn't set... As I
>>>>>>>> don't have max_udp set...
>>>>>>>> 
>>>>>>>> -J
>>>>>>>> 
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: emerging-sigs-bounces at ...14333...
>>>>>>>>> [mailto:emerging-sigs-bounces at ...14333...] On Behalf
>>>>>>>>> Of Weir, Jason
>>>>>>>>> Sent: Wednesday, August 03, 2011 2:56 PM
>>>>>>>>> To: Emerging Sigs
>>>>>>>>> Subject: Re: [Emerging-Sigs] FP on 2012886 but I don't see how
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Joel,
>>>>>>>>> 
>>>>>>>>> What would you recommend? Looks like I'm @ 8192 currently..
>>>>>>>>> 
>>>>>>>>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes,
>>>>>>>>> track_icmp no max_active_responses 2 min_response_seconds 5
>>>>>>>>> 
>>>>>>>>> -J
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: Joel Esler [mailto:jesler at ...1935...]
>>>>>>>>>> Sent: Wednesday, August 03, 2011 2:52 PM
>>>>>>>>>> To: Weir, Jason
>>>>>>>>>> Cc: Emerging Sigs
>>>>>>>>>> Subject: Re: [Emerging-Sigs] FP on 2012886 but I don't see how
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Can you increase your max sessions in stream5?  It looks like
>>>>>>>>>> you are maxed out.
>>>>>>>>>> 
>>>>>>>>>> --
>>>>>>>>>> Sent from my iPad
>>>>>>>>>> Please excuse the brevity
>>>>>>>>>> 
>>>>>>>>>> On Aug 3, 2011, at 2:45 PM, "Weir, Jason" <jason.weir at ...14916...> wrote:
>>>>>>>>>> 
>>>>>>>>>>> Debian\Snort 2.9.0.5
>>>>>>>>>>> 
>>>>>>>>>>> I don't think it's load related...
>>>>>>>>>>> 
>>>>>>>>>>> %CPU   PID USER     COMMAND
>>>>>>>>>>> 8.4 15845 snort    /usr/local/bin/snort -q -u snort -g snort -c
>>>>>>>>>>> /etc/snort/snort.conf -i eth1
>>>>>>>>>>> 1.3 15846 root     /usr/local/bin/barnyard2 -q -c
>>>>>>>>>>> /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log blah blah blah
>>>>>>>>>>> 
>>>>>>>>>>> Output from snort perf monitor - consistently less than .05% packet
>>>>>>>>>>> loss, doesn't seem excessive to me, unless the switch is dropping
>>>>>>>>>>> packets before they get to the sensor..
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 1312388143,0.042,11.997,0.007,3.416,438,80.928,5.236,5.096,5.612,3.737,1690,1738,213.762,0,293,0.021,0.003,0.003,0.003,0.000,0.003,16,16,0,0,1,7.715,0.612,91.672,11.997,0.000,0.000,0.700,12.697,438,452,1474,409,437,3.416,0.000,0.000,0.214,3.630,3077133,1295,0,4.448,0.134,3885,3885,1738,210,400,1095,0.414,3.658,0.325,0.000,0.000,0,0,0.000,0,0.000,0,0,0,
>>>>>>>>>>> 
>>>>>>>>>>> -J
>>>>>>>>>>> 
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: Matthew Jonkman [mailto:jonkman at ...15020...]
>>>>>>>>>>>> Sent: Wednesday, August 03, 2011 2:33 PM
>>>>>>>>>>>> To: Weir, Jason
>>>>>>>>>>>> Cc: Emerging Sigs
>>>>>>>>>>>> Subject: Re: [Emerging-Sigs] FP on 2012886 but I don't see how
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> That ain't right...
>>>>>>>>>>>> 
>>>>>>>>>>>> Which engine/version/platform?
>>>>>>>>>>>> 
>>>>>>>>>>>> Overloaded? Any significant packet dropping going on?
>>>>>>>>>>>> 
>>>>>>>>>>>> Matt
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> On Aug 3, 2011, at 2:16 PM, Weir, Jason wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY
>>>>>>>>>>>>> Http Client Body contains passwd= in cleartext";
>>>>>>>>>>>>> flow:established,to_server; content:"passwd="; nocase; http_client_body;
>>>>>>>>>>>>> classtype:policy-violation; sid:2012886; rev:1;)
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Tripped on this
>>>>>>>>>>>>> 
>>>>>>>>>>>>> POST /api/login/platintanium HTTP/1.1
>>>>>>>>>>>>> Host: www.reddit.com
>>>>>>>>>>>>> Connection: keep-alive
>>>>>>>>>>>>> Referer: http://www.reddit.com/
>>>>>>>>>>>>> Content-Length: 83
>>>>>>>>>>>>> Origin: http://www.reddit.com
>>>>>>>>>>>>> X-Requested-With: XMLHttpRequest
>>>>>>>>>>>>> User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.107 Safari/535.1
>>>>>>>>>>>>> Content-Type: application/x-www-form-urlencoded
>>>>>>>>>>>>> Accept: application/json, text/javascript, */*; q=0.01
>>>>>>>>>>>>> Accept-Encoding: gzip,deflate,sdch
>>>>>>>>>>>>> Accept-Language: en-US,en;q=0.8
>>>>>>>>>>>>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
>>>>>>>>>>>>> Cookie: __utma=55650728.1511640242.1305205532.1310644711.1310647724.19; __utmz=55650728.1305205532.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _recentclicks2=t3_j7ryz%2C; _last_thing=; reddit_first=%7B%22organic_pos%22%3A%2057%2C%20%22firsttime%22%3A%20%22first%22%7D
>>>>>>>>>>>>> -J
> 
> 
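Worked illustration of the point rmkml makes in the thread. This is an added example, my own code rather than anything from the thread, from Snort or from Emerging Threats. It models a POST whose headers travel in one TCP segment and whose form body travels in the next, runs the rule's `content:"passwd="; nocase; http_client_body;` check the way Snort does it, against the reassembled stream, and then reports which segment actually carries the matched bytes. The request bytes and the host name are constructed placeholders, and reassembly is simplified to in-order concatenation (Stream5 also handles reordering and retransmits).

```python
"""
Added example (not part of the thread): why the single packet logged with an
alert on ET sid 2012886 can lack the "passwd=" the rule matched on.

Snort builds the http_client_body buffer from the reassembled TCP stream, so
the content match can land in a later segment than the one recorded with the
alert. The request below is constructed for this example; the host name is a
placeholder, and reassembly is simplified to in-order concatenation.
"""
from typing import Dict, List, Optional

PATTERN = b"passwd="  # content:"passwd="; nocase; http_client_body; (sid 2012886)

# Constructed request split the way rmkml describes: headers in the first
# payload segment, form body in the second.
HEADERS = (
    b"POST /api/login/platintanium HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"  # placeholder host, not the original
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n"
    b"\r\n"
)
TWO_SEGMENTS = [HEADERS, b"user=alice&passwd=hunter2"]
# Same request, but the segment boundary falls inside the pattern itself.
STRADDLING_SEGMENTS = [HEADERS, b"user=alice&pass", b"wd=hunter2"]


def reassemble(segments: List[bytes]) -> bytes:
    """Join in-order segment payloads into one stream buffer."""
    return b"".join(segments)


def client_body(stream: bytes) -> Optional[bytes]:
    """The request body, i.e. what http_client_body inspects; None until the
    header block has ended."""
    end = stream.find(b"\r\n\r\n")
    return None if end < 0 else stream[end + 4:]


def segment_for_offset(segments: List[bytes], offset: int) -> int:
    """Index of the segment carrying the byte at `offset` of the reassembled stream."""
    start = 0
    for index, seg in enumerate(segments):
        if start <= offset < start + len(seg):
            return index
        start += len(seg)
    raise IndexError("offset beyond reassembled stream")


def locate_pattern(segments: List[bytes], pattern: bytes = PATTERN) -> Dict:
    """Run the rule's content check on the reassembled body and report which
    segment(s) actually carry the matched bytes."""
    stream = reassemble(segments)
    body = client_body(stream)
    if body is None:
        return {"matched": False}
    pos = body.lower().find(pattern.lower())  # nocase
    if pos < 0:
        return {"matched": False}
    start = len(stream) - len(body) + pos
    return {
        "matched": True,
        "stream_offset": start,
        "segment_index": segment_for_offset(segments, start),
        "segments_holding_match": sorted(
            {segment_for_offset(segments, o) for o in range(start, start + len(pattern))}
        ),
    }


def segments_containing(segments: List[bytes], pattern: bytes = PATTERN) -> List[int]:
    """Segments that contain the pattern on their own: what a per-packet view
    (the one logged packet, or an analyst reading it in BASE) can see."""
    return [i for i, seg in enumerate(segments) if pattern.lower() in seg.lower()]


if __name__ == "__main__":
    for name, segs in (("two segments", TWO_SEGMENTS), ("straddling", STRADDLING_SEGMENTS)):
        hit = locate_pattern(segs)
        print(f"{name}: reassembled match lives in segment(s) {hit['segments_holding_match']}, "
              f"segments matching on their own: {segments_containing(segs)}")
```

In the first case the match is entirely in segment 1, so a logger that keeps only segment 0 (the headers) shows a request with no `passwd=` in it, which is exactly what Jason saw. The straddling case is worse: no individual segment contains the pattern at all, so inspecting any single logged packet cannot confirm the alert; only the reassembled stream (or the tagged follow-on packets Joel asks about) can. That is the check to make with u2spewfoo: whether the unified2 record holds the later segment(s), not just the first.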