[Snort-users] flow:established still broken in 2.9.0.5?

Russ Combs rcombs at ...1935...
Wed Jun 29 17:33:52 EDT 2011


On Wed, Jun 29, 2011 at 4:57 PM, Jason Haar <Jason.Haar at ...294...> wrote:

> On 29/06/11 22:47, Joel Esler wrote:
> >
> > Are you dropping packets?  I am wondering that, because maybe Snort
> > tagged this as a midstream pickup or something.
> Nope. snort is running on the proxy server itself, eth0 shows no errors,
> and doing a "kill -USR1" shows
>
> Packet I/O Totals:
> :    Received:    661036928
> :    Analyzed:    661016939 ( 99.997%)
> :    Dropped:        19989 (  0.003%)
> :    Filtered:            0 (  0.000%)
> :    Outstanding:        19989 (  0.003%)
> :    Injected:            0
>
>
> (this is snort-2.9.0.5 under CentOS-5.6 with "pcap DAQ configured to
> passive")
>
> > Do you have a pcap?
> >
> I have a pcap of the single packet that triggered the event - but not
> the first packet of the TCP stream - so I don't think it means much. As
> it's HTTPS, I'll attach it
>
> >
> > As a rule writing note, "isset" flowbit checks generally should come
> > before content.  I have no idea what this rule does though, but I'd
> > want the flowbit check before the content in this case, as it's only a
> > two byte match.
> That's an EmergingThreat rule - but that shouldn't matter. snort
> shouldn't have matched on a "depth:2" half-way through a tcp stream?
>

depth:2 applies to the current packet (raw or reassembled).  It is not a
depth from the beginning of the stream.

>
> The Big Question is: what does snort do when it "starts" in the middle
> of a tcp stream? Does it ignore all "flow" related rules, or does it
> (erroneously IMO) treat the first packet it sees as the first packet of
> the stream? (your question about packet loss makes me think that is what
> is happening?)
>
> Thanks
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
>
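The per-packet depth semantics Russ describes, modelled as an added Python example (this is not Snort's code; the packets, stream offsets and the two-byte pattern are constructed for illustration):

```python
# Model of Snort's content/depth matching as described in the reply above:
# depth bounds the search within the buffer the rule is evaluated against
# (one raw packet or one reassembled chunk), not within the whole TCP
# stream. Constructed example, not Snort source.
from dataclasses import dataclass


@dataclass
class Packet:
    stream_offset: int  # bytes of the stream that preceded this payload (constructed)
    payload: bytes


def content_depth_match(payload: bytes, pattern: bytes, depth: int) -> bool:
    """Snort-style content/depth: the pattern must lie entirely within the
    first `depth` bytes of the buffer being inspected."""
    return pattern in payload[:depth]


def matches_per_packet(packets, pattern: bytes, depth: int):
    """How Snort evaluates it: each packet (or reassembled buffer) is
    inspected on its own, so depth restarts at every buffer."""
    return [p.stream_offset for p in packets
            if content_depth_match(p.payload, pattern, depth)]


def matches_per_stream(packets, pattern: bytes, depth: int):
    """Hypothetical alternative, NOT how Snort works: depth measured from the
    first byte of the TCP stream. Included only for contrast."""
    return [p.stream_offset for p in packets
            if p.stream_offset < depth
            and content_depth_match(p.payload, pattern, depth - p.stream_offset)]


# Constructed stream: the two-byte pattern opens the first payload and also
# opens a payload that arrives well after the start of the stream.
STREAM = [
    Packet(0, b"AB" + b"x" * 10),     # first packet of the stream
    Packet(1500, b"CD" + b"x" * 10),  # unrelated midstream data
    Packet(3000, b"AB" + b"x" * 10),  # midstream packet starting with the pattern
]

if __name__ == "__main__":
    print(matches_per_packet(STREAM, b"AB", 2))  # [0, 3000]
    print(matches_per_stream(STREAM, b"AB", 2))  # [0]
```

With per-packet semantics the midstream packet at offset 3000 fires the rule, which is why a depth:2 content can match half-way through a stream even though flow:established is meant to keep such a rule off connections whose beginning Snort never saw.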