[Snort-users] [Emerging-Sigs] Snort Alerts Differences with and without WebProxy

Russ Combs rcombs at ...1935...
Mon May 21 10:13:20 EDT 2012


The eth1 data looks like it is much further into the packet than the eth0
data, so check your http_inspect flow depths.

On Mon, May 21, 2012 at 3:30 AM, Balasubramaniam Natarajan <
bala150985 at ...11827...> wrote:

> I also tried giving an additional option of "-P 0" while invoking Snort,
> but still no result.
>
> On Mon, May 21, 2012 at 3:03 AM, Balasubramaniam Natarajan <
> bala150985 at ...11827...> wrote:
>
>> There was an error in my previous link, this is the correct one which
>> shows Test2 and Test3 results.
>>
>> http://img207.imageshack.us/img207/4480/snortproxy.jpg
>>
>>
>> On Mon, May 21, 2012 at 12:58 AM, Balasubramaniam Natarajan <
>> bala150985 at ...11827...> wrote:
>>
>>> Hi
>>>
>>> I made some more tests and I confirm that something is going wrong if I
>>> have the proxy on: on my clients Snort is missing some alerts.
>>>
>>> *Baseline without Proxy*
>>> When I did not use a web proxy for the client and accessed a
>>> page wherein username and password would be submitted over clear text,
>>> Snort would throw up this alert:
>>> "ET POLICY Http Client Body contains pass= in cleartext".
>>>
>>> *Test1: (Running Wireshark on client)*
>>> I ran Wireshark locally on the client and tried to access the same
>>> page wherein username and password would be submitted over clear text.
>>> Snort did not throw the alert like previously, though I am able to see my
>>> username and password in the pcap.
>>>
>>> *Test2: (Running tcpdump on Snort: #tcpdump -vv -i eth0 -w eth0.pcap -s 0)*
>>> I ran tcpdump on the eth0 interface of Snort and tried to access the
>>> same page wherein username and password would be submitted over clear text.
>>> Snort did not throw the alert, though I am able to see my username and
>>> password in the pcap.
>>>
>>> *Test3: (Running tcpdump on Snort: #tcpdump -vv -i eth1 -w eth1.pcap -s 0)*
>>> I ran tcpdump on the eth1 interface of Snort and tried to access the
>>> same page wherein username and password would be submitted over clear text.
>>> Snort did not throw the alert, though I am able to see my username and
>>> password in the pcap.
>>>
>>> Attaching screen shot of Test2 and Test3.
>>>
>>> http://img207.imageshack.us/img207/4480/snortproxy.jpg
>>>
>>> *Note:* I had to add the additional switch of "-s 0" to tcpdump as I
>>> was getting this error: "[Packet size limited during capture: HTTP
>>> truncated]". I am not sure if Snort is sharing the same fate as tcpdump,
>>> and I am not sure how to add the additional switch of "-s 0" to the running
>>> instance of Snort.
>>>
>>> @Joel, thanks for showing me the right group to address this question to,
>>> and I did not see any "incorrect" appearing in the pcap.
>>>
>>>
>>> On Sun, May 20, 2012 at 8:56 PM, Joel Esler <jesler at ...1935...> wrote:
>>>
>>>> Probably a better question for the Snort-users mailing list. But yes,
>>>> the IPs may show up differently (for instance, the source IP may be that of
>>>> the proxy).
>>>>
>>>> Maybe some checksum errors in there?
>>>>
>>>> Do a tcpdump on the interface with the -vv options and see if
>>>> "incorrect" shows up in the dump.
>>>>
>>>> --
>>>> Joel Esler
>>>>
>>>> On May 20, 2012, at 4:31 AM, Balasubramaniam Natarajan <
>>>> bala150985 at ...11827...> wrote:
>>>>
>>>> Hi
>>>>
>>>> Should there be any difference in Snort alerts if the internal clients
>>>> are using a web proxy as opposed to those which are not? I am asking this
>>>> because I see a remarkable difference between the two.
>>>>
>>>>
>>>> *Initial Configuration without Squid WebProxy*
>>>>
>>>> Internal Clients (Default Gateway eth1 on snort) ---> (eth1) Snort
>>>> (eth0) ----> Internet
>>>>
>>>> Snort was running on eth1 and it logged lots of alerts
>>>>
>>>>
>>>> *Present Configuration with Squid WebProxy*
>>>>
>>>> Internal Client (webproxy to snort:3128 on eth1)   ------> (eth1) Snort
>>>> (eth0) ------> Internet
>>>>
>>>> Now Snort is running on the eth0 interface and the number of alerts which
>>>> are logged is far lower. I guess some alerts are somehow missed.
>>>>
>>>> --
>>>> Regards,
>>>> Balasubramaniam Natarajan
>>>> www.etutorshop.com/moodle/
>>>>
>>>>
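Russ's pointer to the http_inspect flow depths is the lever to check here. The following added Python model (not from the thread, and not Snort code) shows how a fixed inspection depth can hide a "pass=" body match once extra bytes sit ahead of the body, as happens when a request goes through a forward proxy with an absolute URI and proxy headers. The request bytes and the 300-byte depth are constructed for illustration; a depth of 0 is treated as "inspect everything", mirroring the http_inspect convention.

```python
# Added example (not from the thread): models how an inspection depth cap can
# hide a body match such as "pass=" when bytes ahead of the body grow (for
# example, extra proxy headers). Requests are constructed; 300 is illustrative.
CRLF = "\r\n"
BODY = "user=alice&pass=s3cret&submit=Login"


def build_request(headers):
    """Assemble a POST from constructed header lines plus the shared body."""
    headers = headers + ["Content-Type: application/x-www-form-urlencoded",
                         f"Content-Length: {len(BODY)}"]
    return (CRLF.join(headers) + CRLF + CRLF + BODY).encode()


# Direct client request (no proxy): the body starts well inside 300 bytes.
DIRECT = build_request([
    "POST /login.php HTTP/1.1",
    "Host: www.example.test",
    "User-Agent: Mozilla/5.0",
])

# Same submission via a forward proxy: absolute URI plus headers a proxied
# path typically carries (all values constructed), pushing the body past 300.
PROXIED = build_request([
    "POST http://www.example.test/login.php HTTP/1.1",
    "Host: www.example.test",
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Cookie: PHPSESSID=0123456789abcdef0123456789abcdef",
    "Via: 1.1 proxy.internal.test (squid)",
    "X-Forwarded-For: 10.0.0.12",
])


def inspected_bytes(request, depth):
    """Bytes the detection engine gets to see under a depth cap; 0 = no cap."""
    return request if depth == 0 else request[:depth]


def pass_offset(request):
    """Offset of the cleartext 'pass=' token inside the full request."""
    return request.find(b"pass=")


def alerts_on_pass(request, depth=300):
    """True if the 'pass=' content match lies inside the inspected region."""
    return b"pass=" in inspected_bytes(request, depth)


if __name__ == "__main__":
    for name, req in (("direct", DIRECT), ("proxied", PROXIED)):
        print(f"{name}: pass= at offset {pass_offset(req)}, "
              f"alert@300={alerts_on_pass(req)}, alert@0={alerts_on_pass(req, 0)}")
```

Running it shows the direct request alerting at a 300-byte depth while the proxied one only alerts once the cap is lifted, which is the symptom described in the thread.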