[Snort-users] [Emerging-Sigs] Snort Alerts Differences with and without WebProxy

Balasubramaniam Natarajan bala150985 at ...11827...
Wed May 30 02:56:52 EDT 2012


Here it is
root at ...15662...:/home/bala# grep http_inspect /etc/snort.conf
# HTTP normalization and anomaly detection.  For more information, see
README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \


On Mon, May 21, 2012 at 7:43 PM, Russ Combs <rcombs at ...1935...> wrote:

> The eth1 data looks like it is much further into the packet than the eth0
> data, so check your http_inspect flow depths.
>
> On Mon, May 21, 2012 at 3:30 AM, Balasubramaniam Natarajan <
> bala150985 at ...11827...> wrote:
>
>> I also tried giving an additional option of "-P 0" while invoking snort
>> still no result.
>>
>> On Mon, May 21, 2012 at 3:03 AM, Balasubramaniam Natarajan <
>> bala150985 at ...11827...> wrote:
>>
>>> There was an error in my previous link, this is the correct one which
>>> shows Test2 and Test3 results.
>>>
>>> http://img207.imageshack.us/img207/4480/snortproxy.jpg
>>>
>>>
>>> On Mon, May 21, 2012 at 12:58 AM, Balasubramaniam Natarajan <
>>> bala150985 at ...11827...> wrote:
>>>
>>>> Hi
>>>>
>>>> I made some more tests and I confirm that something is going wrong: if I
>>>> have the proxy on, snort is missing some alerts for my clients.
>>>>
>>>> *Baseline without Proxy*
>>>> When I did not use a webproxy for the client and accessed a page where
>>>> the username and password would be submitted over clear text, snort
>>>> would throw up this alert:
>>>> "ET POLICY Http Client Body contains pass= in cleartext".
>>>>
>>>> *Test1: (Running Wireshark on client)*
>>>> I ran wireshark locally on the client and tried to access the same page
>>>> where the username and password would be submitted over clear text.
>>>> Snort did not throw the alert like previously, though I am able to see my
>>>> username and password in the pcap.
>>>>
>>>> *Test2: (Running tcpdump on snort: #tcpdump -vv -i eth0 -w eth0.pcap -s 0)*
>>>> I ran tcpdump on the eth0 interface of snort and tried to access the
>>>> same page where the username and password would be submitted over clear
>>>> text. Snort did not throw the alert, though I am able to see my username
>>>> and password in the pcap.
>>>>
>>>> *Test3: (Running tcpdump on snort: #tcpdump -vv -i eth1 -w eth1.pcap -s 0)*
>>>> I ran tcpdump on the eth1 interface of snort and tried to access the
>>>> same page where the username and password would be submitted over clear
>>>> text. Snort did not throw the alert, though I am able to see my username
>>>> and password in the pcap.
>>>>
>>>> Attaching screen shot of Test2 and Test3.
>>>>
>>>> http://img207.imageshack.us/img207/4480/snortproxy.jpg
>>>>
>>>> *Note:* I had to add the additional switch of "-s 0" to tcpdump as I
>>>> was getting this error "[Packet size limited during capture: HTTP
>>>> truncated]".  I am not sure if snort is sharing the same fate as tcpdump,
>>>> and I am not sure how to add the additional switch of "-s 0" to the running
>>>> instance of snort.
>>>>
>>>> @Joel, thanks for showing the right group to address this question to,
>>>> and I did not see any "incorrect" appearing in the pcap.
>>>>
>>>>
>>>> On Sun, May 20, 2012 at 8:56 PM, Joel Esler <jesler at ...1935...>wrote:
>>>>
>>>>> Probably a better question for the Snort-users mailing list. But yes,
>>>>> the IPs may show up differently (for instance the source IP may be that of
>>>>> the proxy).
>>>>>
>>>>> Maybe some checksum errors in there?
>>>>>
>>>>> Do a tcpdump on the interface with the -vv options and see if
>>>>> "incorrect" shows up in the dump.
>>>>>
>>>>> --
>>>>> Joel Esler
>>>>>
>>>>> On May 20, 2012, at 4:31 AM, Balasubramaniam Natarajan <
>>>>> bala150985 at ...11827...> wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> Should there be any difference in Snort alerts if the internal
>>>>> clients are using a webproxy as opposed to those which are not?  I am
>>>>> asking this because I see a remarkable difference between the two.
>>>>>
>>>>>
>>>>> *Initial Configuration without Squid WebProxy*
>>>>>
>>>>> Internal Clients (Default Gateway eth1 on snort) ---> (eth1) Snort
>>>>> (eth0) ----> Internet
>>>>>
>>>>> Snort was running on eth1 and it logged lots of alerts
>>>>>
>>>>>
>>>>> *Present Configuration with Squid WebProxy*
>>>>>
>>>>> Internal Client (webproxy to snort:3128 on eth1)   ------> (eth1)
>>>>> Snort (eth0) ------> Internet
>>>>>
>>>>> Now Snort is running on the eth0 interface and the number of alerts
>>>>> logged is far lower.  I guess some alerts are somehow missed.
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Balasubramaniam Natarajan
>>>>> www.etutorshop.com/moodle/
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>


-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
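Russ Combs' suggestion to check the http_inspect flow depths is easy to test against a real capture. The script below is an added example, not from this thread and not Snort's own code: it takes a raw HTTP request (the bytes a "tcpdump -s 0" capture of the login POST would give you), reports how deep into the request the "pass=" token sits, and states whether a given depth cap would still let a content match see it. It assumes that client_flow_depth counts bytes from the start of the raw request with headers included, that 0 means "inspect everything", and that 300 is the documented default; that is my reading of README.http_inspect, so confirm it for the Snort version in use. The two sample requests, the hostnames, the proxy name and the depth values are all constructed.

```python
# Added example, not from the thread and not Snort's own code: given a raw
# HTTP request as it appears on the wire, report how deep the credential
# token sits and whether an http_inspect depth cap would still cover it.
# Assumptions: client_flow_depth counts bytes from the start of the raw
# request, headers included, with 0 meaning "inspect everything" (my reading
# of README.http_inspect; confirm for the Snort version in use). The two
# requests, the hostnames and the depth values below are all constructed.
from typing import List, Optional, Tuple

UNLIMITED = 0          # http_inspect convention: depth 0 = no cap
ASSUMED_DEFAULT = 300  # client_flow_depth default as documented (assumption)


def split_request(raw: bytes) -> Tuple[bytes, bytes]:
    """Split a raw HTTP/1.x request into (headers incl. blank line, body)."""
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        raise ValueError("request has no end-of-headers marker")
    return raw[: end + 4], raw[end + 4:]


def token_offset(raw: bytes, token: bytes) -> Optional[int]:
    """Offset of `token` from the start of the request, searching the body
    only (a match in the URI or a Cookie header is not a client-body hit)."""
    headers, body = split_request(raw)
    idx = body.find(token)
    return None if idx == -1 else len(headers) + idx


def min_depth_for(raw: bytes, token: bytes) -> Optional[int]:
    """Smallest depth, in bytes from request start, that still includes the
    whole token."""
    off = token_offset(raw, token)
    return None if off is None else off + len(token)


def covered_by_depth(raw: bytes, token: bytes, depth: int) -> bool:
    """True if a cap of `depth` bytes would still let a content match see the
    token.  depth == 0 means unlimited; a negative depth disables client-side
    inspection entirely."""
    need = min_depth_for(raw, token)
    if need is None or depth < 0:
        return False
    return depth == UNLIMITED or need <= depth


def build_request(lines: List[str], body: str) -> bytes:
    """Assemble a request from header lines (without CRLF) and a body,
    appending a correct Content-Length."""
    body_b = body.encode()
    hdr = "\r\n".join(lines + [f"Content-Length: {len(body_b)}"]) + "\r\n\r\n"
    return hdr.encode() + body_b


# Constructed sample: a browser login POST seen directly between client and server.
BROWSER_LINES = [
    "POST /login HTTP/1.1",
    "Host: example.com",
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language: en-us,en;q=0.5",
    "Accept-Encoding: gzip, deflate",
    "Referer: http://example.com/login",
    "Content-Type: application/x-www-form-urlencoded",
]
FORM_BODY = "user=alice&pass=secret123"
DIRECT_REQUEST = build_request(BROWSER_LINES, FORM_BODY)

# Constructed sample: the same POST after a forwarding proxy has added its
# own headers (Via / X-Forwarded-For), which pushes the body further in.
PROXIED_REQUEST = build_request(
    BROWSER_LINES + [
        "Via: 1.1 proxy.corp.example (squid/3.1.19)",
        "X-Forwarded-For: 10.0.0.25",
    ],
    FORM_BODY,
)


def report(raw: bytes, token: bytes = b"pass=", depth: int = ASSUMED_DEFAULT) -> dict:
    """Summarise where the token sits and whether `depth` would still see it."""
    return {
        "body_starts_at": len(split_request(raw)[0]),
        "token_offset": token_offset(raw, token),
        "min_depth_needed": min_depth_for(raw, token),
        "covered_at_depth": covered_by_depth(raw, token, depth),
    }


if __name__ == "__main__":
    for name, req in (("direct", DIRECT_REQUEST), ("proxied", PROXIED_REQUEST)):
        print(name, report(req))
```

With these two constructed requests the body of the direct POST starts at byte 367 and the proxied one at byte 439, so a 300-byte cap would miss "pass=" in both, and the proxy's two extra headers push the token a further 72 bytes in. Feed it the real request bytes from an "-s 0" capture of each interface, compare the minimum depth it reports against the http_inspect_server depth settings (the grep output above was cut off before them), and after changing the depth replay the same pcap with "snort -r" to confirm the ET rule now fires. A cap that is smaller than the offset of the body is a silent blind spot: the packet is on the wire, tcpdump shows it, and the rule simply never gets to look at that part of the stream.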