[Snort-users] Snort only partially alerting

Joel Esler jesler at ...1935...
Fri Jun 21 11:03:59 EDT 2013


Can you send me the pcap off list?

On Jun 21, 2013, at 11:01 AM, Frank Calone <fc10011001 at ...11827...> wrote:

> 1)   In my continuing efforts to figure out why Snort misses nearly all of the exe downloads I performed a TCPDUMP on the same interface to ensure the traffic is there that I am expecting to have Snort alert on.  Here is the latest.  I had TCPDUMP already installed on our Centos system and so I enabled packet capture with the following command:
>  
> tcpdump -i p1p1 -N -w tcpdump.jun20.v3.pcap src 15.8.5.18 or dst 15.8.5.18
>  
> 2)   I started snort as follows:
>  
> /usr/sbin/snort -A fast -d   -i  p1p1 -u snort -g snort -c /etc/snort/snort1.conf -l /var/log/snort2 -G 1
>  
> 3)   I then downloaded putty.exe from  www.chiark.greenend.org.uk.
>  
> 4)   I then aborted both TCPDUMP and SNORT.  I checked the alert file in /var/log/snort2   to see if an alert showed up.  No hits.
>  
> 5)   I ran the tcpdump.jun20.v3.pcap file thru snort as follows:
>  
> snort -dvr  tcpdump.jun20.v3.pcap > testtcpd.jun20.v3
>  
> 6)   I reviewed the file (testtcpd.jun20.v3) and found this entry showing the network tap indeed is working fine as the Snort "content" string search value (This program cannot be run in DOS mode) is plainly visible:
>  
> 06/20-13:47:35.769947 46.43.34.31:80 -> 15.8.5.18:56416 TCP TTL:50 TOS:0x0 ID:61603 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0x3940EBD2  Ack: 0x51CD46B3  Win: 0x42  TcpLen: 20
> 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
> 0A 44 61 74 65 3A 20 54 68 75 2C 20 32 30 20 4A  .Date: Thu, 20 J
> 75 6E 20 32 30 31 33 20 31 37 3A 34 37 3A 33 35  un 2013 17:47:35
> 20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70   GMT..Server: Ap
> 61 63 68 65 0D 0A 4C 61 73 74 2D 4D 6F 64 69 66  ache..Last-Modif
> 69 65 64 3A 20 53 61 74 2C 20 31 30 20 44 65 63  ied: Sat, 10 Dec
> 20 32 30 31 31 20 31 33 3A 33 38 3A 33 37 20 47   2011 13:38:37 G
> 4D 54 0D 0A 45 54 61 67 3A 20 22 31 36 34 30 34  MT..ETag: "16404
> 30 37 2D 37 36 30 30 30 2D 34 62 33 62 64 30 34  07-76000-4b3bd04
> 63 34 33 31 34 30 22 0D 0A 41 63 63 65 70 74 2D  c43140"..Accept-
> 52 61 6E 67 65 73 3A 20 62 79 74 65 73 0D 0A 43  Ranges: bytes..C
> 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 34  ontent-Length: 4
> 38 33 33 32 38 0D 0A 4B 65 65 70 2D 41 6C 69 76  83328..Keep-Aliv
> 65 3A 20 74 69 6D 65 6F 75 74 3D 31 35 2C 20 6D  e: timeout=15, m
> 61 78 3D 39 39 0D 0A 43 6F 6E 6E 65 63 74 69 6F  ax=99..Connectio
> 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43  n: Keep-Alive..C
> 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70  ontent-Type: app
> 6C 69 63 61 74 69 6F 6E 2F 78 2D 6D 73 64 6F 73  lication/x-msdos
> 2D 70 72 6F 67 72 61 6D 0D 0A 0D 0A 4D 5A 90 00  -program....MZ..
> 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00  ................
> 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00  ....@...........
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 01 00 00 0E 1F BA 0E  ................
> 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70  ....!..L.!This p
> 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65  rogram cannot be
> 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65   run in DOS mode
> 2E 0D 0D 0A 24 00 00 00 00 00 00 00 6D 1F 98 6B  ....$.......m..k
> 29 7E F6 38 29 7E F6 38 29 7E F6 38 3A 76 9F 38  )~.8)~.8)~.8:v.8
> 2B 7E F6 38 2C 72 96 38 2B 7E F6 38 2C 72 F9 38  +~.8,r.8+~.8,r.8
> 32 7E F6 38 3A 76 AB 38 2B 7E F6 38 D3 5D EF 38  2~.8:v.8+~.8.].8
> 2D 7E F6 38 AA 76 AB 38 38 7E F6 38 29 7E F7 38  -~.8.v.88~.8)~.8
> 04 7F F6 38 2C 72 A9 38 95 7E F6 38 C5 75 A8 38  ...8,r.8.~.8.u.8
> 28 7E F6 38 2C 72 AC 38 28 7E F6 38 52 69 63 68  (~.8,r.8(~.8Rich
> 29 7E F6 38 00 00 00 00 00 00 00 00 00 00 00 00  )~.8............
>  
> 7)   Here is the output when I aborted the Snort process (run in foreground)
>  
> Packet I/O Totals:
>    Received:      1278250
>    Analyzed:      1278244 (100.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            6 (  0.000%)
>    Injected:            0
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>         Eth:      1281819 (100.000%)
>        VLAN:            0 (  0.000%)
>         IP4:      1281734 ( 99.993%)
>        Frag:           58 (  0.005%)
>        ICMP:          901 (  0.070%)
>         UDP:        35748 (  2.789%)
>         TCP:       922437 ( 71.963%)
>         IP6:           32 (  0.002%)
>     IP6 Ext:           32 (  0.002%)
>    IP6 Opts:            0 (  0.000%)
>       Frag6:            0 (  0.000%)
>       ICMP6:           32 (  0.002%)
>        UDP6:            0 (  0.000%)
>        TCP6:            0 (  0.000%)
>      Teredo:            8 (  0.001%)
>     ICMP-IP:            0 (  0.000%)
>     IP4/IP4:            0 (  0.000%)
>     IP4/IP6:           24 (  0.002%)
>     IP6/IP4:            0 (  0.000%)
>     IP6/IP6:            0 (  0.000%)
>         GRE:            0 (  0.000%)
>     GRE Eth:            0 (  0.000%)
>    GRE VLAN:            0 (  0.000%)
>     GRE IP4:            0 (  0.000%)
>     GRE IP6:            0 (  0.000%)
> GRE IP6 Ext:            0 (  0.000%)
>    GRE PPTP:            0 (  0.000%)
>     GRE ARP:            0 (  0.000%)
>     GRE IPX:            0 (  0.000%)
>    GRE Loop:            0 (  0.000%)
>        MPLS:            0 (  0.000%)
>         ARP:           18 (  0.001%)
>         IPX:            0 (  0.000%)
>    Eth Loop:            0 (  0.000%)
>    Eth Disc:            0 (  0.000%)
>    IP4 Disc:       322566 ( 25.165%)
>    IP6 Disc:            0 (  0.000%)
>    TCP Disc:            0 (  0.000%)
>    UDP Disc:            0 (  0.000%)
>   ICMP Disc:            0 (  0.000%)
> All Discard:       322566 ( 25.165%)
>       Other:           67 (  0.005%)
> Bad Chk Sum:          326 (  0.025%)
>     Bad TTL:            0 (  0.000%)
>      S5 G 1:         2314 (  0.181%)
>      S5 G 2:         1261 (  0.098%)
>       Total:      1281819
> ===============================================================================
> Action Stats:
>      Alerts:            0 (  0.000%)
>      Logged:            0 (  0.000%)
>      Passed:            0 (  0.000%)
> Limits:
>       Match:            0
>       Queue:            0
>         Log:            0
>       Event:            0
>       Alert:            0
> Verdicts:
>       Allow:      1189531 ( 93.059%)
>       Block:            0 (  0.000%)
>     Replace:            0 (  0.000%)
>   Whitelist:        88713 (  6.940%)
>   Blacklist:            0 (  0.000%)
>      Ignore:            0 (  0.000%)
> ===============================================================================
> Frag3 statistics:
>         Total Fragments: 58
>       Frags Reassembled: 0
>                Discards: 0
>           Memory Faults: 0
>                Timeouts: 0
>                Overlaps: 0
>               Anomalies: 0
>                  Alerts: 0
>                   Drops: 0
>      FragTrackers Added: 58
>     FragTrackers Dumped: 58
> FragTrackers Auto Freed: 0
>     Frag Nodes Inserted: 58
>      Frag Nodes Deleted: 58
> ===============================================================================
> Stream5 statistics:
>             Total sessions: 24790
>               TCP sessions: 19331
>               UDP sessions: 5459
>              ICMP sessions: 0
>                IP sessions: 0
>                 TCP Prunes: 0
>                 UDP Prunes: 0
>                ICMP Prunes: 0
>                  IP Prunes: 0
> TCP StreamTrackers Created: 19522
> TCP StreamTrackers Deleted: 19522
>               TCP Timeouts: 0
>               TCP Overlaps: 39
>        TCP Segments Queued: 115887
>      TCP Segments Released: 115887
>        TCP Rebuilt Packets: 39102
>          TCP Segments Used: 95388
>               TCP Discards: 262728
>                   TCP Gaps: 6707
>       UDP Sessions Created: 5459
>       UDP Sessions Deleted: 5459
>               UDP Timeouts: 0
>               UDP Discards: 0
>                     Events: 133590
>            Internal Events: 0
>            TCP Port Filter
>                    Dropped: 0
>                  Inspected: 0
>                    Tracked: 918536
>            UDP Port Filter
>                    Dropped: 0
>                  Inspected: 24930
>                    Tracked: 5459
> ===============================================================================
> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>     POST methods:                         172
>     GET methods:                          12647
>     HTTP Request Headers extracted:       12858
>     HTTP Request Cookies extracted:       6798
>     Post parameters extracted:            171
>     HTTP response Headers extracted:      9755
>     HTTP Response Cookies extracted:      1380
>     Unicode:                              247
>     Double unicode:                       0
>     Non-ASCII representable:              15
>     Directory traversals:                 0
>     Extra slashes ("//"):                 2237
>     Self-referencing paths ("./"):        0
>     HTTP Response Gzip packets extracted: 1457
>     Gzip Compressed Data Processed:       3087532.00
>     Gzip Decompressed Data Processed:     9451498.00
>     Total packets processed:              377200
> ===============================================================================
> SMTP Preprocessor Statistics
>   Total sessions                                    : 28
>   Max concurrent sessions                           : 3
>   Base64 attachments decoded                        : 2
>   Total Base64 decoded bytes                        : 1676
>   Quoted-Printable attachments decoded              : 3
>   Total Quoted decoded bytes                        : 1133
>   UU attachments decoded                            : 0
>   Total UU decoded bytes                            : 0
>   Non-Encoded MIME attachments extracted            : 10
>   Total Non-Encoded MIME bytes extracted            : 2066
> ===============================================================================
> dcerpc2 Preprocessor Statistics
>   Total sessions: 300
>   Total sessions autodetected: 124
>   Total sessions aborted: 164
>  
>   Transports
>     SMB
>       Total sessions: 117
>       Packet stats
>         Packets: 218
>         Ignored bytes: 2635
>         Not NBSS Session Message: 2
>         Not IPC packets (after tree connect): 1
>         Maximum outstanding requests: 1
>         SMB command requests/responses processed
>           Negotiate (0x72) : 85/37
>           Session Setup AndX (0x73) : 2/2
>           Tree Connect AndX (0x75) : 1/1
>     TCP
>       Total sessions: 183
>       Packet stats
>         Packets: 2538
>  
>   DCE/RPC
>     Connection oriented
>       Packet stats
>         PDUs: 2538
>           Bind: 136
>           Bind Ack: 136
>           Alter context: 68
>           Alter context response: 68
>           Request: 1057
>           Response: 992
>           Auth3: 80
>           Orphaned: 1
>         Request fragments: 1
>           Min fragment size: 0
>           Max fragment size: 0
>           Frag reassembled: 0
>         Response fragments: 0
>         Client PDU segmented reassembled: 0
>         Server PDU segmented reassembled: 0
> ===============================================================================
> SSL Preprocessor:
>    SSL packets decoded: 15811
>           Client Hello: 2833
>           Server Hello: 1528
>            Certificate: 393
>            Server Done: 5354
>    Client Key Exchange: 1601
>    Server Key Exchange: 117
>          Change Cipher: 5428
>               Finished: 0
>     Client Application: 3061
>     Server Application: 1645
>                  Alert: 622
>   Unrecognized records: 4780
>   Completed handshakes: 0
>         Bad handshakes: 0
>       Sessions ignored: 1642
>     Detection disabled: 301
> ===============================================================================
> SIP Preprocessor Statistics
>   Total sessions: 163
>   SIP anomalies : 11
>   Requests: 0
>           invite:   0
>           cancel:   0
>              ack:   0
>              bye:   0
>         register:   0
>          options:   0
>            refer:   0
>        subscribe:   0
>           update:   0
>             join:   0
>             info:   0
>          message:   0
>           notify:   0
>            prack:   0
>   Responses: 0
>              1xx:   0
>              2xx:   0
>              3xx:   0
>              4xx:   0
>              5xx:   0
>              6xx:   0
>              7xx:   0
>              8xx:   0
>              9xx:   0
> Ignore sessions:   0
> Ignore channels:   0
> ===============================================================================
> Reputation Preprocessor Statistics
>   Total Memory Allocated: 0
> ===============================================================================
> Snort exiting
>  
> 8)    Here is the rule that should have detected this.  I am only running 2 rules at this time.
>  
> alert tcp ![128.131.0.0/16] !20 -> $HOME_NET any (msg:"exe downloaded"; content:"This program cannot be run in DOS mode";  sid:1999998; rev:5;)
>  
> 9) I tried running snort in the full packet logger mode (/usr/sbin/snort -dev -i p1p1 -l /var/log/snort -h x.x.x.x/16).  I immediately started getting the following warning messages:
>  
> (snort_decoder) WARNING: IP dgm len > captured len
>  
> I then ran the binary capture thru the snort playback (-dvr option).  Looking at the packets tied to my PC, I can see that almost all of them have a datagram length of 40.  Very few packets showed up with a real payload, certainly not enough to amount to the size of the file I downloaded during the testing.  I'm not sure if there is a config setting or something else going wrong here such that very few packets have any real data.  Here is a sample of what I am seeing (the last two are in order they appeared in the dump file):
>  
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 06/18-16:20:19.229724 15.8.5.18:62287 -> 212.13.197.229:80
> TCP TTL:127 TOS:0x0 ID:7467 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x3279955A  Ack: 0xEF27E0F7  Win: 0x4029  TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>  
> 06/18-16:20:25.306989 212.13.197.229:80 -> 15.8.5.18:62287
> TCP TTL:44 TOS:0x0 ID:43106 IpLen:20 DgmLen:40 DF
> ***A***F Seq: 0xEF27E0F7  Ack: 0x3279955B  Win: 0x5C  TcpLen: 20
>  
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>  
> 06/18-16:20:27.305825 212.13.197.229:80 -> 15.8.5.18:62285
> TCP TTL:44 TOS:0x0 ID:3711 IpLen:20 DgmLen:40 DF
> ***A***F Seq: 0x53804DD1  Ack: 0x77F4A813  Win: 0x5C  TcpLen: 20
>  
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>  
> 06/18-16:20:27.306281 15.8.5.18:62285 -> 212.13.197.229:80
> TCP TTL:127 TOS:0x0 ID:9849 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x77F4A813  Ack: 0x53804DD2  Win: 0x4029  TcpLen: 20
>  
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>  
> 06/18-16:20:34.312205 212.13.197.229:80 -> 15.8.5.18:62286
> TCP TTL:44 TOS:0x0 ID:50990 IpLen:20 DgmLen:40 DF
> ***A***F Seq: 0x3FC527C5  Ack: 0xCF59BF2B  Win: 0x83  TcpLen: 20
>  
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
>  
> I'm looking for suggestions on what is broken or what to try next to get this resolved.  Our server is Centos  
> (2.6.32-358.6.2.el6.x86_64) with 4 GB memory.  I set the stream5 memcap to 1 GB (1073741824), maxtcp 393216 in the config file.  Perfmon shows 90% CPU avail and max memory used at any point of 250 MB.  Snort Build shows the following:
>   ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.4.5 GRE (Build 71)
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.0.0
>            Using PCRE version: 7.8 2008-09-05
>            Using ZLIB version: 1.2.3
>  
> Frank
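As an added example (written for this archive page, not code from the thread or from the Snort project), a small Python walker over a pcap file that checks the two things steps 6 and 9 above check by eye: whether each captured frame holds the whole IP datagram (the condition behind the "IP dgm len > captured len" warning) and whether the rule's content string is visible in a TCP segment. The pcap format is parsed by hand, and the two frames are constructed, borrowing the addresses and sequence numbers from the dump quoted above.

```python
import struct
CONTENT = b"This program cannot be run in DOS mode"  # the rule's content: string
PCAP_MAGIC = 0xA1B2C3D4

def build_pcap(packets, snaplen=1514):
    """Little-endian pcap file from (captured_frame, original_length) pairs."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for i, (frame, orig_len) in enumerate(packets):
        out += struct.pack("<IIII", 1371757655, i, len(frame), orig_len) + frame
    return out

def ipv4_tcp_frame(payload):
    """Ethernet + IPv4 + TCP frame carrying payload (constructed; addresses from the dump)."""
    tcp = struct.pack("!HHIIBBHHH", 80, 56416, 0x3940EBD2, 0x51CD46B3, 5 << 4, 0x18, 66, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 61603, 0x4000,
                     50, 6, 0, bytes([46, 43, 34, 31]), bytes([15, 8, 5, 18]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def sample_packets():
    """Constructed sample: one complete segment with the MZ stub, one cut short on capture."""
    full = ipv4_tcp_frame(b"HTTP/1.1 200 OK\r\n\r\nMZ" + b"\x00" * 60 + CONTENT + b".\r\r\n$")
    big = ipv4_tcp_frame(b"A" * 1400 + CONTENT)  # IP header says 1498 bytes...
    return [(full, len(full)), (big[:200], len(big))]  # ...but only 200 bytes were captured

def audit_pcap(data):
    """Count frames whose IP total length exceeds the bytes captured (the condition behind
    Snort's 'IP dgm len > captured len' warning) and frames whose TCP payload holds CONTENT."""
    magic, _, _, _, _, snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != 1:
        raise ValueError("expected a little-endian Ethernet pcap")
    off, truncated, hits = 24, 0, 0
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4; skip
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack("!H", frame[16:18])[0]
        if incl_len < orig_len or ip_total > len(frame) - 14:
            truncated += 1  # the case behind the decoder warning: payload bytes are missing
        tcp = 14 + ihl
        if frame[23] == 6 and len(frame) >= tcp + 20:
            doff = (frame[tcp + 12] >> 4) * 4
            if CONTENT in frame[tcp + doff:]:
                hits += 1  # string visible inside this single segment
    return {"snaplen": snaplen, "truncated": truncated, "content_hits": hits}

if __name__ == "__main__":
    print(audit_pcap(build_pcap(sample_packets())))
```

Matching here is per segment only; a string that straddles two segments would only be found after the Stream5 reassembly that the live Snort run performs.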
