[Snort-users] Snort only partially alerting

Frank Calone fc10011001 at ...11827...
Fri Jun 21 16:08:45 EDT 2013


Joel,
   I have already tried running Snort using the "-k none" option as was
recommended earlier this week.  I still got no alerts.  I tried testing an
exe download and had snort in full packet capture mode.  I looked at the
packets after doing a -dvr just for my PC and there simply is little there
that looks at all like what the TCPDUMP process captured (virtually no
payloads like you see in the pcap file).  Would the checksum problem
explain all the discards you noted?  The "bad chk sum" from the statistics
showed just 326 events for .025%.  That number to me looks very small then
as it is not even 1%.  If you want me to rerun with -k none option again, I
will do that.  Should I do any kind of other logging at the same time or
use other options to help diagnose?

Frank.

On Fri, Jun 21, 2013 at 3:19 PM, Joel Esler <jesler at ...1935...> wrote:

>   On Jun 21, 2013, at 11:04 AM, Joel Esler <jesler at ...1935...> wrote:
>
>  On Jun 21, 2013, at 11:01 AM, Frank Calone <fc10011001 at ...11827...> wrote:
>
>  All Discard:       322566 ( 25.165%)
>       Other:           67 (  0.005%)
> Bad Chk Sum:          326 (  0.025%)
>
>
> I'm asking for the pcap, as this concerns me.
>
>
> Frank, I took a look at the pcap you sent me and these are the alerts I
> received when I ran the pcap:
>
>  06/20-13:47:35.353332  [**] [1:16425:15] FILE-IDENTIFY Portable
> Executable binary file download request [**] [Classification: Misc
> activity] [Priority: 3] {TCP}
> 06/20-13:47:35.560161  [**] [1:16425:15] FILE-IDENTIFY Portable Executable
> binary file download request [**] [Classification: Misc activity]
> [Priority: 3] {TCP}
> 06/20-13:47:35.769947  [**] [1:25514:1] FILE-IDENTIFY Portable Executable
> download detected [**] [Classification: Misc activity] [Priority: 3] {TCP}
> 06/20-13:47:35.769947  [**] [1:25515:1] FILE-IDENTIFY Portable Executable
> binary file magic detected [**] [Classification: Misc activity] [Priority:
> 3] {TCP}
>
> My Snort.conf can be found here:
> http://www.snort.org/vrt/snort-conf-configurations/
>
> *I stripped off the IPs at the end*
>
> So when I looked at the pcap I noticed there were a ton of *incorrect*
> checksums (the cut at the end of the statement is intended to strip out IPs):
>
> $ tcpdump -r tcpdump.jun20.v3.pcap -vv | grep incorrect | cut -f2 -d:
>
>   Flags [.], cksum 0x44cd (incorrect -> 0x0172), seq 3485
>  Flags [.], cksum 0x44cd (incorrect -> 0x104b), seq 19545
>  Flags [P.], cksum 0x44cd (incorrect -> 0xc4e0), seq 38525
>  Flags [.], cksum 0x4a81 (incorrect -> 0xa44d), seq 41445
>  Flags [.], cksum 0x44cd (incorrect -> 0xf3a2), seq 45825
>  Flags [.], cksum 0x5035 (incorrect -> 0x647f), seq 48745
>  Flags [.], cksum 0x4a81 (incorrect -> 0x0ee7), seq 56045
>  Flags [.], cksum 0x44cd (incorrect -> 0xf978), seq 64805
>  Flags [.], cksum 0x4a81 (incorrect -> 0x050f), seq 79405
>  Flags [.], cksum 0x44cd (incorrect -> 0x2969), seq 83785
>  Flags [.], cksum 0x44cd (incorrect -> 0x25d5), seq 92545
>  Flags [.], cksum 0x4a81 (incorrect -> 0x2962), seq 95465
>  Flags [.], cksum 0x44cd (incorrect -> 0x001d), seq 129045
>  Flags [.], cksum 0x44cd (incorrect -> 0x8619), seq 148025
>  Flags [.], cksum 0x44cd (incorrect -> 0xc65d), seq 152405
>  Flags [.], cksum 0x4a81 (incorrect -> 0x0fc3), seq 174305
>  Flags [.], cksum 0x44cd (incorrect -> 0x9a82), seq 180145
>  Flags [.], cksum 0x44cd (incorrect -> 0x4cac), seq 183065
>  Flags [.], cksum 0x44cd (incorrect -> 0x3fdf), seq 193285
>  Flags [.], cksum 0x44cd (incorrect -> 0x31a0), seq 197665
>  Flags [.], cksum 0x44cd (incorrect -> 0xc5d8), seq 216645
>  Flags [.], cksum 0x4a81 (incorrect -> 0x0fa6), seq 223945
>  Flags [.], cksum 0x44cd (incorrect -> 0xf8f4), seq 240005
>  Flags [.], cksum 0x44cd (incorrect -> 0xe1ca), seq 261905
>  Flags [.], cksum 0x44cd (incorrect -> 0xf3d0), seq 269205
>  Flags [.], cksum 0x44cd (incorrect -> 0xdcb6), seq 272125
>  Flags [.], cksum 0x4a81 (incorrect -> 0x3841), seq 279425
>  Flags [P.], cksum 0x44cd (incorrect -> 0x2c66), seq 283805
>  Flags [.], cksum 0x44cd (incorrect -> 0x007f), seq 291105
>  Flags [.], cksum 0x44cd (incorrect -> 0x73ea), seq 302785
>  Flags [.], cksum 0x44cd (incorrect -> 0xcb65), seq 305705
>  Flags [.], cksum 0x44cd (incorrect -> 0xc839), seq 310085
>  Flags [.], cksum 0x44cd (incorrect -> 0x2080), seq 323225
>  Flags [.], cksum 0x44cd (incorrect -> 0x4970), seq 327605
>  Flags [.], cksum 0x44cd (incorrect -> 0x2909), seq 331985
>  Flags [.], cksum 0x4a81 (incorrect -> 0xff42), seq 339285
>  Flags [.], cksum 0x4a81 (incorrect -> 0xdc3d), seq 343665
>  Flags [.], cksum 0x44cd (incorrect -> 0x1557), seq 348045
>  Flags [.], cksum 0x6705 (incorrect -> 0x8ce1), seq 356805
>  Flags [.], cksum 0x4a81 (incorrect -> 0x23bb), seq 368485
>  Flags [.], cksum 0x44cd (incorrect -> 0xba3c), seq 402065
>  Flags [.], cksum 0x44cd (incorrect -> 0x9696), seq 418125
>  Flags [.], cksum 0x4a81 (incorrect -> 0xef8c), seq 421045
>  Flags [.], cksum 0x4a81 (incorrect -> 0xda29), seq 428345
>  Flags [P.], cksum 0x44cd (incorrect -> 0xe4c1), seq 434185
>  Flags [.], cksum 0x44cd (incorrect -> 0x91e7), seq 437105
>  Flags [.], cksum 0x44cd (incorrect -> 0x9e95), seq 442945
>  Flags [.], cksum 0x4a81 (incorrect -> 0x8aaf), seq 445865
>  Flags [.], cksum 0x44cd (incorrect -> 0x08ac), seq 454625
>  Flags [.], cksum 0x44cd (incorrect -> 0x1815), seq 457545
>  Flags [.], cksum 0x44cd (incorrect -> 0xba15), seq 467765
>  Flags [.], cksum 0x44cd (incorrect -> 0xc270), seq 470685
>  Flags [.], cksum 0x44cd (incorrect -> 0x8612), seq 475065
>  Flags [.], cksum 0x44cd (incorrect -> 0xd14c), seq 479445
>  Flags [P.], cksum 0x4089 (incorrect -> 0xccaa), seq 482365
>
> When I corrected the checksums on the file you sent me:
>
>  06/20-13:47:35.353332  [**] [1:16425:15] FILE-IDENTIFY Portable
> Executable binary file download request [**] [Classification: Misc
> activity] [Priority: 3] {TCP}
> 06/20-13:47:35.560161  [**] [1:16425:15] FILE-IDENTIFY Portable Executable
> binary file download request [**] [Classification: Misc activity]
> [Priority: 3] {TCP}
> 06/20-13:47:35.769947  [**] [1:25514:1] FILE-IDENTIFY Portable Executable
> download detected [**] [Classification: Misc activity] [Priority: 3] {TCP}
> 06/20-13:47:35.769947  [**] [1:25515:1] FILE-IDENTIFY Portable Executable
> binary file magic detected [**] [Classification: Misc activity] [Priority:
> 3] {TCP}
> 06/20-13:47:42.628989  [**] [1:20486:10] FILE-IDENTIFY RTF file magic
> detected [**] [Classification: Misc activity] [Priority: 3] {TCP}
>
> *again, with stripped out IPs*
>
> Either way I get alerts, but the second time I got an alert for RTF file
> magic as well, so it's quite obvious that the checksums are having some
> kind of effect over there.
>
> Try running Snort with "-k none" added to your command line to turn off
> checksum validation and see if you get an alert.
>
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
>
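The exchange above turns on what tcpdump means by "incorrect" checksums and why Snort, which validates IP and TCP checksums by default and discards failing packets before the stream and file preprocessors see them, stays quiet until "-k none" is passed. The script below is an added example, not code from this thread, from Sourcefire or from the Snort project. It recomputes the IPv4 header checksum and the TCP checksum (pseudo-header plus segment, RFC 1071 one's-complement arithmetic) over a raw Ethernet frame, reports stored versus expected values the way tcpdump -vv does, and rewrites them the way a tool such as tcprewrite --fixcsum would. The frame it checks is constructed inline (192.168.0.1:49152 to 192.168.0.199:80, carrying the first bytes of a PE header); those addresses, ports, the zeroed MACs and the deliberately wrong checksum value 0x1234 are assumptions made for the example, not values from Frank's capture. The usual reason a capture taken on the sending host shows this pattern is TCP checksum offload: libpcap copies the segment before the NIC has filled the field in.

```python
"""Verify and repair IPv4 and TCP checksums in a raw Ethernet frame.

Added example for the thread above; not code from the Snort project.
tcpdump -vv flags a segment as "incorrect" when the stored TCP checksum
differs from the one it recomputes over the pseudo-header and segment.
Snort performs the same validation by default and drops failing packets
before the stream and file preprocessors run, which is why "-k none"
(skip checksum validation) makes the alerts reappear.
"""
import struct

ETH_LEN = 14                 # Ethernet II header: dst MAC, src MAC, ethertype
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
PE_MAGIC = b"MZ\x90\x00"     # constructed payload: first bytes of a PE file


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: sum the 16-bit words, folding carries back in."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def ipv4_checksum(ip_hdr: bytes) -> int:
    """Header checksum, computed with the checksum field (bytes 10-11) zeroed."""
    return checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:])


def tcp_checksum(ip_hdr: bytes, tcp_seg: bytes) -> int:
    """TCP checksum over pseudo-header (src, dst, zero, proto, length) + segment."""
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp_seg))
    return checksum(pseudo + tcp_seg[:16] + b"\x00\x00" + tcp_seg[18:])


def split_frame(frame: bytes):
    """Return (eth, ip_hdr, tcp_seg) slices of an Ethernet/IPv4/TCP frame."""
    eth, rest = frame[:ETH_LEN], frame[ETH_LEN:]
    if struct.unpack("!H", eth[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ihl = (rest[0] & 0x0F) * 4                         # header length in bytes
    total_len = struct.unpack("!H", rest[2:4])[0]
    ip_hdr, tcp_seg = rest[:ihl], rest[ihl:total_len]   # drops Ethernet padding
    if ip_hdr[9] != IPPROTO_TCP:
        raise ValueError("not a TCP segment")
    return eth, ip_hdr, tcp_seg


def check_frame(frame: bytes) -> dict:
    """Compare stored and recomputed checksums, as tcpdump -vv does."""
    _, ip_hdr, tcp_seg = split_frame(frame)
    ip_stored = struct.unpack("!H", ip_hdr[10:12])[0]
    tcp_stored = struct.unpack("!H", tcp_seg[16:18])[0]
    ip_expected = ipv4_checksum(ip_hdr)
    tcp_expected = tcp_checksum(ip_hdr, tcp_seg)
    return {
        "ip_ok": ip_stored == ip_expected,
        "ip_stored": ip_stored, "ip_expected": ip_expected,
        "tcp_ok": tcp_stored == tcp_expected,
        "tcp_stored": tcp_stored, "tcp_expected": tcp_expected,
    }


def fix_frame(frame: bytes) -> bytes:
    """Rewrite both checksums so the frame validates (what tcprewrite --fixcsum does)."""
    eth, ip_hdr, tcp_seg = split_frame(frame)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    tcp_seg = tcp_seg[:16] + struct.pack("!H", tcp_checksum(ip_hdr, tcp_seg)) + tcp_seg[18:]
    return eth + ip_hdr + tcp_seg


def build_frame(payload: bytes, tcp_csum=None) -> bytes:
    """Constructed sample: 192.168.0.1:49152 -> 192.168.0.199:80, PSH/ACK.

    With tcp_csum=None the correct TCP checksum is written. Passing a value
    mimics a segment captured on a host with checksum offload, where libpcap
    sees the field before the NIC has filled it in. Addresses and MACs are
    assumed values for this example.
    """
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)          # zeroed MACs
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64,
                         IPPROTO_TCP, 0, bytes([192, 168, 0, 1]), bytes([192, 168, 0, 199]))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    tcp_seg = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    if tcp_csum is None:
        tcp_csum = tcp_checksum(ip_hdr, tcp_seg)
    return eth + ip_hdr + tcp_seg[:16] + struct.pack("!H", tcp_csum) + tcp_seg[18:]


if __name__ == "__main__":
    for label, frame in (("good", build_frame(PE_MAGIC)),
                         ("offloaded", build_frame(PE_MAGIC, tcp_csum=0x1234))):
        r = check_frame(frame)
        print("%-9s tcp cksum 0x%04x %s" % (label, r["tcp_stored"],
              "ok" if r["tcp_ok"] else "(incorrect -> 0x%04x)" % r["tcp_expected"]))
    print("after fix:", check_frame(fix_frame(build_frame(PE_MAGIC, 0x1234)))["tcp_ok"])
```

Run it as a script to see the same "(incorrect -> 0x....)" shape tcpdump prints for the corrupted frame and a clean result after the rewrite. Passing "-k none" to Snort skips this validation so the packet reaches the preprocessors; rewriting the checksums in the pcap offline gets the same packets through a Snort run with validation left on.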