[Snort-users] missing alerts: Snort does not inspect payload from the machine it's running on?

Claus Regelmann rgc at ...17118...
Fri Apr 8 15:19:57 EDT 2016


I dove into the source code and eventually found a solution that works, at least in 'my' environment:
Packet errors are checked in the function "Preprocess" (file decode.c).
This check includes checksum errors. If a packet comes from a local process and is
captured before it goes on to the real HW, does it have a valid checksum? It does not seem so!
I masked checksum errors in "Preprocess" ... it works. Here is my (1st) patch:
-- 8< ------------ >8 --
diff -Naur snort-2.9.8.2/src/detect.c snort-2.9.8.2-cr/src/detect.c
--- snort-2.9.8.2/src/detect.c  2016-03-18 14:54:31.000000000 +0100
+++ snort-2.9.8.2-cr/src/detect.c       2016-04-08 16:04:47.000000000 +0200
@@ -199,15 +199,14 @@
  #endif

      // If the packet has errors, we won't analyze it.
-    if ( p->error_flags )
+    if ( p->error_flags & ~PKT_ERR_CKSUM_ANY ) // RgC: ignore chksum errors
      {
          // process any decoder alerts now that policy has been selected...
          DecodePolicySpecific(p);

          //actions are queued only for IDS case
          sfActionQueueExecAll(decoderActionQ);
-        DEBUG_WRAP(DebugMessage(DEBUG_DETECT,
-            "Packet errors = 0x%x, ignoring traffic!\n", p->error_flags););
+        LogMessage("RgC::detect.c:Prepocess: Packet errors = 0x%x, ignoring traffic!\n", p->error_flags);

          if ( p->error_flags & PKT_ERR_BAD_TTL )
              pc.bad_ttl++;
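Review bot: the new condition `p->error_flags & ~PKT_ERR_CKSUM_ANY` drops the checksum gate for every packet Snort sees, not just for frames the sensor host itself emitted before the NIC filled in the checksum, so a packet corrupted on the wire from any host will now be inspected as if it were valid. Snort already exposes this as a configuration knob (`config checksum_mode: none`, or the per-protocol `noip|notcp|noudp|noicmp` forms in snort.conf), so prefer that, or narrow the mask to packets whose source is the sensor's own address, rather than carrying a local patch across upgrades. Two smaller points in the same hunk: replacing `DEBUG_WRAP(DebugMessage(DEBUG_DETECT, ...))` with an unconditional `LogMessage(...)` turns a debug-build-only message into a log line written for every errored packet on a production sensor, and its prefix misspells the function name ("Prepocess"). The file header names src/detect.c while the covering text places Preprocess in decode.c; the header is the one to trust when applying the patch.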
-- 8< ------------ >8 --

Shouldn't DAQ take care of this checksum problem beforehand?

--------------
Claus Regelmann
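As an added illustration, not code from this thread or from Snort itself: the Python below models why a frame captured on the sending host fails a checksum-verifying decoder, and shows a narrower policy than masking checksum errors for every packet. It assumes Linux-style transmit offload, where the TCP checksum field of an outgoing packet seen by libpcap holds only the pseudo-header sum (CHECKSUM_PARTIAL) until the NIC finishes it; the flag names mirror the PKT_ERR_CKSUM_* identifiers in the patch, but their values, the helper functions, the SENSOR_ADDRS set and the sample packets are this example's own, built from the addresses in the thread's diagram.

```python
import ipaddress
import struct

# Decoder error bits modelled on the PKT_ERR_CKSUM_* flags named in the patch.
# The numeric values are this example's own, not Snort's.
ERR_CKSUM_IP = 0x01
ERR_CKSUM_TCP = 0x02
ERR_CKSUM_UDP = 0x04
ERR_CKSUM_ANY = ERR_CKSUM_IP | ERR_CKSUM_TCP | ERR_CKSUM_UDP
ERR_BAD_TTL = 0x10          # a non-checksum error, to show the mask must leave it alone

# The sensor's own interface address, taken from the diagram in the thread (assumption).
SENSOR_ADDRS = {"192.168.178.240"}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); odd-length input is zero-padded at the end."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum. Over data that already carries a valid checksum field it is 0."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_tcp_packet(src, dst, sport, dport, payload, offload=False, ttl=64):
    """Build an IPv4/TCP packet (PSH|ACK, fixed seq/ack, no options).
    offload=True leaves the TCP checksum field holding only the pseudo-header sum,
    as a Linux host does before handing the frame to a checksum-offloading NIC
    (assumption: CHECKSUM_PARTIAL behaviour); that is what a capture on the
    sending host records. The IP header checksum is computed in software either way."""
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    tcp_len = 20 + len(payload)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, tcp_len)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 0x7210, 0, 0)
    if offload:
        csum = ones_complement_sum(pseudo)          # partial value, not a real checksum
    else:
        csum = checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", csum) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000,
                         ttl, 6, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


def decode_errors(pkt: bytes) -> int:
    """Return the error flags a checksum-verifying decoder would set on pkt."""
    flags = 0
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        flags |= ERR_CKSUM_IP
    if pkt[8] == 0:                                  # TTL 0: illustrative minimum-TTL check
        flags |= ERR_BAD_TTL
    proto = pkt[9]
    l4 = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, proto, len(l4))
    if proto == 6 and checksum(pseudo + l4) != 0:
        flags |= ERR_CKSUM_TCP
    elif proto == 17 and l4[6:8] != b"\x00\x00" and checksum(pseudo + l4) != 0:
        flags |= ERR_CKSUM_UDP                       # RFC 768: all-zero UDP checksum = not computed
    return flags


def should_inspect(pkt: bytes, flags: int, sensor_addrs=SENSOR_ADDRS) -> bool:
    """Narrower policy than a global mask: forgive checksum errors only on packets the
    sensor host itself sourced; any other decoder error, and checksum errors on packets
    from other hosts, still drop the packet from inspection."""
    if flags == 0:
        return True
    if flags & ~ERR_CKSUM_ANY:
        return False
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    return src in sensor_addrs


if __name__ == "__main__":
    payload = b"GET /abcdef01/zzz\r\n"              # constructed, echoing the thread's test rule
    samples = {
        "internal host, good checksum": build_tcp_packet("10.1.1.5", "193.99.144.85", 37733, 80, payload),
        "sensor host, offloaded":       build_tcp_packet("192.168.178.240", "193.99.144.85", 40533, 80, payload, offload=True),
        "internal host, corrupted":     build_tcp_packet("10.1.1.5", "193.99.144.85", 37733, 80, payload, offload=True),
    }
    for label, pkt in samples.items():
        f = decode_errors(pkt)
        print("%-30s flags=0x%02x -> %s" % (label, f, "inspect" if should_inspect(pkt, f) else "drop"))
```

Run as a script it prints one line per sample packet; the offloaded frame from the sensor's own address is the only one with a checksum error that is still passed on to detection. Keying the exception on the packet's source address mirrors what the patch is trying to achieve without also silencing checksum errors on traffic from the protected network.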


On 03/19/2016 12:15 AM, Claus Regelmann wrote:
> Hello,
>
> my Snort runs on a small ATOM-based firewall between the internet router and the internal net.
>
> +--------------+                        +----------+
> | (NAT) router | <--192.168.178.0/24--> | firewall | <--10.1.0.0/16--> private net
> +--------------+ ^                    ^ +----------+
>    192.168.178.1 +                    |192.168.178.240
>                                       +-- snort listens here in passive mode
>
> Test cases:
>
> 1.) I run 'openssl s_client ...' to connect to a Dridex-CnC. I run this twice, from an internal host and from the firewall.
> The result is OK, two alerts:
> --8< ------ >8--
> 	ID  	 < Signature >  	 < Timestamp >  	 < Source Address >  	 < Dest. Address >  	 < Layer 4 Proto >
> #0-(1-90832) 	[snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D) 	2016-03-18 03:22:19.993 192.168.178.240:40533 	87.106.18.216:4483 	TCP
> #1-(1-90830) 	[snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D) 	2016-03-18 03:17:02.652 10.1.1.5:53410 	87.106.18.216:4483 	TCP
> --8< ------ >8--
>
> 2.) The router hosts a DNS forwarder.
> I run 'host 0if1nl6.org 192.168.178.1' to look up a ZeuS host, again from the firewall and the internal host.
> But now only the query from the internal host alerts:
> --8< ------ >8--
> 	 ID  	 < Signature >  	 < Timestamp >  	 < Source Address >  	 < Dest. Address >  	 < Layer 4 Proto >
> #0-(1-90896) 	[snort] ZeuS Tracker: ZeuS CnC DNS lookup: 0if1nl6.org 	2016-03-18 22:44:06.68 	10.1.1.5:54346 	192.168.178.1:53 	UDP
> --8< ------ >8--
>
> 3.) I wrote a small test rule:
> 	'alert tcp $HOME_NET any -> any 80 (msg:"RgC: TEST pattern found"; pcre:"/[^\/]*\/[0-9a-f]{5,8}\//U"; classtype:trojan-activity; sid:1000007; rev:1;)'.
> I run 'wget http://...../abcdef01/zzz' on the firewall and the internal host.
> Again, only the internal case alerts:
> --8< ------ >8--
> 	 ID  	 < Signature >  	 < Timestamp >  	 < Source Address >  	 < Dest. Address >  	 < Layer 4 Proto >
> #0-(1-90897) 	[snort] RgC: TEST pattern found 	2016-03-18 23:06:51.482 	10.1.1.5:37733 	193.99.144.85:80 	TCP
> --8< ------ >8--
>
> The 1st case only inspects header information.
> The last two cases need the payload.
>
> * Has anybody an idea what's going wrong here??? *
>
> I run snort version 2.9.7.6, self-compiled from sources (LFS).
> My home-net is set to 'ipvar HOME_NET [192.168.178.240,10.1.0.0/16]'
>
> Thank You
> Claus Regelmann
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>