[Snort-users] missing alerts: Snort does not inspect payload from the machine it's running on?

Claus Regelmann rgc at ...17118...
Fri Apr 8 17:39:39 EDT 2016


great hint!!!
I didn't realize the impacts of this option before.
THANKS
Claus
On 04/08/2016 10:22 PM, Y M wrote:
> Would using "-k none" when running Snort help?
>
> YM
>
> ________________________________________
> From: Claus Regelmann <rgc at ...17118...>
> Sent: Friday, April 8, 2016 7:19 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] missing alerts: Snort does not inspect payload from the machine it's running on?
>
> I dove into the source code and eventually found a solution that works at least in 'my' environment:
> Packet errors are checked in function "Preprocess" (file decode.c).
> This checking includes checksum error. If a packet comes from a local process, and is
> captured before it goes on to the real HW, is there a valid checksum? It does not seem so!
> I masked checksum error in "Preprocess" ... it works. Here is my (1st) patch:
> -- 8< ------------ >8 --
> diff -Naur snort-2.9.8.2/src/detect.c snort-2.9.8.2-cr/src/detect.c
> --- snort-2.9.8.2/src/detect.c  2016-03-18 14:54:31.000000000 +0100
> +++ snort-2.9.8.2-cr/src/detect.c       2016-04-08 16:04:47.000000000 +0200
> @@ -199,15 +199,14 @@
>    #endif
>
>        // If the packet has errors, we won't analyze it.
> -    if ( p->error_flags )
> +    if ( p->error_flags & ~PKT_ERR_CKSUM_ANY ) // RgC: ignore chksum errors
>        {
>            // process any decoder alerts now that policy has been selected...
>            DecodePolicySpecific(p);
>
>            //actions are queued only for IDS case
>            sfActionQueueExecAll(decoderActionQ);
> -        DEBUG_WRAP(DebugMessage(DEBUG_DETECT,
> -            "Packet errors = 0x%x, ignoring traffic!\n", p->error_flags););
> +        LogMessage("RgC::detect.c:Prepocess: Packet errors = 0x%x, ignoring traffic!\n", p->error_flags);
>
>            if ( p->error_flags & PKT_ERR_BAD_TTL )
>                pc.bad_ttl++;
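Review bot: masking PKT_ERR_CKSUM_ANY in this condition turns off the checksum check for every packet Snort sees, not only for those generated on the sensor host itself, so packets with bad checksums arriving from any source, which the receiving stack would discard, now reach detection and can raise alerts for traffic the endpoint never accepted; the narrower fix is to leave detect.c unchanged and start Snort with "-k none" (mentioned in the reply above), which tolerates checksum-offload captures without a source patch. Separately, replacing the DEBUG_WRAP message with an unconditional LogMessage emits one log line per skipped packet in a production build; keep the DEBUG_WRAP form, and correct "Prepocess" in the format string if the message stays. Note also that the mail text places the function in decode.c while the diff header names src/detect.c.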
> -- 8< ------------ >8 --
>
> Shouldn't DAQ revise this checksum problem before?
>
> --------------
> Claus Regelmann
>
>
> On 03/19/2016 12:15 AM, Claus Regelmann wrote:
>> Hello,
>>
>> my snort runs on a small ATOM-based firewall between the internet router and the internal net.
>>
>> +------------- +                        +----------+
>> | (NAT) router | <--192.168.178.0/24--> | firewall | <--10.1.0.0/16--> privat-net
>> +--------------+ ^                    ^ +----------+
>>       192.168.178.1 +                    |192.168.178.240
>>                                          +-- snort listen here in passive mode
>>
>> Test cases:
>>
>> 1.) I run 'openssl s_client ...' to connect to a Dridex-CnC. I run this twice, from an internal host and from the firewall.
>> The result is OK, two alerts:
>> --8< ------ >8--
>>        ID       < Signature >           < Timestamp >           < Source Address >      < Dest. Address >       < Layer 4 Proto >
>> #0-(1-90832)  [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D)        2016-03-18 03:22:19.993 192.168.178.240:40533   87.106.18.216:4483      TCP
>> #1-(1-90830)  [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D)        2016-03-18 03:17:02.652 10.1.1.5:53410  87.106.18.216:4483      TCP
>> --8< ------ >8--
>>
>> 2.) The router hosts a DNS-forwarder.
>> I run 'host 0if1nl6.org 192.168.178.1' to look up a zeus host, again from the firewall and the internal host.
>> But now only the query from the internal host alerts:
>> --8< ------ >8--
>>         ID      < Signature >           < Timestamp >           < Source Address >      < Dest. Address >       < Layer 4 Proto >
>> #0-(1-90896)  [snort] ZeuS Tracker: ZeuS CnC DNS lookup: 0if1nl6.org  2016-03-18 22:44:06.68  10.1.1.5:54346  192.168.178.1:53        UDP
>> --8< ------ >8--
>>
>> 3.) I wrote a small test rule:
>>        'alert tcp $HOME_NET any -> any 80 (msg:"RgC: TEST pattern found"; pcre:"/[^\/]*\/[0-9a-f]{5,8}\//U"; classtype:trojan-activity; sid:1000007; rev:1;)'.
>> I run 'wget http://...../abcdef01/zzz' on the firewall and the internal host.
>> Again, only the internal case alerts:
>> --8< ------ >8--
>>         ID      < Signature >           < Timestamp >           < Source Address >      < Dest. Address >       < Layer 4 Proto >
>> #0-(1-90897)  [snort] RgC: TEST pattern found         2016-03-18 23:06:51.482         10.1.1.5:37733  193.99.144.85:80        TCP
>> --8< ------ >8--
>>
>> The 1st case only inspects header information.
>> The last two cases need the payload.
>>
>> * Has anybody an idea, what's going wrong here ??? *
>>
>> I run snort version 2.9.7.6, self-compiled from sources (LFS).
>> My home-net is set to 'ipvar HOME_NET [192.168.178.240,10.1.0.0/16]'
>>
>> Thank You
>> Claus Regelmann
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>
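To make the checksum problem discussed in this thread reproducible offline, here is an added diagnostic that is not code from the thread or from Snort: it verifies IPv4 and TCP/UDP checksums the way a decoder does before inspection, and builds a constructed packet once with a filled-in TCP checksum and once with the field left at zero, as a frame captured on the sending host ahead of the NIC's offload engine can look. The addresses, ports and HTTP request are constructed from the thread's own test case; the packet builder is hypothetical and only covers TCP.

```python
"""Verify IPv4/TCP/UDP checksums the way a decoder does before inspection."""
import struct
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a buffer carrying a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   payload: bytes, tx_offload: bool = False) -> bytes:
    """Constructed IPv4/TCP packet (PSH/ACK). With tx_offload=True the TCP checksum
    field is left at 0, mimicking a frame captured on the sending host before the
    NIC has filled it in (hypothetical helper, not Snort code)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    if not tx_offload:
        pseudo = src_b + dst_b + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
        tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def checksum_status(pkt: bytes) -> dict:
    """Report whether the IP header and L4 checksums verify; a packet failing either
    is the kind that Preprocess skips because error_flags is set."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, l4 = pkt[9], pkt[ihl:]
    ip_ok = inet_checksum(pkt[:ihl]) == 0
    if proto == IPPROTO_UDP and l4[6:8] == b"\x00\x00":
        l4_ok = True  # IPv4 UDP: zero means "no checksum computed", which is legal
    else:
        pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, proto, len(l4))
        l4_ok = inet_checksum(pseudo + l4) == 0
    return {"ip_ok": ip_ok, "l4_ok": l4_ok, "would_be_ignored": not (ip_ok and l4_ok)}


if __name__ == "__main__":
    # Constructed sample: the wget test from the thread, sent from the firewall itself.
    req = b"GET /abcdef01/zzz HTTP/1.0\r\n\r\n"
    for offload in (False, True):
        pkt = build_ipv4_tcp("192.168.178.240", "193.99.144.85", 40533, 80, req, offload)
        print("tx_offload=%s -> %s" % (offload, checksum_status(pkt)))
```

Running the same check over a real capture from the sensor host (for example packets exported with tcpdump) shows directly whether locally generated traffic would be skipped before any rule sees its payload.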





