[Snort-users] missing alerts: Snort does not inspect payload from the machine it's running on?

Claus Regelmann rgc at ...17118...
Mon Apr 11 18:35:59 EDT 2016


But there are lots of 'false-positives', concerning DNS, if I use the runtime option "-k none".
About 300 within 10 minutes.

Claus
-----------------
Alert summary (BASE):

  Signature                                                            Classification   Total #    Sensor #  Source addrs  Dest. addrs  First                    Last
  PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid  attempted-recon  187 (67%)  1         103           1            2016-04-10 12:59:06.542  2016-04-10 13:05:51.522
  PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt     attempted-user   92 (33%)   1         50            1            2016-04-10 12:57:29.458  2016-04-10 13:05:52.782

  References:
    mismatched txid (sid 3-21355): [cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1690>] [icat <http://icat.nist.gov/icat.cfm?cvename=CAN-2010-1690>] [url <http://technet.microsoft.com/en-us/security/bulletin/MS10-024>] [snort <http://www.snort.org/search/sid/3-21355>]
    TMG long host entry (sid 3-19187): [cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1889>] [icat <http://icat.nist.gov/icat.cfm?cvename=CAN-2011-1889>] [url <http://technet.microsoft.com/en-us/security/bulletin/MS11-040>] [snort <http://www.snort.org/search/sid/3-19187>]


Ex 1:
Meta
  ID #: 1 - 71408
  Time: 2016-04-10 13:05:52.782
  Triggered Signature: [cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1889>] [icat <http://icat.nist.gov/icat.cfm?cvename=CAN-2011-1889>] [url <http://technet.microsoft.com/en-us/security/bulletin/MS11-040>] [snort <http://www.snort.org/search/sid/3-19187>] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt

Sensor: rgc1:eth0    Interface: eth0    Filter: /none/
Alert Group: /none/

IP
  Source Address: 204.13.251.13    Dest. Address: 192.168.178.240
  Ver: 4   Hdr Len: 20   TOS: 0   length: 200   ID: 2679   fragment: no   offset: 0   TTL: 54   chksum: 65273 = 0xfef9
  Options: /none/

UDP
  source port: 53    dest port: 1874    length: 180

Payload (length = 172):

000 : 2A 12 84 00 00 01 00 08 00 00 00 01 02 65 31 08   *............e1.
010 : 77 68 61 74 73 61 70 70 03 6E 65 74 00 00 01 00   whatsapp.net....
020 : 01 C0 0C 00 01 00 01 00 00 0E 10 00 04 AD C0 DE   ................
030 : A8 C0 0C 00 01 00 01 00 00 0E 10 00 04 A9 2D D6   ..............-.
040 : E5 C0 0C 00 01 00 01 00 00 0E 10 00 04 AD C0 DE   ................
050 : A9 C0 0C 00 01 00 01 00 00 0E 10 00 04 AD C0 DE   ................
060 : AB C0 0C 00 01 00 01 00 00 0E 10 00 04 9E 55 3A   ..............U:
070 : 4D C0 0C 00 01 00 01 00 00 0E 10 00 04 A9 2D DB   M.............-.
080 : FD C0 0C 00 01 00 01 00 00 0E 10 00 04 AD C1 CD   ................
090 : 18 C0 0C 00 01 00 01 00 00 0E 10 00 04 AE 24 D2   ..............$.
0a0 : 2E 00 00 29 10 00 00 00 80 00 00 00               ...)........

Ex 2:
Meta
  ID #: 1 - 71407
  Time: 2016-04-10 13:05:51.522
  Triggered Signature: [cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1690>] [icat <http://icat.nist.gov/icat.cfm?cvename=CAN-2010-1690>] [url <http://technet.microsoft.com/en-us/security/bulletin/MS10-024>] [snort <http://www.snort.org/search/sid/3-21355>] PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid

Sensor: rgc1:eth0    Interface: eth0    Filter: /none/
Alert Group: /none/

IP
  Source Address: 204.13.251.3    Dest. Address: 192.168.178.240
  Ver: 4   Hdr Len: 20   TOS: 0   length: 88   ID: 32280   fragment: no   offset: 0   TTL: 54   chksum: 35794 = 0x8bd2
  Options: /none/

UDP
  source port: 53    dest port: 30215    length: 68

Payload (length = 60):

000 : FB 71 84 00 00 01 00 01 00 00 00 01 0B 73 6F 75   .q...........sou
010 : 72 63 65 66 6F 72 67 65 03 6E 65 74 00 00 01 00   rceforge.net....
020 : 01 C0 0C 00 01 00 01 00 00 01 2C 00 04 D8 22 B5   ..........,...".
030 : 3C 00 00 29 10 00 00 00 80 00 00 00               <..)........




On 04/08/2016 11:39 PM, Claus Regelmann wrote:
> great hint!!!
> I didn't realize the impacts of this option before.
> THANKS
> Claus
> On 04/08/2016 10:22 PM, Y M wrote:
>> Would using "-k none" when running Snort help?
>>
>> YM
>>
>> ________________________________________
>> From: Claus Regelmann <rgc at ...17118...>
>> Sent: Friday, April 8, 2016 7:19 PM
>> To: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] missing alerts: Snort does not inspect payload from the machine it's running on?
>>
>> I dove into the source code and eventually found a solution that works, at least in 'my' environment:
>> Packet errors are checked in function "Preprocess" (file decode.c).
>> This checking includes checksum errors. If a packet comes from a local process and is
>> captured before it goes on to the real HW, is there a valid checksum? It does not seem so!
>> I masked checksum errors in "Preprocess" ... it works. Here is my (1st) patch:
>> -- 8< ------------ >8 --
>> diff -Naur snort-2.9.8.2/src/detect.c snort-2.9.8.2-cr/src/detect.c
>> --- snort-2.9.8.2/src/detect.c  2016-03-18 14:54:31.000000000 +0100
>> +++ snort-2.9.8.2-cr/src/detect.c       2016-04-08 16:04:47.000000000 +0200
>> @@ -199,15 +199,14 @@
>>     #endif
>>
>>         // If the packet has errors, we won't analyze it.
>> -    if ( p->error_flags )
>> +    if ( p->error_flags & ~PKT_ERR_CKSUM_ANY ) // RgC: ignore chksum errors
>>         {
>>             // process any decoder alerts now that policy has been selected...
>>             DecodePolicySpecific(p);
>>
>>             //actions are queued only for IDS case
>>             sfActionQueueExecAll(decoderActionQ);
>> -        DEBUG_WRAP(DebugMessage(DEBUG_DETECT,
>> -            "Packet errors = 0x%x, ignoring traffic!\n", p->error_flags););
>> +        LogMessage("RgC::detect.c:Prepocess: Packet errors = 0x%x, ignoring traffic!\n", p->error_flags);
>>
>>             if ( p->error_flags & PKT_ERR_BAD_TTL )
>>                 pc.bad_ttl++;
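Review bot: The mask in `+    if ( p->error_flags & ~PKT_ERR_CKSUM_ANY )` lets every packet whose only error is a bad checksum reach detection, for all protocols and all hosts, which is what the supported runtime option `-k none` (suggested in this thread) already does without a local patch that has to be carried across upgrades; if only the locally originated traffic is the problem, `-k` also takes per-protocol modes such as `noudp` and `notcp`, so the IP header check can stay on. Replacing the `DEBUG_WRAP(DebugMessage(...))` call with an unconditional `LogMessage(...)` emits one line for every packet that still carries an error, which at the alert rates reported in this thread will swamp the log; keep it under `DEBUG_WRAP` or count it in `pc` as the `pc.bad_ttl++` line below does. The log text also misspells "Preprocess" as "Prepocess", and the hunk is against src/detect.c while the accompanying message locates the change in decode.c.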
>> -- 8< ------------ >8 --
>>
>> Shouldn't DAQ revise this checksum problem before?
>>
>> --------------
>> Claus Regelmann
>>
>>
>> On 03/19/2016 12:15 AM, Claus Regelmann wrote:
>>> Hello,
>>>
>>> my snort runs on a small ATOM-based firewall between the internet router and the internal net.
>>>
>>> +--------------+                        +----------+
>>> | (NAT) router | <--192.168.178.0/24--> | firewall | <--10.1.0.0/16--> private net
>>> +--------------+ ^                    ^ +----------+
>>>        192.168.178.1 +                    |192.168.178.240
>>>                                           +-- snort listens here in passive mode
>>>
>>> Test cases:
>>>
>>> 1.) I run 'openssl s_client ...' to connect to a Dridex-CnC. I run this twice, from an internal host and from the firewall.
>>> The result is OK, two alerts:
>>> --8< ------ >8--
>>>         ID       < Signature >           < Timestamp >           < Source Address >      < Dest. Address >       < Layer 4 Proto >
>>> #0-(1-90832)  [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D)        2016-03-18 03:22:19.993 192.168.178.240:40533   87.106.18.216:4483      TCP
>>> #1-(1-90830)  [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D)        2016-03-18 03:17:02.652 10.1.1.5:53410  87.106.18.216:4483      TCP
>>> --8< ------ >8--
>>>
>>> 2.) The router hosts a DNS forwarder.
>>> I run 'host 0if1nl6.org 192.168.178.1' to look up a zeus host, again from the firewall and the internal host.
>>> But now only the query from the internal host alerts:
>>> --8< ------ >8--
>>>          ID      < Signature >           < Timestamp >           < Source Address >      < Dest. Address >       < Layer 4 Proto >
>>> #0-(1-90896)  [snort] ZeuS Tracker: ZeuS CnC DNS lookup: 0if1nl6.org  2016-03-18 22:44:06.68  10.1.1.5:54346  192.168.178.1:53        UDP
>>> --8< ------ >8--
>>>
>>> 3.) I wrote a small test rule:
>>>         'alert tcp $HOME_NET any -> any 80 (msg:"RgC: TEST pattern found"; pcre:"/[^\/]*\/[0-9a-f]{5,8}\//U"; classtype:trojan-activity; sid:1000007; rev:1;)'.
>>> I run 'wget http://...../abcdef01/zzz' on the firewall and the internal host.
>>> Again, only the internal case alerts:
>>> --8< ------ >8--
>>>          ID      < Signature >           < Timestamp >           < Source Address >      < Dest. Address >       < Layer 4 Proto >
>>> #0-(1-90897)  [snort] RgC: TEST pattern found         2016-03-18 23:06:51.482         10.1.1.5:37733  193.99.144.85:80        TCP
>>> --8< ------ >8--
>>>
>>> The 1st case only inspects header information.
>>> The last two cases need the payload.
>>>
>>> * Has anybody an idea what's going wrong here??? *
>>>
>>> I run snort version 2.9.7.6, self-compiled from sources (LFS).
>>> My home-net is set to 'ipvar HOME_NET [192.168.178.240,10.1.0.0/16]'
>>>
>>> Thank You
>>> Claus Regelmann
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Transform Data into Opportunity.
>>> Accelerate data analysis in your applications with
>>> Intel Data Analytics Acceleration Library.
>>> Click to learn more.
>>> http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>>
>>
>
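To make the checksum check that the patch above switches off concrete, here is an added example (my code, not code from Snort, BASE or anyone in this thread) that rebuilds the IPv4 headers BASE displayed for Ex 1 and Ex 2 from their listed fields and runs the one's-complement verification a receiver or a checksum-verifying IDS performs. All field values are copied from the alert details; the DF flag is an assumption, since BASE shows only "fragment: no", and it is the value under which both displayed checksums reproduce. The same function then shows that a header whose checksum field has not yet been filled in fails the check, which is the situation the thread describes for packets captured on the sending host.

```python
# Added example (not from the thread): rebuild the IPv4 headers BASE displayed for
# the two alerts and apply the one's-complement check a checksum-verifying sniffer
# uses.  Field values come from the post; BASE shows "fragment: no" but not the DF
# bit, so flags=2 (DF set) is ASSUMED here.  It is the only value under which the
# displayed checksums 0xfef9 and 0x8bd2 verify.
import struct
from ipaddress import IPv4Address

ALERTS = {
    "Ex 1": dict(tos=0, total_length=200, ident=2679, flags=2, frag_offset=0,
                 ttl=54, proto=17, src="204.13.251.13", dst="192.168.178.240",
                 checksum=0xFEF9),   # 65273 in the BASE view
    "Ex 2": dict(tos=0, total_length=88, ident=32280, flags=2, frag_offset=0,
                 ttl=54, proto=17, src="204.13.251.3", dst="192.168.178.240",
                 checksum=0x8BD2),   # 35794 in the BASE view
}

def ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ipv4_checksum(header):
    """Value a sender writes into a header whose checksum field is still zero."""
    return (~ones_complement_sum(header)) & 0xFFFF

def verify_ipv4_checksum(header):
    """Receiver-side check: the sum over the header, checksum included, is 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF

def build_ipv4_header(tos, total_length, ident, flags, frag_offset, ttl, proto,
                      src, dst, checksum):
    """Pack a 20-byte IPv4 header (version 4, IHL 5, no options)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_length, ident,
                       (flags << 13) | frag_offset, ttl, proto, checksum,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def alert_header(name, checksum=None):
    """Header for one of the pasted alerts, optionally with a substituted checksum."""
    fields = dict(ALERTS[name])
    if checksum is not None:
        fields["checksum"] = checksum
    return build_ipv4_header(**fields)

def recomputed_checksum(name):
    """What the checksum must be, computed from the other displayed fields."""
    return ipv4_checksum(alert_header(name, checksum=0))

if __name__ == "__main__":
    for name in ALERTS:
        print(name, "displayed=0x%04x recomputed=0x%04x verifies=%s" % (
            ALERTS[name]["checksum"], recomputed_checksum(name),
            verify_ipv4_checksum(alert_header(name))))
    # A header captured before its checksum field has been filled in (still 0)
    # fails the same check; with checksum verification on, Snort skips such packets.
    print("zero checksum verifies:", verify_ipv4_checksum(alert_header("Ex 1", checksum=0)))
```

Both inbound responses verify, as traffic that has crossed the wire should. On Linux the kernel normally fills in the IPv4 header checksum itself; what checksum offload leaves to the NIC is the TCP or UDP checksum, so a packet captured on the host that sent it typically has a good IP checksum and a transport checksum that is not yet final. That is why Snort's `-k` option has per-protocol modes (`noudp`, `notcp`) as well as `none`, and why the Ex 1 and Ex 2 alerts, which are inbound packets, are unaffected by the checksum question at the IP layer.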

