[Snort-users] missing alerts: Snort does not inspect payload from the machine it's running on?

Y M snort at ...15979...
Tue Apr 12 06:35:34 EDT 2016


Are you using the "-k none" on production? It is "usually" preferred to use this option on/while testing rather than in production. What is the checksum option in your snort.conf?

In this case, the only potential candidate problem is the NIC checksum, offloading stuff. Use ethtool to disable these lro, gro, etc.. And then test again without the "-k none"

YM

Sent from Mobile




On Mon, Apr 11, 2016 at 3:37 PM -0700, "Claus Regelmann" <rgc at ...17118...<mailto:rgc at ...17118...>> wrote:

But there are lots of 'false-positives', concering DNS, if I use the runtime option "-k none".
About 300 within 10 minutes.

Claus
-----------------
         <<http://rgc1/base/base_stat_alerts.php?caller=&sort_order=sig_a> Signature ><http://rgc1/base/base_stat_alerts.php?caller=&sort_order=sig_d>   <<http://rgc1/base/base_stat_alerts.php?caller=&sort_order=class_a> Classification ><http://rgc1/base/base_stat_alerts.php?caller=&sort_order=class_d>          <<http://rgc1/base/base_stat_alerts.php?caller=&sort_order=occur_a> Total # ><http://rgc1/base/base_stat_alerts.php?caller=&sort_order=occur_d>         Sensor #        <<http://rgc1/base/base_stat_alerts.php?caller=&sort_order=saddr_a> Source Address ><http://rgc1/base/base_stat_alerts.php?caller=&sort_order=saddr_d>          <<http://rgc1/base/base_stat_alerts.php?caller=&sort_order=daddr_a> Dest. Address ><http://rgc1/base/base_stat_alerts.php?caller=&sort_order=daddr_d>   <<http://rgc1/base/base_stat_alerts.php?caller=&sort_order=first_a> First ><http://rgc1/base/base_stat_alerts.php?caller=&sort_order=first_d>   <<http://rgc1/base/base_stat_alerts.php?caller=&sort_order=last_a> Last ><http://rgc1/base/base_stat_alerts.php?caller=&sort_order=last_d>
        [cve<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1690>] [icat<http://icat.nist.gov/icat.cfm?cvename=CAN-2010-1690>] [url<http://technet.microsoft.com/en-us/security/bulletin/MS10-024>] [snort<http://www.snort.org/search/sid/3-21355>] PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid   attempted-recon         187<http://rgc1/base/base_qry_main.php?new=1amp;&sig%5B0%5D=%3D&sig%5B1%5D=40255&sig_type=1&submit=Query+DB&num_result_rows=-1>(67%)    1<http://rgc1/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5D=40255&sig_type=1>     103<http://rgc1/base/base_stat_uaddr.php?addr_type=1&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D=40255>        1<http://rgc1/base/base_stat_uaddr.php?addr_type=2&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D=40255>  2016-04-10 12:59:06.542         2016-04-10 13:05:51.522
        [cve<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1889>] [icat<http://icat.nist.gov/icat.cfm?cvename=CAN-2011-1889>] [url<http://technet.microsoft.com/en-us/security/bulletin/MS11-040>] [snort<http://www.snort.org/search/sid/3-19187>] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt       attempted-user  92<http://rgc1/base/base_qry_main.php?new=1amp;&sig%5B0%5D=%3D&sig%5B1%5D=40274&sig_type=1&submit=Query+DB&num_result_rows=-1>(33%)     1<http://rgc1/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5D=40274&sig_type=1>     50<http://rgc1/base/base_stat_uaddr.php?addr_type=1&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D=40274>         1<http://rgc1/base/base_stat_uaddr.php?addr_type=2&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D=40274>  2016-04-10 12:57:29.458         2016-04-10 13:05:52.782

Ex 1:
Meta
ID #    Time    Triggered Signature
1 - 71408       2016-04-10 13:05:52.782 [cve<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1889>] [icat<http://icat.nist.gov/icat.cfm?cvename=CAN-2011-1889>] [url<http://technet.microsoft.com/en-us/security/bulletin/MS11-040>] [snort<http://www.snort.org/search/sid/3-19187>] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt

Sensor  Sensor Address  Interface       Filter
rgc1:eth0       eth0     none

Alert Group       none

IP
Source Address   Dest. Address  Ver     Hdr Len TOS     length  ID      fragment        offset  TTL     chksum
204.13.251.13<http://rgc1/base/base_stat_ipaddr.php?ip=204.13.251.13&netmask=32>        192.168.178.240<http://rgc1/base/base_stat_ipaddr.php?ip=192.168.178.240&netmask=32>    4       20      0       200     2679    no      0       54      65273
= 0xfef9

Options     none

UDP
source port     dest port       length
53
[sans<http://isc.sans.org/port.html?port=53>] [tantalo<http://ports.tantalo.net/?q=53>] [sstats<http://www.securitystats.com/tools/portsearch.php?type=port&select=any&Submit=Submit&input=53>]         1874
[sans<http://isc.sans.org/port.html?port=1874>] [tantalo<http://ports.tantalo.net/?q=1874>] [sstats<http://www.securitystats.com/tools/portsearch.php?type=port&select=any&Submit=Submit&input=1874>]   180

Payload

Plain Display<http://rgc1/base/base_qry_alert.php?submit=%230-%281-71408%29&sort_order=&asciiclean=1>

Download of Payload<http://rgc1/base/base_payload.php?submit=%230-%281-71408%29&download=1&cid=71408&sid=1&asciiclean=0>

Download in pcap format<http://rgc1/base/base_payload.php?submit=%230-%281-71408%29&download=3&cid=71408&sid=1&asciiclean=0>


 length = 172

000 : 2A 12 84 00 00 01 00 08 00 00 00 01 02 65 31 08   *............e1.
010 : 77 68 61 74 73 61 70 70 03 6E 65 74 00 00 01 00   whatsapp.net....
020 : 01 C0 0C 00 01 00 01 00 00 0E 10 00 04 AD C0 DE   ................
030 : A8 C0 0C 00 01 00 01 00 00 0E 10 00 04 A9 2D D6   ..............-.
040 : E5 C0 0C 00 01 00 01 00 00 0E 10 00 04 AD C0 DE   ................
050 : A9 C0 0C 00 01 00 01 00 00 0E 10 00 04 AD C0 DE   ................
060 : AB C0 0C 00 01 00 01 00 00 0E 10 00 04 9E 55 3A   ..............U:
070 : 4D C0 0C 00 01 00 01 00 00 0E 10 00 04 A9 2D DB   M.............-.
080 : FD C0 0C 00 01 00 01 00 00 0E 10 00 04 AD C1 CD   ................
090 : 18 C0 0C 00 01 00 01 00 00 0E 10 00 04 AE 24 D2   ..............$.
0a0 : 2E 00 00 29 10 00 00 00 80 00 00 00               ...)........



Ex 2:
Meta
ID #    Time    Triggered Signature
1 - 71407       2016-04-10 13:05:51.522 [cve<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1690>] [icat<http://icat.nist.gov/icat.cfm?cvename=CAN-2010-1690>] [url<http://technet.microsoft.com/en-us/security/bulletin/MS10-024>] [snort<http://www.snort.org/search/sid/3-21355>] PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid

Sensor  Sensor Address  Interface       Filter
rgc1:eth0       eth0     none

Alert Group       none

IP
Source Address   Dest. Address  Ver     Hdr Len TOS     length  ID      fragment        offset  TTL     chksum
204.13.251.3<http://rgc1/base/base_stat_ipaddr.php?ip=204.13.251.3&netmask=32>  192.168.178.240<http://rgc1/base/base_stat_ipaddr.php?ip=192.168.178.240&netmask=32>    4       20      0       88      32280   no      0       54      35794
= 0x8bd2

Options     none

UDP
source port     dest port       length
53
[sans<http://isc.sans.org/port.html?port=53>] [tantalo<http://ports.tantalo.net/?q=53>] [sstats<http://www.securitystats.com/tools/portsearch.php?type=port&select=any&Submit=Submit&input=53>]         30215
[sans<http://isc.sans.org/port.html?port=30215>] [tantalo<http://ports.tantalo.net/?q=30215>] [sstats<http://www.securitystats.com/tools/portsearch.php?type=port&select=any&Submit=Submit&input=30215>]        68

Payload

Plain Display<http://rgc1/base/base_qry_alert.php?submit=%20Next%20%23185-%281-71407%29&sort_order=&asciiclean=1>

Download of Payload<http://rgc1/base/base_payload.php?submit=%20Next%20%23185-%281-71407%29&download=1&cid=71407&sid=1&asciiclean=0>

Download in pcap format<http://rgc1/base/base_payload.php?submit=%20Next%20%23185-%281-71407%29&download=3&cid=71407&sid=1&asciiclean=0>


 length = 60

000 : FB 71 84 00 00 01 00 01 00 00 00 01 0B 73 6F 75   .q...........sou
010 : 72 63 65 66 6F 72 67 65 03 6E 65 74 00 00 01 00   rceforge.net....
020 : 01 C0 0C 00 01 00 01 00 00 01 2C 00 04 D8 22 B5   ..........,...".
030 : 3C 00 00 29 10 00 00 00 80 00 00 00               <..)........





On 04/08/2016 11:39 PM, Claus Regelmann wrote:

great hint!!!
I didn't realize the impacts of this option before.
THANKS
Claus
On 04/08/2016 10:22 PM, Y M wrote:> Would using "-k none" when running Snort helps?
 >
 > YM
 >
 > ________________________________________

On 04/08/2016 10:22 PM, Y M wrote:


Would using "-k none" when running Snort helps?

YM

________________________________________
From: Claus Regelmann <rgc at ...17118...><mailto:rgc at ...17118...>
Sent: Friday, April 8, 2016 7:19 PM
To: snort-users at lists.sourceforge.net<mailto:snort-users at ...3783...net>
Subject: Re: [Snort-users] missing alerts: Snort does not inspect payload from the machine it's running on?

I dove into the source code and eventually found a solution that work at least in 'my' environment:
Packet error are checked in function "Preprocess" (file decode.c).
This checking includes checksum error. If a packet comes from a local process, and is
captured before it goes on to the real HW, is there a valid checksum? It does not seem so!
I masked checksum error in "Preprocess" ... it works. Here is my (1st) patch:
-- 8< ------------ >8 --
diff -Naur snort-2.9.8.2/src/detect.c snort-2.9.8.2-cr/src/detect.c
--- snort-2.9.8.2/src/detect.c  2016-03-18 14:54:31.000000000 +0100
+++ snort-2.9.8.2-cr/src/detect.c       2016-04-08 16:04:47.000000000 +0200
@@ -199,15 +199,14 @@
   #endif

       // If the packet has errors, we won't analyze it.
-    if ( p->error_flags )
+    if ( p->error_flags & ~PKT_ERR_CKSUM_ANY ) // RgC: ignore chksum errors
       {
           // process any decoder alerts now that policy has been selected...
           DecodePolicySpecific(p);

           //actions are queued only for IDS case
           sfActionQueueExecAll(decoderActionQ);
-        DEBUG_WRAP(DebugMessage(DEBUG_DETECT,
-            "Packet errors = 0x%x, ignoring traffic!\n", p->error_flags););
+        LogMessage("RgC::detect.c:Prepocess: Packet errors = 0x%x, ignoring traffic!\n", p->error_flags);

           if ( p->error_flags & PKT_ERR_BAD_TTL )
               pc.bad_ttl++;
-- 8< ------------ >8 --

Shouldn't DAQ revise this checksum problem before ?

--------------
Claus Regelmann


On 03/19/2016 12:15 AM, Claus Regelmann wrote:


Hello,

my snort runs on a small ATOM-based firewall between the internet router and the internal net.

+------------- +                        +----------+
| (NAT) router | <--192.168.178.0/24--> | firewall | <--10.1.0.0/16--> privat-net
+--------------+ ^                    ^ +----------+
      192.168.178.1 +                    |192.168.178.240
                                         +-- snort listen here in passive mode

Test cases:

1.) I run 'openssl s_client ...' to connect to a Dridex-CnC. I run this twice, from an internal host and from the firewall.
The result is OK, two alerts:
--8< ------ >8--
       ID       < Signature >           < Timestamp >           < Source Address >      < Dest. Address >       < Layer 4 Proto >
#0-(1-90832)  [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D)        2016-03-18 03:22:19.993 192.168.178.240:40533   87.106.18.216:4483      TCP
#1-(1-90830)  [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D)        2016-03-18 03:17:02.652 10.1.1.5:53410  87.106.18.216:4483      TCP
--8< ------ >8--

2.) The router hosts a DNS-forwarder.
I run 'host 0if1nl6.org 192.168.178.1' to lookup a zeus host, again from the firewall and the internal host.
But now only the query from the internal host alerts:
--8< ------ >8--
        ID      < Signature >           < Timestamp >           < Source Address >      < Dest. Address >       < Layer 4 Proto >
#0-(1-90896)  [snort] ZeuS Tracker: ZeuS CnC DNS lookup: 0if1nl6.org  2016-03-18 22:44:06.68  10.1.1.5:54346  192.168.178.1:53        UDP
--8< ------ >8--

3.) I wrote a small test rule:
       'alert tcp $HOME_NET any -> any 80 (msg:"RgC: TEST pattern found"; pcre:"/[^\/]*\/[0-9a-f]{5,8}\//U"; classtype:trojan-activity; sid:1000007; rev:1;)'.
I run 'wget http://...../abcdef01/zzz' on the firewall and the internal host.
Again, only the internal case alerts:
--8< ------ >8--
        ID      < Signature >           < Timestamp >           < Source Address >      < Dest. Address >       < Layer 4 Proto >
#0-(1-90897)  [snort] RgC: TEST pattern found         2016-03-18 23:06:51.482         10.1.1.5:37733  193.99.144.85:80        TCP
--8< ------ >8--

The 1st case only inspects header informations.
The last two cases need the payload.

* Has anybody an idea, what's going wrong here ??? *

I run snort version 2.9.7.6, self-compiled from sources (LFS).
My home-net is set to 'ipvar HOME_NET [192.168.178.240,10.1.0.0/16]'

Thank You
Claus Regelmann


------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!






------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial! http://pubads.g.doubleclick.net/
gampad/clk?id=1444514301&iu=/ca-pub-7940484522588532
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!






------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial! http://pubads.g.doubleclick.net/
gampad/clk?id=1444514301&iu=/ca-pub-7940484522588532
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20160412/76cea139/attachment.html>


More information about the Snort-users mailing list