[Snort-users] help with file bpf and ip 0.0.0.0

Al Lewis (allewi) allewi at ...589...
Fri Feb 12 08:59:19 EST 2016


Not sure if you saw this before but I sent you a message back on 1/22/16.

Your issue is probably with BASE summarizing events or your logging format. Have you looked at the log files from snort directly and not from within BASE?

Can you run snort with "-Acmg -H -U -k none" and see if you get any alerts with this address?

I have a rule with "alert tcp $HOME_NET any -> any any (sid:1000001; msg:"TEST")" using your "ipvar HOME_NET [192.168.1.66/24]".

I don't get any alerts with 0.0.0.0 in them. I do get a TON of these (see below; I clipped a bunch off), which could be what the output logging is summarizing.


[root at ...17442... snort-2.9.8.0-build_229]# ./bin/snort -c etc/ZERO.conf -r etc/ZERO.pcap -Acmg -H -U -k none -q | grep -i TEST
01/22-16:38:11.806576  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:11.896482  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:11.896600  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.184956  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.218249  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.226693  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.245704  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36526 -> 194.9.94.80:80
01/22-16:38:12.246559  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36527 -> 194.9.94.80:80
01/22-16:38:12.267310  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36528 -> 194.9.94.80:80
01/22-16:38:12.345081  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.354908  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.360292  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80
01/22-16:38:12.382499  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80



Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...
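An added example, not part of this thread, that does the check Al describes programmatically: parse the console/fast alert lines Snort prints with "-A cmg -q", count alerts per src/dst pair (roughly how BASE and Snorby summarize them), and flag any alert naming a given address such as 0.0.0.0. The lines in SAMPLE_LINES are constructed for the example; the UDP line is included because a DHCP DISCOVER really is sent from 0.0.0.0:68 to 255.255.255.255:67, so 0.0.0.0 can appear in raw alerts without any logging bug.

```python
import re
from collections import Counter

# One line of Snort's console/fast alert output, as in the `snort -A cmg -q`
# run quoted above. IPv4 only; ICMP alerts carry no ports, and the
# [Classification: ...] field is optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: two TEST alerts like the ones quoted above, one ICMP
# alert without ports, and one UDP alert whose source really is 0.0.0.0
# (a DHCP DISCOVER goes from 0.0.0.0:68 to 255.255.255.255:67).
SAMPLE_LINES = [
    "01/22-16:38:11.806576  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80",
    "01/22-16:38:11.896482  [**] [1:1000001:0] TEST [**] [Priority: 0] {TCP} 192.168.1.66:36525 -> 194.9.94.80:80",
    "01/22-16:38:12.101010  [**] [1:1000002:1] TEST ICMP [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.66 -> 194.9.94.80",
    "01/22-16:38:13.202020  [**] [1:1000003:1] TEST DHCP [**] [Priority: 3] {UDP} 0.0.0.0:68 -> 255.255.255.255:67",
]

def parse_alert(line):
    """Return the alert's fields as a dict, or None for a line that is not an alert."""
    m = ALERT_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def parse_alerts(lines):
    """Parse every alert line, skipping packet dumps and other non-alert output."""
    return [r for r in (parse_alert(l) for l in lines) if r is not None]

def pair_counts(records):
    """Count alerts per (src, dst) pair, which is how a console summarizes them."""
    return Counter((r["src"], r["dst"]) for r in records)

def alerts_with_address(records, address):
    """Alerts whose source or destination is the given address (e.g. 0.0.0.0)."""
    return [r for r in records if address in (r["src"], r["dst"])]

if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_LINES)
    for (src, dst), n in pair_counts(recs).most_common():
        print("%-16s -> %-16s %d" % (src, dst, n))
    for r in alerts_with_address(recs, "0.0.0.0"):
        print("0.0.0.0 seen:", r["ts"], r["sid"], r["msg"], r["proto"])
```

Feed it the real output with `snort -c snort.conf -r capture.pcap -A cmg -q` piped to a file and read the lines from that file instead of SAMPLE_LINES; if no parsed alert names 0.0.0.0, the address is being produced by the front end, not by Snort.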

From: hernani coelho [mailto:hernani_coelho at ...4664...]
Sent: Saturday, January 23, 2016 12:49 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] help with file bpf and ip 0.0.0.0


I installed Snorby to see alerts,
and I have alerts from src 64.4.8.0 to dst 0.0.0.0.
How can I stop alerts from 64.4.8.0 or to dst 0.0.0.0?
I am sending a Snorby screenshot.

thanks

hernani
On 21-01-2016 12:11, Joel Esler (jesler) wrote:
Port 80 is not something you want to ignore, considering a large number of attacks take place on port 80.

Sent from my iPhone

On Jan 21, 2016, at 6:05 AM, hernani coelho <hernani_coelho at ...4664...> wrote:

On 20-01-2016 21:52, Joel Esler (jesler) wrote:

On Jan 20, 2016, at 1:10 PM, hernani coelho <hernani_coelho at ...4664...> wrote:



On 20-01-2016 17:55, wkitty42 at ...14940... wrote:

On 01/20/2016 12:03 PM, hernani coelho wrote:

Now I see that if I search a web page, Snort gives me alerts like this:

#0-(1-7731) [snort <http://www.snort.org/search/sid/119-15>] http_inspect: OVERSIZE REQUEST-URI DIRECTORY 2016-01-20 16:59:34 src 192.168.1.66:57514 dst 95.172.94.15:80 TCP


Is it safe to ignore port 80?
IMHO, absolutely not...

If you are getting oversize reports like that, you can increase the size of your
oversize_dir_length setting in the http_inspect preprocessor section of your
snort.conf file... we use 750 here, but you may need a larger or smaller value
depending on the traffic on your network...


I have lots of alerts from port 80. How can I stop alerts from port 80?

#41-(1-30) [snort <http://www.snort.org/search/sid/129-12>] stream5: TCP Small Segment Threshold Exceeded 2016-01-21 10:46:46 src 195.23.51.104:80 dst 192.168.1.66:60009 TCP




