[Snort-users] why UDP disc acquire?

Al Lewis (allewi) allewi at ...589...
Sat Jun 25 09:22:02 EDT 2016


You may need to adjust your Wireshark settings. Wireshark lists them as “malformed ISAKMP” packets.


Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...


From: Andrei_1980 <andrei_1980 at ...1975...>
Date: Saturday, June 25, 2016 at 5:01 AM
To: allewi <allewi at ...589...>, 'snort-users' <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] why UDP disc acquire?

Why do you think the UDP packets are malformed? Tools like Wireshark, tcpdump and tcpreplay handle them correctly. These packets only have a wrong checksum, but I disabled checksum control in Snort by using the option "-k none".



On 24.06.2016 19:05, Al Lewis (allewi) wrote:

It looks like snort is discarding them because they are all malformed.



From: Andrei_1980 <andrei_1980 at ...1975...>
Date: Friday, June 24, 2016 at 11:28 AM
To: allewi <allewi at ...589...>, 'snort-users' <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] why UDP disc acquire?

Hmm, strange. I attached the pcap to the first message. OK, reattaching it to this message.

On 24.06.2016 18:22, Al Lewis (allewi) wrote:
Hello,

Can you provide us with the pcap or a sample of it?




From: Andrei_1980 <andrei_1980 at ...1975...>
Date: Friday, June 24, 2016 at 11:06 AM
To: 'snort-users' <snort-users at lists.sourceforge.net>
Subject: [Snort-users] why UDP disc acquire?

Hi all. I use Snort 2.9.8.2. I have a pcap file of an old attack (see attachment). It contains only UDP packets.
I wrote a test rule:

alert udp any 500 -> any 500 (msg:"DOS Nbisakmp"; classtype: attempted-dos; sid:1000001; rev:1;)

and ran Snort:

snort  -c ./etc/snort.conf -A console -K none  -k none  -r ./pcaps/DOS_Nbisakmp.pcap

and got no alerts. In the output stats I have:

...........
Packet I/O Totals:
   Received:          100
   Analyzed:          100 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
.....................

Breakdown by protocol (includes rebuilt packets):
        Eth:          100 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          100 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:          100 (100.000%)
...................
 UDP Disc:          100 (100.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:          100 (100.000%)

(see the attachment for the full output and snort.conf)


If I change the rule (udp to ip):

alert ip any 500 -> any 500 (msg:"DOS Nbisakmp"; classtype: attempted-dos; sid:1000001; rev:1;)

all packets generate alerts.


So, why are the UDP packets in the sample pcap discarded if I use the udp protocol in the alert?
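The "UDP Disc" counter in the stats above counts datagrams the UDP decoder rejected before any rule was evaluated, which is consistent with an ip rule firing while a udp rule stays silent. Checksum verification is only one of the decoder's checks, and -k none turns off only that one; a UDP length field that disagrees with the IP payload length is a separate sanity check that -k none does not affect (that this is the decoder check behind the counter in this particular pcap is an assumption, since the capture is not on the page). The script below is an added example, not code from the thread or from Snort: it builds three constructed Ethernet/IPv4/UDP frames on port 500, runs the same length and checksum checks over them, and produces Snort-style counters so the two failure classes can be told apart.

```python
import struct

ETH_HLEN = 14
UDP_HLEN = 8


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header plus the datagram with its checksum field zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp))
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    c = _ones_complement_sum(pseudo + zeroed)
    return c if c else 0xFFFF  # a computed 0 is transmitted as 0xFFFF (RFC 768)


def decode_udp(frame: bytes) -> dict:
    """Decoder-style verdict for one Ethernet/IPv4/UDP frame.

    Length problems yield verdict "discard" (what a "UDP Disc" counter would
    record); a checksum problem alone is reported but does not discard, which is
    the part a checksum-off switch like -k none controls.
    """
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return {"verdict": "not_ipv4"}
    ip = frame[ETH_HLEN:]
    ihl = (ip[0] & 0x0F) * 4
    ip_total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        return {"verdict": "not_udp"}
    src, dst = ip[12:16], ip[16:20]
    udp = ip[ihl:ip_total_len]  # IP payload as bounded by the IP total length
    if len(udp) < UDP_HLEN:
        return {"verdict": "discard", "reason": "IP payload shorter than a UDP header"}
    sport, dport, uhlen, cksum = struct.unpack("!HHHH", udp[:8])
    if uhlen < UDP_HLEN:
        return {"verdict": "discard", "reason": "UDP length field below 8"}
    if uhlen != len(udp):
        return {"verdict": "discard",
                "reason": "UDP length %d != IP payload %d" % (uhlen, len(udp))}
    bad_cksum = cksum != 0 and udp_checksum(src, dst, udp) != cksum
    return {"verdict": "ok", "sport": sport, "dport": dport, "bad_checksum": bad_cksum}


def build_frame(payload: bytes, udp_len_override=None, good_checksum=True) -> bytes:
    """Constructed test frame 10.0.0.1:500 -> 10.0.0.2:500 (IP header checksum left 0)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    udp_len = UDP_HLEN + len(payload) if udp_len_override is None else udp_len_override
    udp = struct.pack("!HHHH", 500, 500, udp_len, 0) + payload
    correct = udp_checksum(src, dst, udp)
    cksum = correct if good_checksum else (0x0001 if correct != 0x0001 else 0x0002)
    udp = udp[:6] + struct.pack("!H", cksum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + udp


def triage(frames) -> dict:
    """Snort-style counters: UDP is counted even when the datagram is then discarded."""
    stats = {"analyzed": 0, "udp": 0, "udp_disc": 0, "bad_checksum": 0}
    for frame in frames:
        stats["analyzed"] += 1
        r = decode_udp(frame)
        if r["verdict"] in ("ok", "discard"):
            stats["udp"] += 1
        if r["verdict"] == "discard":
            stats["udp_disc"] += 1
        elif r["verdict"] == "ok" and r["bad_checksum"]:
            stats["bad_checksum"] += 1
    return stats


# Constructed 28-byte payload standing in for an ISAKMP header; contents are arbitrary.
SAMPLE_PAYLOAD = bytes(range(28))
SAMPLE_FRAMES = [
    build_frame(SAMPLE_PAYLOAD),                        # well-formed
    build_frame(SAMPLE_PAYLOAD, udp_len_override=200),  # length field lies: decoder discards
    build_frame(SAMPLE_PAYLOAD, good_checksum=False),   # checksum only: -k none territory
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(decode_udp(f))
    print(triage(SAMPLE_FRAMES))
```

Run it to see one "discard" verdict with the length mismatch and one "ok" verdict with bad_checksum set. To apply the same split to a real capture, feed each frame's bytes from the pcap into decode_udp; frames that come back "discard" will not be seen by a udp rule no matter what -k is set to.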

