[Snort-users] Something is wrong with snort logging?

fatema bannatwala fatema.bannatwala at ...11827...
Tue Nov 8 09:54:30 EST 2016


For some reason the message bounced back; here is what I sent (if this
email gets through):

> Hi YM,
>
> Thanks for some pointers.
> I think it isn't a size limitation, because the alert that had "clntnetid="
> was about 20% longer than the one I mentioned in this email.
> The logs are getting logged in their native unified2 format, and then
> barnyard pushes them to a postgres DB where the payload is stored in hex.
> Then we have a script that queries the snort DB and prints out the
> information in text (i.e. converts the hex payload into text), and that's what
> the alert looks like after querying the DB (the one I used in this email,
> replacing "\n" with '::~~').
>
> I didn't change anything for the HTTP preprocessor, and have been using it with
> all the default settings:
>
> http_processor :
> # HTTP normalization and anomaly detection.  For more information, see README.http_inspect
> preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
> preprocessor http_inspect_server: server default \
>     http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
>     chunk_length 500000 \
>     server_flow_depth 0 \
>     client_flow_depth 0 \
>     post_depth 65495 \
>     oversize_dir_length 500 \
>     max_header_length 750 \
>     max_headers 100 \
>     max_spaces 200 \
>     small_chunk_length { 10 5 } \
>     ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 5814 6080 6173 6988 7000 7001 7005 7071 7144 7145 7510 7770 7777 7778 7779 8000 8001 8008 8014 8015 8020 8028 8040 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090 9091 9111 9290 9443 9447 9710 9788 9999 10000 11371 12601 13014 15489 19980 29991 33300 34412 34443 34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712 } \
>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
>     enable_cookie \
>     extended_response_inspection \
>     inspect_gzip \
>     normalize_utf \
>     unlimited_decompress \
>     normalize_javascript \
>     apache_whitespace no \
>     ascii no \
>     bare_byte no \
>     directory no \
>     double_decode no \
>     iis_backslash no \
>     iis_delimiter no \
>     iis_unicode no \
>     multi_slash no \
>     utf_8 no \
>     u_encode yes \
>     webroot no
>
> On Tue, Nov 8, 2016 at 4:28 AM, Y M <snort at ...15979...> wrote:
>
>> A quick look at this: it could be a number of things. Your rule does not
>> specify where in the payload/HTTP request to look for the content
>> "clntnetid=", so the HTTP body could be a few bytes or a large number of
>> bytes. Snort will usually capture 3-5 (maybe?) packets that triggered the
>> rule. The HTTP body may have a few bytes that fit into these 3-5 packets, or
>> they are further down the HTTP stream. It may be (again) similar to the
>> log_uri buffer length, where on some occasions the uri gets logged and on
>> others it won't due to lengthy URIs.
>>
>>
>> - Are you logging in binary format (unified2)? How does the data look
>> there? Your log looks like it is in Full format.
>>
>> - What are the configurations of your http_processor?
>>
>>
>> While this response is more guesses than answers, I hope it puts you in the
>> right direction.
>>
>>
>> YM
>>
>>
>> ------------------------------
>> *From:* fatema bannatwala <fatema.bannatwala at ...11827...>
>> *Sent:* Monday, November 7, 2016 9:45:53 PM
>> *To:* snort-users at lists.sourceforge.net
>> *Subject:* [Snort-users] Something is wrong with snort logging?
>>
>> Hi,
>>
>> I have a snort rule:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Custom Likely
>> Successful Generic Phish 2016-09-23"; flow:to_server,established;
>> content:"POST"; http_method; content:".php"; http_uri;
>> content:"clntnetid="; depth:10; fast_pattern; http_client_body;
>> content:"&pword="; distance:0; classtype:trojan-activity; sid:10001030;
>> rev:1;)
>>
>> The following event shouldn't trigger without a "clntnetid" in the string,
>> so it looks like some data isn't getting logged into the snort tables:
>>
>> [1:10001030:1] Custom Likely Successful Generic Phish 2016-09-23
>> 2016-11-07 04:26:06.103000-05:00 1.2.3.4:54862 -> 185.8.63.111:80
>> TCP: Data Triggering Snort Rule: POST /wp-admin/css/wep-et.php HTTP/1.1::~~Host: www.anjo.lv::~~Content-Type: application/x-www-form-urlencoded::~~Origin: null::~~Content-Length: 143::~~Connection: keep-alive::~~Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::~~User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4::~~Accept-Language: en-us::~~DNT: 1::~~Accept-Encoding: gzip, deflate::~~::~~
>>
>> Another event that triggered this alert had "clntnetid" in the data string.
>> Not sure if the events that are triggering this alert have that
>> string in the data and snort is not logging it in the database, or something is not
>> correct with the rule that is causing it to trigger for events NOT
>> having that particular string in the data.
>>
>> Snort version - 2.9.8.3
>> barnyard version - 2-1.9
>> pulledpork - 0.7.0
>>
>> Does anyone know what might be going on?
>>
>> Thanks,
>> Fatema.
>>
>>
>>
>>
>
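The open question in this thread is whether sid 10001030 fired on a request whose body was never written to the database, or whether the rule matched something it should not have. The helper below is an added example, not code from the thread, from Snort or from barnyard2: it re-runs the rule's content checks on a payload exported the way Fatema describes (hex column decoded to text, lines joined with '::~~') and flags requests whose Content-Length promises more body bytes than the log actually holds. The sample requests inside it are constructed; the hostnames are placeholders.

```python
SEP = "::~~"  # line joiner used by the thread's DB export script (assumption from the post)


def payload_from_hex(hex_payload: str) -> str:
    """Decode a hex payload column as barnyard2 stores it; latin-1 keeps every byte 1:1."""
    return bytes.fromhex(hex_payload).decode("latin-1")


def split_request(text: str, sep: str = SEP):
    """Split an exported HTTP request into (request line, headers dict, body).

    The export replaced each newline with sep, so the blank line that ends the
    header block shows up as sep+sep. Stray CR characters are dropped first so
    CRLF-terminated requests split the same way.
    """
    text = text.replace("\r", "")
    head, _, body = text.partition(sep + sep)
    lines = head.split(sep)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def rule_10001030_matches(request_line: str, headers: dict, body: str) -> bool:
    """Re-evaluate the content checks of the rule quoted in the thread.

    content:"clntnetid="; depth:10; http_client_body;  -> a 10-byte pattern with
    depth 10 can only match at offset 0, so the body must START with it.
    content:"&pword="; distance:0;  -> must appear after the previous match.
    """
    method, _, rest = request_line.partition(" ")
    uri = rest.split(" ", 1)[0]
    if method != "POST" or ".php" not in uri:
        return False
    anchor = "clntnetid="
    if not body.startswith(anchor):
        return False
    return "&pword=" in body[len(anchor):]


def declared_length(headers: dict) -> int:
    """Content-Length as an int, or 0 when absent or malformed."""
    try:
        return int(headers.get("content-length", "0"))
    except ValueError:
        return 0


def triage(text: str, sep: str = SEP) -> str:
    """Classify one exported alert payload.

    rule_match            -> the logged request really satisfies the rule
    body_truncated_in_log -> headers promise more body than was logged, so the
                             stored payload cannot show what the rule matched
    no_match              -> complete request that does not satisfy the rule
    """
    request_line, headers, body = split_request(text, sep)
    if rule_10001030_matches(request_line, headers, body):
        return "rule_match"
    if declared_length(headers) > len(body.encode("latin-1")):
        return "body_truncated_in_log"
    return "no_match"


# Constructed samples, not real traffic. The first mirrors the shape of the
# alert in the thread: a POST whose 143-byte body never made it into the log.
LOGGED_ALERT = (
    "POST /wp-admin/css/wep-et.php HTTP/1.1::~~Host: www.example.com::~~"
    "Content-Type: application/x-www-form-urlencoded::~~Content-Length: 143::~~"
    "Connection: keep-alive::~~::~~"
)
FULL_REQUEST = (
    "POST /wp-admin/css/wep-et.php HTTP/1.1::~~Host: www.example.com::~~"
    "Content-Type: application/x-www-form-urlencoded::~~Content-Length: 31::~~::~~"
    "clntnetid=someone&pword=hunter2"
)
OTHER_REQUEST = (
    "POST /index.php HTTP/1.1::~~Host: www.example.com::~~"
    "Content-Length: 9::~~::~~user=abcd"
)

if __name__ == "__main__":
    for label, sample in (("logged alert", LOGGED_ALERT),
                          ("full request", FULL_REQUEST),
                          ("other request", OTHER_REQUEST)):
        print(f"{label:14s} -> {triage(sample)}")
    # Same check straight from a hex column holding the raw CRLF request.
    raw_hex = LOGGED_ALERT.replace(SEP, "\r\n").encode().hex()
    verdict = triage(payload_from_hex(raw_hex), sep="\n")
    print(f"{'hex column':14s} -> {verdict}")
```

Run against the alert quoted above, the verdict is body_truncated_in_log: the headers declare 143 body bytes and none are in the stored payload, so the record cannot show whether "clntnetid=" was present when Snort matched. That separates "the rule is wrong" from "the packet saved with the alert is not the one that carried the body", which is the distinction YM's reply is pointing at; the unified2 file or a packet capture of the same flow is where the missing bytes would have to be checked.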