[Snort-users] Snort-users Digest, Vol 129, Issue 18

Porncheewa PomHom porncheewa at ...11827...
Sat Feb 11 05:20:40 EST 2017


I don't need snort

On Friday, 10 February 2017, <snort-users-request at lists.sourceforge.net> wrote:

> Send Snort-users mailing list submissions to
>         snort-users at lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
>         snort-users-request at lists.sourceforge.net
>
> You can reach the person managing the list at
>         snort-users-owner at lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> When responding, please don't respond with the entire Digest.  Please trim
> your response.
>
> Today's Topics:
>
>    1. Re: http_inspect missing requests (Russ)
>    2. Re: (no subject) (wkitty42 at ...14940...)
>    3. Re: (no subject) (Russ)
>    4. Re: (no subject) (wkitty42 at ...14940...)
>    5. Re: (no subject) (Joel Esler (jesler))
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 9 Feb 2017 11:13:01 -0500
> From: Russ <rucombs at ...589...>
> Subject: Re: [Snort-users] http_inspect missing requests
> To: Felix Erlacher <felix.erlacher at ...17726...>,
>         "snort-users at lists.sourceforge.net"
>         <snort-users at lists.sourceforge.net>
> Message-ID: <292077f4-4e43-5c7a-e47b-fb6733319570 at ...589...>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> The raw and rebuilt packets undergo detection.  Check your shutdown
> stats under "Limits" for each run.  You may be hitting the match limit.
> See doc/README.counts for details.
>
> On 2/9/17 5:06 AM, Felix Erlacher wrote:
> > Thanks for the insightful and clarifying answer.
> > Does a similar behavior apply to the rule application engine as well?
> > As explained in my last mail, http_inspect states for both traces 10 GET
> > requests. So I assume that is what the application engine analyzes.  But
> > the number of alerts differs, although the payload, and thus the
> > searched pattern in the http_header, is the same in both traces.
> >
> > Thanks and greets
> >
> > felix
> >
> > On 08/02/17 18:11, Russ wrote:
> >> The http_inspect preprocessor has evolved over the years to become more
> >> stateful but retains some stateless processing which your new pcaps are
> >> exercising since they lack a full TCP session with 3-way handshake.
> >> Processing the bald data segments can lead to bogus results along with
> >> diminished performance.
> >>
> >> Consider the pcap with 10 fully overlapping segments.  Snort processed
> >> them all.  Within the context of a normal session, only one would be
> >> processed depending upon policy because only one would be delivered to
> >> the receiving TCP user.  In IDS mode Snort will handle the overlaps
> >> according to configured policy whereas in IPS mode Snort will ensure
> >> first wins and normalize subsequent overlaps to match.  So, normal
> >> traffic with a proper session will be processed more efficiently and
> >> more accurately.
> >>
> >> If you are curious, try crafting a full session for these two cases and
> >> see how it goes.  If you are extra curious, try out Snort++ instead
> >> which has a completely new http_inspect.
> >>
> >> On 2/8/17 6:39 AM, Felix Erlacher wrote:
> >>> Thanks for the help.
> >>> All GET requests were processed in inline mode like you proposed. Is
> >>> this because in IDS mode Snort works in post-ack inspection mode and in
> >>> inline (IPS) mode it does pre-ack inspection?
> >>> I couldn't find any information about this in the Snort manual.
> >>>
> >>> But there are still some questions regarding this trace.
> >>> You say that if packets are not ACKed, Snort will not look at them (if
> >>> not in IPS mode).
> >>> But if I put the same TCP payload in one segment (10GETonePanon.pcap)
> >>> and feed it to Snort, the http_inspect stats show me 10 GET requests.
> >>> But according to your last mail it shouldn't because the segment is not
> >>> ACKed.
> >>> (Again, I used the standard snort.conf from 2.9.9.0 in IDS mode with the
> >>> -k none switch)
> >>>
> >>> The same holds if I put every GET request in an individual packet,
> >>> resulting in 10 TCP segments (10indivGETanon.pcap). http_inspect tells
> >>> me it processed 10 GET requests although none of the 10 packets was
> >>> ACKed. (They even have all the same SEQ numbers.)
> >>>
> >>> There is one difference between the two traces, though. The rule with sid
> >>> 2013504 from the Emerging Threats ruleset looks for
> >>> content:"APT-HTTP|2F|" in the http_header.
> >>> It fires 5 alerts for the 10GETonePanon.pcap trace but 10 alerts for the
> >>> 10indivGETanon.pcap trace. The payload can be found 10 times in both traces.
> >>>
> >>> It would be great if someone could give me some insights on this.
> >>>
> >>> greets
> >>>
> >>> felix
> >>>
> >>>
> >>> On 03/02/17 23:06, Russ wrote:
> >>>> The final 3 GET requests were not acknowledged by the TCP server and so
> >>>> weren't processed.  If you run in IPS mode you will see them get
> >>>> processed.  To enable IPS mode, make sure you have
> >>>>
> >>>>       preprocessor normalize_tcp: ips
> >>>>
> >>>> in your conf and add these args to your command line:
> >>>>
> >>>>       --daq dump --daq-var load-mode=read-file -Q
> >>>>
> >>>> The dump DAQ allows you to test inline mode with pcaps (it will create a
> >>>> new pcap with only the packets allowed to pass); -Q enables inline mode;
> >>>> and normalize_tcp: ips enables stream normalization.
> >>>>
> >>>> On 2/3/17 1:27 PM, Felix Erlacher wrote:
> >>>>> Hi all,
> >>>>>
> >>>>> I have a pcap trace containing HTTP traffic. I began to wonder because
> >>>>> Snort did not trigger all alerts I was expecting. So I extracted the TCP
> >>>>> stream in question and looked at it more closely. My impression is that
> >>>>> for some reason the HTTP preprocessor is not parsing all GET requests.
> >>>>> If I load this trace in Wireshark, then "follow TCP stream", it shows me
> >>>>> 10 GET requests.
> >>>>> If I use ngrep to manually inspect the trace, I count 10 GET requests as
> >>>>> well.
> >>>>>
> >>>>> But the HTTP Inspect preprocessor of Snort tells me it found only 7 GET
> >>>>> requests?!
> >>>>> What could possibly be the problem?
> >>>>>
> >>>>> Some peculiarities of the trace:
> >>>>> Heavy usage of HTTP/1.1 pipelining
> >>>>> While Wireshark and the Snort DAQ tell me they processed 13 packets,
> >>>>> HTTP inspect tells me it processed 17 packets.
> >>>>> This trace contains checksum errors and a tcp RST in the last packet.
> >>>>>
> >>>>> I am using Snort 2.9.9.0 with snort.conf from tarball and "-k none" switch.
> >>>>>
> >>>>> I would be happy to share the trace, but for privacy reasons I don't
> >>>>> want to do that on the list. In case someone wants to take a look, just
> >>>>> drop me a mail.
> >>>>>
> >>>>> thanks and greetings
> >>>>>
> >>>>>
> >>>>> ------------------------------------------------------------------------------
> >>>>> Check out the vibrant tech community on one of the world's most
> >>>>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> Snort-users mailing list
> >>>>> Snort-users at lists.sourceforge.net
> >>>>> Go to this URL to change user options or unsubscribe:
> >>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>>>> Snort-users list archive:
> >>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >>>>>
> >>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 9 Feb 2017 12:21:30 -0500
> From: wkitty42 at ...14940...
> Subject: Re: [Snort-users] (no subject)
> To: snort-users at lists.sourceforge.net
> Message-ID: <174d993d-9181-6883-df59-6cd596751bf3 at ...14940...>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 02/08/2017 10:42 PM, Al Lewis (allewi) wrote:
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
>
>
> i wonder sometimes if there should be a bot to react to these and post these
> responses back to the users... but then i think about how that might be abused
> and say, "nah"...
>
> the real interesting question is why, all of a sudden, are all these requests
> coming in? what has happened to cause this where folks just can't or don't seem
> to know how to do it themselves?
>
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         *Please keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 9 Feb 2017 13:21:56 -0500
> From: Russ <rucombs at ...589...>
> Subject: Re: [Snort-users] (no subject)
> To: wkitty42 at ...14940...,
> snort-users at lists.sourceforge.net
> Message-ID: <8f2e850b-703c-8c37-c111-8b74fb65dc31 at ...589...>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> Seems like they must be trolling us.  :)  My recommendation is to filter
> out / ignore all such messages.  If they really want to unsubscribe,
> they will figure it out.  Do not reply!
>
> On 2/9/17 12:21 PM, wkitty42 at ...14940... wrote:
> > On 02/08/2017 10:42 PM, Al Lewis (allewi) wrote:
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >
> > i wonder sometimes if there should be a bot to react to these and post these
> > responses back to the users... but then i think about how that might be abused
> > and say, "nah"...
> >
> > the real interesting question is why, all of a sudden, are all these requests
> > coming in? what has happened to cause this where folks just can't or don't seem
> > to know how to do it themselves?
> >
> >
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 9 Feb 2017 13:43:52 -0500
> From: wkitty42 at ...14940...
> Subject: Re: [Snort-users] (no subject)
> To: snort-users at lists.sourceforge.net
> Message-ID: <e5258794-954c-5dde-2963-b1f34aa22747 at ...14940...>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 02/09/2017 01:21 PM, Russ wrote:
> > Seems like they must be trolling us.  :)  My recommendation is to filter
> > out / ignore all such messages.  If they really want to unsubscribe,
> > they will figure it out.  Do not reply!
>
>
> hahaha, i hear ya! :lol:
>
> however, i'm on some 15 or 20 mailing lists and they are all being hit by these
> "unsubscribe me" requests... it is hard to imagine that this is some new vector
> being used to try to infest systems but...
>
>
> > On 2/9/17 12:21 PM, wkitty42 at ...14940... wrote:
> >> On 02/08/2017 10:42 PM, Al Lewis (allewi) wrote:
> >>> Go to this URL to change user options or unsubscribe:
> >>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>
> >> i wonder sometimes if there should be a bot to react to these and post these
> >> responses back to the users... but then i think about how that might be abused
> >> and say, "nah"...
> >>
> >> the real interesting question is why, all of a sudden, are all these requests
> >> coming in? what has happened to cause this where folks just can't or don't seem
> >> to know how to do it themselves?
>
>
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         *Please keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
>
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 10 Feb 2017 00:53:43 +0000
> From: "Joel Esler (jesler)" <jesler at ...589...>
> Subject: Re: [Snort-users] (no subject)
> To: Johnny Green <johnny.b.green1 at ...11827...>
> Cc: "Snort-users at lists.sourceforge.net"
>         <Snort-users at lists.sourceforge.net>
> Message-ID: <25EF2EB8-0389-41CF-99EE-308ACF0C3ED0 at ...589...>
> Content-Type: text/plain; charset="utf-8"
>
> 2000+ new users in the last month?  People don't know how to read footers?
>
>
> --
> Joel Esler | Talos: Manager | jesler at ...589...
>
>
>
>
>
>
> On Feb 8, 2017, at 9:48 PM, Johnny Green <johnny.b.green1 at ...11827...> wrote:
>
> Remove from list
>
>
> ------------------------------
>
> ------------------------------
>
>
> End of Snort-users Digest, Vol 129, Issue 18
> ********************************************
>
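The behaviour Russ describes above (post-ACK inspection in IDS mode, so unacknowledged segments are never handed to http_inspect, versus pre-ACK inspection with first-wins normalization in IPS mode) can be modelled in a few lines. This is an added example, not code from Snort or from anyone in the thread; the segment and ACK data are constructed to mirror the 10-GET traces discussed, and the function and constant names are my own. It assumes a proper session and a first-wins overlap policy in both modes, which simplifies the configurable IDS-mode policy Russ mentions.

```python
# Added example (not Snort code): a toy model of TCP reassembly as an IDS sees
# it (post-ACK: only server-acknowledged bytes reach http_inspect) versus an IPS
# (pre-ACK: every segment is inspected; first-seen data wins on overlap, as with
# "preprocessor normalize_tcp: ips"). Segments are (absolute seq, payload)
# pairs and ACKs are absolute ack numbers; all sample data is constructed.

def reassemble(segments, server_acks, mode="ids"):
    """Return the client->server byte stream the inspector would process."""
    highest_ack = max(server_acks, default=None)
    delivered = {}  # absolute seq -> byte; setdefault keeps the first write
    for seq, payload in segments:
        for i, b in enumerate(payload):
            pos = seq + i
            if mode == "ids" and (highest_ack is None or pos >= highest_ack):
                continue  # never acknowledged by the server: not inspected
            delivered.setdefault(pos, b)
    if not delivered:
        return b""
    lo, hi = min(delivered), max(delivered)
    return bytes(delivered.get(p, 0) for p in range(lo, hi + 1))  # 0 fills gaps

def count_gets(stream):
    """Count GET request lines, the way http_inspect's stats would."""
    return stream.count(b"GET /")

# Constructed data: 10 pipelined GET requests starting at an arbitrary ISN.
ISN = 1000
REQUESTS = [b"GET /p%d HTTP/1.1\r\nHost: example.test\r\n\r\n" % i for i in range(10)]

# Trace A: one request per segment, back to back; the server ACKs only the
# first 7 (the "final 3 GET requests were not acknowledged" situation).
SEGS_PIPELINED, _seq = [], ISN
for _r in REQUESTS:
    SEGS_PIPELINED.append((_seq, _r))
    _seq += len(_r)
ACK_AFTER_7 = ISN + sum(len(r) for r in REQUESTS[:7])

# Trace B: the same 10 requests as 10 fully overlapping segments (same SEQ);
# in a real session only one copy is delivered to the receiving application.
SEGS_OVERLAP = [(ISN, r) for r in REQUESTS]
ACK_ONE = ISN + len(REQUESTS[0])

if __name__ == "__main__":
    for name, segs, acks in (("pipelined", SEGS_PIPELINED, [ACK_AFTER_7]),
                             ("overlapping", SEGS_OVERLAP, [ACK_ONE])):
        for mode in ("ids", "ips"):
            print(name, mode, count_gets(reassemble(segs, acks, mode)))
```

Trace A yields 7 GETs in IDS mode and 10 in IPS mode; trace B yields 1 in both, which is the "only one would be processed" outcome for a proper session.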
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170211/d7e84e05/attachment.html>

