No subject

Thu Nov 23 16:36:19 EST 2017

nc 80
  < My server on port 80
  > GET /php.cgi
  < Here is a long listing of files
  < drwxr-xr-x  2 root  wheel      512 Jun 11 06:17 aout
  < drwxr-xr-x  3 root  wheel      512 Aug  7 15:02 compat
  < -r--r--r--  1 root  wheel     1417 Jun 11 06:17 crt1.o
    <...several lines are cut...>
  < -r--r--r--  1 root  wheel     6424 Jun 11 06:18
  < -r--r--r--  1 root  wheel     4828 Jun 11 06:18
  > qwertyqwertyqwertyqwertyqwertyqwerty
  < Now that should have triggered a couple of packets

Strange thing #1:
In my snort-tcpdump-file I get _one_ packet with the payload of both the
"GET /php.cgi" and the "qwertyqwertyqwertyqwertyqwertyqwerty" packets.
I thought snort dumped the packets exactly as is, but apparently that is
not so. This might confuse the person debugging the packets found in the
tcpdump-file since they aren't exact copies of the original packets.

Strange thing #2, and this is the critical one:
The first responses, "Here is a long listing of files" and the file
listing, are _not_ logged. This is not good since this reply is exactly
what I'm interested in and want to be logged.

If I expand the string "qwertyqwertyqwertyqwertyqwertyqwerty" to be
about 20 times longer, at least the message "Now that should have
triggered a couple of packets" is logged, but the first "Here is a long
listing of files" and the file listing are still missing.

After the packet or packets that belong to my port 80 session to machine
A, I also get a lot of logged packets for other activity (ssh) to/from
this machine. This is correct since my rule was set to tag on 'host' with
the 'dst' IP as its criterion.

Strange thing #3 (a bug in snort?):
The first packet in the tcpdump-file, the one matching "/php.cgi", has a
timestamp of 12:16:36. The last packet in the file has a timestamp of
12:24:34. This is far longer than the 30 seconds I specified.

Question #1:
Will the database plugin support logging tagged packets to a database, or
will just the first packet be logged as it currently does?

I run snort like this:
snort -D -q -L snort.tcpdump -l /var/log/snort -c /etc/snort.conf -i ed1

var HOME_NET any
var RULE_PATH /var/snort
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 snort.portscan
preprocessor portscan-ignorehosts: $DNS_SERVERS
output database: alert, mysql, user=sentor password=pw dbname=snort host= sensor_name=nids1
output alert_fast: snort.alert
include /etc/snort-classification.config
include $RULE_PATH/web-cgi.rules
config alert_with_interface_name
config umask: 022
config checksum_mode: none
config show_year
config stateful

The output from machine B, running nc and sending "GET /php.cgi" and

The tcpdump-file:

The tcpdump-file decoded to hex and ASCII:
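As an added check that is not part of the original post: Snort's -L option writes the tagged packets in libpcap (tcpdump) format, so the "strange thing #3" question, whether packets to or from the tagged host keep appearing long after the 30-second window, can be verified directly from the file. The script below is example code, not Snort's own: it reads a libpcap file, takes the first packet touching the tagged host as the rule trigger, and counts how many later packets to or from that host fall inside or outside the window. The host addresses (10.0.0.1 for machine A, 10.0.0.2 for machine B) and the embedded sample capture are constructed to mirror the timestamps in the post.

```python
import struct
from datetime import datetime, timezone

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic libpcap magic, microsecond timestamps


def parse_pcap(data):
    """Yield (timestamp, src_ip, dst_ip) for every IPv4-over-Ethernet frame in a libpcap file."""
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC_USEC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC_USEC:
        endian = ">"
    else:
        raise ValueError("not a microsecond-resolution libpcap file")
    link_type = struct.unpack(endian + "I", data[20:24])[0]
    if link_type != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        # Need a full Ethernet header plus at least the fixed 20 bytes of IPv4.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ip = frame[14:]
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        yield sec + usec / 1e6, src, dst


def check_tag_window(packets, tagged_host, window_seconds):
    """Treat the first packet touching tagged_host as the trigger (the packet that matched the
    rule) and count later packets to/from that host inside and outside the tag window."""
    hits = [p for p in packets if tagged_host in (p[1], p[2])]
    if not hits:
        return None
    trigger = hits[0][0]
    outside = [p for p in hits if p[0] - trigger > window_seconds]
    return {
        "trigger_ts": trigger,
        "last_ts": max(p[0] for p in hits),
        "in_window": len(hits) - len(outside),
        "outside_window": len(outside),
    }


def _ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_sample_pcap(records):
    """Constructed sample: write a minimal little-endian libpcap file from (timestamp, src, dst)
    tuples; each packet is an Ethernet frame with a bare IPv4 header and a zeroed TCP stub."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for ts, src, dst in records:
        ip_hdr = bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6, 0, 0]) + _ip_bytes(src) + _ip_bytes(dst)
        frame = b"\x00" * 12 + b"\x08\x00" + ip_hdr + b"\x00" * 20
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


# Constructed sample mirroring the post: trigger at 12:16:36, last tagged packet at 12:24:34.
_BASE = datetime(2017, 11, 23, 12, 16, 36, tzinfo=timezone.utc).timestamp()
MACHINE_A = "10.0.0.1"  # hypothetical address of the web server tagged by 'dst'
MACHINE_B = "10.0.0.2"  # hypothetical address of the nc client
SAMPLE_RECORDS = [
    (_BASE, MACHINE_B, MACHINE_A),         # "GET /php.cgi" request that triggers the rule
    (_BASE + 5, MACHINE_A, MACHINE_B),     # reply, inside the 30 s window
    (_BASE + 20, "10.0.0.9", MACHINE_A),   # unrelated ssh traffic to A, also tagged by host
    (_BASE + 25, "10.0.0.3", "10.0.0.4"),  # traffic not involving A, never tagged
    (_BASE + 478, MACHINE_A, "10.0.0.9"),  # 12:24:34, well past the 30 s window
]


def demo(window_seconds=30):
    packets = list(parse_pcap(build_sample_pcap(SAMPLE_RECORDS)))
    return check_tag_window(packets, MACHINE_A, window_seconds)


if __name__ == "__main__":
    r = demo()
    print(f"trigger {datetime.fromtimestamp(r['trigger_ts'], timezone.utc):%H:%M:%S}, "
          f"last {datetime.fromtimestamp(r['last_ts'], timezone.utc):%H:%M:%S}, "
          f"{r['in_window']} packets inside the window, {r['outside_window']} outside")
```

To run it against a real capture, replace `build_sample_pcap(SAMPLE_RECORDS)` with the bytes of the snort.tcpdump file and pass the real address of machine A. A non-zero `outside_window` count confirms that tagging continued past the configured duration; note the script only sees what Snort wrote, so it cannot tell whether the missing first reply was dropped by the tagger or merged by stream4 reassembly.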
