Home page logo
/

snort logo Snort mailing list archives

Analyzing SNORT output and Alerts in Kiwi Syslog
From: Matt Lenco <mattlenco () yahoo com>
Date: Wed, 22 Dec 2010 07:33:33 -0800 (PST)

What can be deduced from the data below?

SNORT processed 1400 pcap files pulled from http packet captures on a DMZ.

There were 106 log files, where the following files had these recurring sessions 
appearing when opened in Wireshark:
TLSv1 Encrypted Handshake Message, Change Cipher, Encrypted Handshake Message.
TCP TCP Segment of a reassembled PDU.

Kiwi syslog reported 40 Alerts
3 were Shellcode x86 Setuid 0 Classification: A system call was detected.
37 Oracle BEA Weblogic Server Plug-Ins Certificate overflow attempt: 
Classification: Attempted User Priviledge Gain

SNORT Results
===============================================================================
Packet I/O Totals:
   Received:    151285415
   Analyzed:    151285415 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:    151617033 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:    151617033 (100.000%)
       Frag:            7 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:    151617026 (100.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
      EAPOL:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:          189 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:          189 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:         6785 (  0.004%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:       129977 (  0.086%)
     S5 G 2:       201641 (  0.133%)
      Total:    151617033
===============================================================================
Action Stats:
     Alerts:          346 (  0.000%)
     Logged:          346 (  0.000%)
     Passed:            0 (  0.000%)
Match Limit:            0
Queue Limit:            0
  Log Limit:            0
Event Limit:            0
Verdicts:
      Allow:    151285415 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
Frag3 statistics:
        Total Fragments: 7
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
                  Drops: 0
     FragTrackers Added: 7
    FragTrackers Dumped: 7
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 7
     Frag Nodes Deleted: 7
===============================================================================
Stream5 statistics:
            Total sessions: 1859825
              TCP sessions: 1859825
              UDP sessions: 0
             ICMP sessions: 0
                TCP Prunes: 1840548
                UDP Prunes: 0
               ICMP Prunes: 0
TCP StreamTrackers Created: 1890730
TCP StreamTrackers Deleted: 1890730
              TCP Timeouts: 50167
              TCP Overlaps: 24964
       TCP Segments Queued: 7580674
     TCP Segments Released: 7580674
       TCP Rebuilt Packets: 4038193
         TCP Segments Used: 5161142
              TCP Discards: 2413732
                  TCP Gaps: 388467
      UDP Sessions Created: 0
      UDP Sessions Deleted: 0
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 113115
           Internal Events: 0
           TCP Port Filter
                   Dropped: 0
                 Inspected: 0
                   Tracked: 151278434
           UDP Port Filter
                   Dropped: 0
                 Inspected: 0
                   Tracked: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         21
    GET methods:                          38434
    HTTP Request Headers extracted:       38442
    HTTP Request cookies extracted:       18849
    Post parameters extracted:            6
    HTTP Response Headers extracted:      0
    HTTP Response cookies extracted:      0
    Unicode:                              425
    Double unicode:                       0
    Non-ASCII representable:              4527
    Base 36:                              0
    Directory traversals:                 0
    Extra slashes ("//"):                 34
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 0
    Gzip Compressed Data Processed:       n/a
    Gzip Decompressed Data Processed:     n/a
    Total packets processed:              47067632
===============================================================================
dcerpc2 Preprocessor Statistics
  Total sessions: 0
===============================================================================
SSL Preprocessor:
   SSL packets decoded: 15148326
          Client Hello: 2764532
          Server Hello: 2410200
           Certificate: 599655
           Server Done: 4641908
   Client Key Exchange: 411885
   Server Key Exchange: 1467
         Change Cipher: 4518835
              Finished: 0
    Client Application: 1990154
    Server Application: 1235042
                 Alert: 32749
  Unrecognized records: 6209117
  Completed handshakes: 0
        Bad handshakes: 16439
      Sessions ignored: 1232299
    Detection disabled: 27270
===============================================================================
Snort exiting

Thanks!
Matt


      
------------------------------------------------------------------------------
Forrester recently released a report on the Return on Investment (ROI) of
Google Apps. They found a 300% ROI, 38%-56% cost savings, and break-even
within 7 months.  Over 3 million businesses have gone Google with Google Apps:
an online email calendar, and document program that's accessible from your 
browser. Read the Forrester report: http://p.sf.net/sfu/googleapps-sfnew
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

  By Date           By Thread  

Current thread:
  • Analyzing SNORT output and Alerts in Kiwi Syslog Matt Lenco (Dec 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault