Home page logo
/

snort logo Snort mailing list archives

Re: Snort not logging all alerts in pcap (was Oddness with 16295)
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 15 Nov 2010 12:01:57 -0700

Hrmm.  Well, this is snort 2.9.0.1.  I've recompiled it without gre and
performance stats so we'll see what happens.

James

On 11/13/10 5:25 AM, "rmkml" <rmkml () yahoo fr> wrote:

Hi James,
It's perfect, what's pb?
If I remember correctly, snort write only one packet on pcap file for one
alert... (not stream reassembly)
What snort version you use?
Maybe snort "drop" packet? read your log for stat packets or send 'kill
-USR1 snort_pid'...
Regards
Rmkml


On Thu, 11 Nov 2010, Lay, James wrote:


OK so now I¹m sure there¹s an issue.  Below are more
examplesŠeverything is fine until alert timestamps 11/11-10:38:38.577756
and 11/11-10:38:38.818757Šthey are
simply not there in the corresponding pcap file.  My settings are as
follows:

 

output alert_fast: internetalert.fast

output log_tcpdump: internettcpdump.pcap

 

Any reason some packets aren¹t getting logged in the pcap file?  Any
pointers would be excellent.

 

James 

 

[10:45:48 jlay () goids:~/log$] sudo tail -n 20 internetalert.fast

11/11-10:26:15.284212  [**] [1:2008418:4] ET POLICY Metasploit
Framework Update [**] [Classification: Misc activity] [Priority: 3]
{TCP} 216.75.1.230:443 ->
10.21.0.9:53302

11/11-10:27:41.141234  [**] [1:15306:4] WEB-CLIENT Portable Executable
binary file transfer [**] [Classification: Misc activity] [Priority: 3]
{TCP}
68.142.93.133:80 -> 10.21.0.16:62912

11/11-10:27:58.026044  [**] [1:2406512:194] ET RBN Known Russian
Business Network IP TCP (257) [**] [Classification: Misc Attack]
[Priority: 2] {TCP}
10.21.0.16:62962 -> 85.17.84.214:80

11/11-10:30:04.970609  [**] [119:14:1] (http_inspect) NON-RFC DEFINED
CHAR [**] [Priority: 3] {TCP} 10.21.0.16:63283 -> 199.7.50.72:80

11/11-10:30:36.362238  [**] [1:15362:1] WEB-CLIENT obfuscated
javascript excessive fromCharCode - potential attack [**]
[Classification: Misc activity]
[Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:63388

11/11-10:30:44.274148  [**] [1:15362:1] WEB-CLIENT obfuscated
javascript excessive fromCharCode - potential attack [**]
[Classification: Misc activity]
[Priority: 3] {TCP} 66.150.28.142:80 -> 10.21.0.16:63427

11/11-10:32:33.810911  [**] [1:15362:1] WEB-CLIENT obfuscated
javascript excessive fromCharCode - potential attack [**]
[Classification: Misc activity]
[Priority: 3] {TCP} 64.75.15.140:80 -> 10.21.10.225:59450

11/11-10:34:04.413890  [**] [119:14:1] (http_inspect) NON-RFC DEFINED
CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64094 -> 173.204.52.197:80

11/11-10:35:42.820754  [**] [1:15362:1] WEB-CLIENT obfuscated
javascript excessive fromCharCode - potential attack [**]
[Classification: Misc activity]
[Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:64404

11/11-10:35:49.670676  [**] [1:15362:1] WEB-CLIENT obfuscated
javascript excessive fromCharCode - potential attack [**]
[Classification: Misc activity]
[Priority: 3] {TCP} 66.150.28.142:80 -> 10.21.0.16:64432

11/11-10:38:00.626191  [**] [1:2406512:194] ET RBN Known Russian
Business Network IP TCP (257) [**] [Classification: Misc Attack]
[Priority: 2] {TCP}
10.21.0.16:64881 -> 85.17.84.212:80

11/11-10:38:38.577756  [**] [1:17487:1] WEB-CLIENT Microsoft Internet
Explorer Script Engine Stack Exhaustion Denial of Service attempt [**]
[Classification:
Attempted Denial of Service] [Priority: 2] {TCP} 96.6.2.125:80 ->
10.21.0.16:64991

11/11-10:38:38.818757  [**] [1:17487:1] WEB-CLIENT Microsoft Internet
Explorer Script Engine Stack Exhaustion Denial of Service attempt [**]
[Classification:
Attempted Denial of Service] [Priority: 2] {TCP} 72.246.94.34:80 ->
10.21.0.16:64835

11/11-10:38:46.511664  [**] [1:2010786:4] ET POLICY Facebook Chat
(settings) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP}
10.21.0.16:65098 -> 66.220.146.32:80

11/11-10:40:49.997265  [**] [1:15362:1] WEB-CLIENT obfuscated
javascript excessive fromCharCode - potential attack [**]
[Classification: Misc activity]
[Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:1181

11/11-10:40:57.546175  [**] [1:15306:4] WEB-CLIENT Portable Executable
binary file transfer [**] [Classification: Misc activity] [Priority: 3]
{TCP}
207.171.185.196:80 -> 10.21.0.16:1281

11/11-10:41:42.069675  [**] [1:648:10] SHELLCODE x86 NOOP [**]
[Classification: Executable Code was Detected] [Priority: 1] {TCP}
207.171.185.196:80 ->
10.21.0.16:1493

11/11-10:43:16.912596  [**] [1:5713:3] WEB-CLIENT Windows Metafile
invalid header size integer overflow [**] [Classification: Attempted
Administrator Privilege
Gain] [Priority: 1] {TCP} 65.55.69.143:80 -> 10.21.0.16:1491

11/11-10:45:35.275018  [**] [1:15362:1] WEB-CLIENT obfuscated
javascript excessive fromCharCode - potential attack [**]
[Classification: Misc activity]
[Priority: 3] {TCP} 97.65.104.17:80 -> 10.21.0.16:2634

 

From pcap file:

10:26:15.284212 IP 216.75.1.230.443 > 10.21.0.9.53302: Flags [.], ack
1538376874, win 46, options [nop,nop,TS val 285059531 ecr 843329],
length 1388

10:27:41.141234 IP 68.142.93.133.80 > 10.21.0.16.62912: Flags [.], ack
3472428307, win 65535, length 1400

10:27:58.026044 IP 10.21.0.16.62962 > 85.17.84.214.80: Flags [S], seq
3387361148, win 65535, options [mss 1460,nop,nop,sackOK], length 0

10:30:04.970609 IP 10.21.0.16.63283 > 199.7.50.72.80: Flags [P.], ack
1095737173, win 65535, length 20

10:30:36.362238 IP 64.210.194.188.80 > 10.21.0.16.63388: Flags [.], ack
2060485191, win 7504, length 1400

10:30:44.274148 IP 66.150.28.142.80 > 10.21.0.16.63427: Flags [.], ack
1404174044, win 7066, length 1400

10:32:33.810911 IP 64.75.15.140.80 > 10.21.10.225.59450: Flags [P.],
ack 2592865250, win 1023, length 1380

10:34:04.413890 IP 10.21.0.16.64094 > 173.204.52.197.80: Flags [P.],
ack 87661050, win 65535, length 12

10:35:42.820754 IP 64.210.194.188.80 > 10.21.0.16.64404: Flags [.], ack
706084536, win 7504, length 1400

10:35:49.670676 IP 66.150.28.142.80 > 10.21.0.16.64432: Flags [.], ack
3592031382, win 7066, length 1400

10:38:00.626191 IP 10.21.0.16.64881 > 85.17.84.212.80: Flags [S], seq
2705613011, win 65535, options [mss 1460,nop,nop,sackOK], length 0

10:40:49.997265 IP 64.210.194.188.80 > 10.21.0.16.1181: Flags [.], ack
2665905014, win 13936, length 1400

10:40:57.546175 IP 207.171.185.196.80 > 10.21.0.16.1281: Flags [.], ack
237172578, win 65535, length 1380

10:41:42.069675 IP 207.171.185.196.80 > 10.21.0.16.1493: Flags [.], ack
1349174870, win 49664, length 1380

10:43:16.912596 IP 65.55.69.143.80 > 10.21.0.16.1491: Flags [P.], ack
1907873745, win 13425, length 1400

10:45:35.275018 IP 97.65.104.17.80 > 10.21.0.16.2634: Flags [.], ack
1374951746, win 7504, length 1400

 

 

From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Thursday, November 11, 2010 10:43 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Oddness with 16295

 

BumpŠno takers on this?

 

From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Wednesday, November 10, 2010 10:52 AM
To: snort-users () lists sourceforge net
Subject: Oddness with 16295

 

So this is weirdŠ.looking at this hit:

 

11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus
library heap buffer overflow - without optional fields [**]
[Classification: Attempted
User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 ->
10.21.0.16:64385

 

Fairly certain it¹s an fp, butŠwhen I hit the pcap dump file, it
doesn¹t showŠ.here¹s consecutive hits in the alert file:

 

11/10-10:37:25.096951  [**] [1:12280:2] WEB-CLIENT VML source file
memory corruption [**] [Classification: Attempted User Privilege Gain]
[Priority: 1] {TCP}
67.23.129.249:80 -> 10.21.0.16:64185

11/10-10:37:25.131950  [**] [1:12280:2] WEB-CLIENT VML source file
memory corruption [**] [Classification: Attempted User Privilege Gain]
[Priority: 1] {TCP}
67.23.129.249:80 -> 10.21.0.16:64185

11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus
library heap buffer overflow - without optional fields [**]
[Classification: Attempted
User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 ->
10.21.0.16:64385

11/10-10:39:35.643464  [**] [119:14:1] (http_inspect) NON-RFC DEFINED
CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64686 -> 66.211.180.40:80

 

And from the pcapfile:

sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395

10:37:25.096951 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack
1081895485, win 4789, length 1400

10:37:25.131950 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack
1, win 4789, length 1400

10:39:35.643464 IP 10.21.0.16.64686 > 66.211.180.40.80: Flags [.], ack
2261207081, win 65535, length 536

 

So where did 16295 go?  A quick check for that IP gives nothing:

[10:48:24 jlay () goids:~/log$] sudo tcpdump -n -s 1524 -r
internettcpdump.pcap.1289401395 ip and host 204.11.109.23

reading from file internettcpdump.pcap.1289401395, link-type EN10MB
(Ethernet)

[10:50:21 jlay () goids:~/log$]

 

James Lay

IT Security Analyst

WinCo Foods

208-672-2014 Office

208-559-1855 Cell

650 N Armstrong Pl.

Boise, Idaho 83704

 


-------------------------------------------------------------------------
-----
Centralized Desktop Delivery: Dell and VMware Reference Architecture
Simplifying enterprise desktop deployment and management using
Dell EqualLogic storage and VMware View: A highly scalable, end-to-end
client virtualization framework. Read more!
http://p.sf.net/sfu/dell-eql-dev2dev______________________________________
_________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



------------------------------------------------------------------------------
Centralized Desktop Delivery: Dell and VMware Reference Architecture
Simplifying enterprise desktop deployment and management using
Dell EqualLogic storage and VMware View: A highly scalable, end-to-end
client virtualization framework. Read more!
http://p.sf.net/sfu/dell-eql-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]