Snort mailing list archives

Re: [Snort 2.2.0] Rules won't trigger

From: Alex Kirk <alex.kirk () sourcefire com>
Date: Thu, 20 Jan 2005 09:35:08 -0500

Edin,

I've got a couple of thoughts on this.

First off, it makes sense that you're seeing the "GOT IT!" alerts: withthe way you've configured $HOME_NET and $EXTERNAL_NET, the box at172.16.0.1 is part of $EXTERNAL_NET and 172.16.0.254 is in $HOME_NET,and thus any traffic from .1 going to .254 on the MySQL port willtrigger that rule. I should ask you, though: since 172.16.0.0/24 is anon-routable IP address range, is there any reason you're putting hostswithin that range in $EXTERNAL_NET (which has happened simply becausethey're not in $HOME_NET)? If you have regularly used machines on thatsubnet, you may be prone to a lot of false positives -- there are a fairnumber of rules that alert on things that are very regular within aninternal network, but that signify a potential problem if they're comingfrom the Internet at large. For example, the triggering conditions forSID 533, which looks for someone accessing a Windows share of "C$",could happen hundreds of times daily within a protected network, butshouldn't ever be coming in from the Internet, and may signify anattacker looking for poorly configured Windows/Samba boxes if they arecoming in from the Net.

As for SID 1775, the issue is probably that the content-match isn'tquite right (MySQL may have changed the data they send to log in, or youmay be using a method to log in that is different from what was used tocreate the content-match for the rule). It's also possible that the datafor the content-match spanned multiple packets and was not reassembled,since the MySQL port is not covered by stream4 by default; however, thisseems unlikley, since login data generally is small and doesn't spanpackets. Again, though, since 172.16.0.1 is in all likelihood internalto your network, I wonder why you've put this rule in local.rules: doyou really want an alert every time the DBA logs in as root to domaintenance? Or do you mean to just look for root login attempts fromthe Internet at large, to check for intrusions?

In any case, could you send a pcap of one of these logins? If I couldsee exactly what's being sent across the wire when you do this, it wouldbe very helpful in terms of pinpointing the problem, and updating ourrules if necessary.


Thanks,
Alex Kirk
Research Analyst
Sourcefire, Inc.

Hithere!
I have a problem I cannot find the error in my config. However, ruleswon't trigger for some reason. Would somebody please be so kind totake a look and open my eyes. Thx in advance.
Snort is 2.2.0 started for the test like this:

snort -c snort.conf_eth1 -i eth1 -A console -N

I have these rules:
alert tcp 172.16.0.1 any -> 172.16.0.254 3306 (msg:"MYSQL root loginattempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 0000 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"GOT IT!";)

Then I try to login as MySQWL-root from another machine:

$ mysql -h 172.16.0.254 -u root -p

->
01/20/05-11:33:39.774072 [**] [1:0:0] <eth1> GOT IT! [**] [Priority:0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:330601/20/05-11:33:39.774190 [**] [1:0:0] <eth1> GOT IT! [**] [Priority:0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:330601/20/05-11:33:39.774707 [**] [1:0:0] <eth1> GOT IT! [**] [Priority:0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:330601/20/05-11:33:39.774980 [**] [1:0:0] <eth1> GOT IT! [**] [Priority:0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:330601/20/05-11:33:39.775335 [**] [1:0:0] <eth1> GOT IT! [**] [Priority:0] {TCP} 172.16.0.1:40125 -> 172.16.0.254:3306
Can anybody please explain this to me?

Thx & regards,
Edin

The config file:

var HOME_NET [172.16.0.254/32,10.0.0.0/24]

var EXTERNAL_NET !$HOME_NET

var HTTP_SERVERS [172.16.0.254/32,10.0.0.0/24]
var SQL_SERVERS [172.16.0.254/32]
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var RULE_PATH ./snortrules
preprocessor frag2: timeout 60, memcap 8388608
preprocessor stream4: disable_evasion_alerts, timeout 120, memcap33554432
preprocessor stream4_reassemble: both, ports 22 25 53 80 3306
preprocessor flow: stats_interval 0 hash 2
output log_unified: filename unified.log, limit 512
output alert_unified: filename unified.alert, limit 512
config set_gid: snort
config interface: eth1
config alert_with_interface_name
config disable_decode_alerts
config logdir: /var/log/snort
config umask: 027
config set_uid: snort
config show_year
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config detection: search-method lowmem
config threshold: memcap 8388608
config checksum_mode: none
include classification.config
include reference.config
include $RULE_PATH/local.rules

local.rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"GOT IT!";)
alert tcp 172.16.0.1 any -> 172.16.0.254 3306 (msg:"MYSQL root loginattempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 0000 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
Full log:

[root@victim snort]# snort -c snort.conf_eth1 -i eth1 -A console -N
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth1

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file snort.conf_eth1

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
[*] Frag2 config:
    Fragment timeout: 60 seconds
    Fragment memory cap: 8388608 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    State Protection: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 120 seconds
    Session memory cap: 33554432 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 22 25 53 80 3306
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
command line overrides rules file logging plugin!
command line overrides rules file alert plugin!

Initializing Network Interface eth1
Found logdir config directive (/var/log/snort)
Detection:
   Search-Method = Low-Mem Trie
2 Snort rules read...
2 Option Chains linked into 2 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 8388608 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.2.0 (Build 30)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
01/20/05-11:40:24.597428 [**] [1:0:0] <eth1> GOT IT! [**] [Priority:0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:330601/20/05-11:40:24.597536 [**] [1:0:0] <eth1> GOT IT! [**] [Priority:0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:330601/20/05-11:40:24.598304 [**] [1:0:0] <eth1> GOT IT! [**] [Priority:0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:330601/20/05-11:40:24.598622 [**] [1:0:0] <eth1> GOT IT! [**] [Priority:0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:330601/20/05-11:40:24.599022 [**] [1:0:0] <eth1> GOT IT! [**] [Priority:0] {TCP} 172.16.0.1:39948 -> 172.16.0.254:3306




-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

[Snort 2.2.0] Rules won't trigger Edin Dizdarevic (Jan 20)
- Re: [Snort 2.2.0] Rules won't trigger Alex Kirk (Jan 20)
- Re: [Snort 2.2.0] Rules won't trigger Edin Dizdarevic (Jan 31)
- <Possible follow-ups>
- RE: [Snort 2.2.0] Rules won't trigger Joshua Berry (Jan 20)
  - Re: [Snort 2.2.0] Rules won't trigger Edin Dizdarevic (Jan 20)
    - Re: [Snort 2.2.0] Rules won't trigger Alex Kirk (Jan 20)
    - Re: [Snort 2.2.0] Rules won't trigger Edin Dizdarevic (Jan 20)