Snort mailing list archives
Re: Snort not seeing all traffic
From: Todd Wease <twease () sourcefire com>
Date: Thu, 12 Feb 2009 12:25:29 -0500
Hi Jimmy,

Looks like you might be sending traffic from the same box as Snort is running on and TCP checksum offloading is occurring. I noticed this from the stats:

InvChkSum: 627722 (68.997%)

That's a lot of invalid checksums. Try adding "-k none" to your command line while testing. This will disable Snort's checksum checking.

Todd

Jimmy Tharel wrote:
Initially I thought I had a problem with a rule that I wrote but it
appears Snort isn't seeing all of the data coming over the wire. I
wrote a simple rule:
alert tcp <my ip> any <> any any (msg:"Jimmy - Test rule";
classtype:attempted-dos; sid:2000000; rev:1;)
I sent 50 packets across the wire and Snort only picked up 10 of them
and alerted. I had tcpdump running at the same time and it picked up
all of them.
I'm currently running 2.8.3.2. It doesn't look like I'm dropping
packets (especially since tcpdump sees the traffic, and the snort
output shows very little packet loss), and my CPU and memory are not
being taxed at all. Currently I only have the one rule enabled plus the
preprocessors.
Does anybody have any idea what could be happening? If you need any
more info I will be happy to share it.
Below are my snort.conf and the output of Snort running for a brief
period of time when the 50 packets were sent.
Here is my snort.conf:
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS [10.196.4.1,10.196.4.2]
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS
[10.196.2.102,10.196.2.103,10.196.2.105,10.196.2.132,10.196.2.133,10.185.9.42,10.185.9.43,10.185.9.44,10.185.9.56,10.185.9.57,10.196.2.93,10.196.2.94,10.196.2.137,10.185.9.77,10.185.9.78,10.185.9.85,10.185.9.86,10.185.8.18,10.185.8.19]
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var AIM_SERVERS
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500 \
no_alerts
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
encrypted_traffic yes \
inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
normalize \
ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
def_max_param_len 100 \
alt_max_param_len 200 { CWD } \
cmd_validity MODE < char ASBCZ > \
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
telnet_cmds yes \
data_chan
preprocessor ftp_telnet_protocol: ftp client default \
max_resp_len 256 \
bounce yes \
telnet_cmds yes
preprocessor smtp: \
ports { 25 587 691 } \
inspection_type stateful \
normalize cmds \
normalize_cmds { EXPN VRFY RCPT } \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 500 { HELP HELO ETRN } \
alt_max_command_line_len 255 { EXPN VRFY }
preprocessor dcerpc: \
autodetect \
max_frag_size 3000 \
memcap 100000
preprocessor dns: \
ports { 53 } \
enable_rdata_overflow
preprocessor ssl: noinspect_encrypted
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
include classification.config
include reference.config
include $RULE_PATH/local.rules
include threshold.conf
Here is the output of Snort:
Run time prior to being shutdown was 28.595880 seconds
===============================================================================
Packet Wire Totals:
Received: 908053
Analyzed: 907663 (99.957%)
Dropped: 380 (0.042%)
Outstanding: 10 (0.001%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
ETH: 909784 (100.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 907996 (99.803%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 901746 (99.116%)
UDP: 3110 (0.342%)
ICMP: 1007 (0.111%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 506 (0.056%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 1294 (0.142%)
DISCARD: 0 (0.000%)
InvChkSum: 627722 (68.997%)
S5 G 1: 0 (0.000%)
S5 G 2: 2121 (0.233%)
Total: 909784
===============================================================================
Action Stats:
ALERTS: 10
LOGGED: 10
PASSED: 0
===============================================================================
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
Total sessions: 15463
TCP sessions: 15463
UDP sessions: 0
ICMP sessions: 0
TCP Prunes: 0
UDP Prunes: 0
ICMP Prunes: 0
TCP StreamTrackers Created: 15463
TCP StreamTrackers Deleted: 15463
TCP Timeouts: 0
TCP Overlaps: 1
TCP Segments Queued: 8631
TCP Segments Released: 8631
TCP Rebuilt Packets: 4075
TCP Segments Used: 4260
TCP Discards: 19042
UDP Sessions Created: 0
UDP Sessions Deleted: 0
UDP Timeouts: 0
UDP Discards: 0
Events: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 1042
GET methods: 1305
Headers extracted: 2342
Header Cookies extracted: 821
Post parameters extracted: 15
Unicode: 0
Double unicode: 0
Non-ASCII representable: 171
Base 36: 0
Directory traversals: 0
Extra slashes ("//"): 26
Self-referencing paths ("./"): 0
Total packets processed: 218047
===============================================================================
SSL Preprocessor:
SSL packets decoded: 1523
Client Hello: 12
Server Hello: 24
Certificate: 1
Server Done: 85
Client Key Exchange: 6
Server Key Exchange: 0
Change Cipher: 108
Finished: 0
Client Application: 30
Server Application: 273
Alert: 9
Unrecognized records: 1169
Completed handshakes: 2
Bad handshakes: 0
Sessions ignored: 5
Detection disabled: 0
===============================================================================
Snort exiting
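The InvChkSum counter in the stats above is the crux of Todd's diagnosis: a packet whose IP or TCP checksum fails verification is counted there and never reaches the rule engine, which is why tcpdump (which does not verify checksums) sees all 50 packets while Snort alerts on only 10. When traffic is captured on the sending host with checksum offloading enabled, the kernel hands the NIC a frame whose TCP checksum field has not been filled in yet, so the capture shows a placeholder rather than the finished sum. The following Python script is an added example written for this archive page, not code from the thread or from Snort itself. It builds a constructed IPv4/TCP packet, verifies its checksums the way a sensor would, shows the same packet with an unfinished (offloaded) checksum being counted as invalid, and models the effect of the `-k` modes Snort accepts (`all`, `noip`, `notcp`, `none`); the packet addresses, ports, payload and the simplified `would_inspect` model are assumptions of the example, and `parse_invchksum` is a small helper for reading the counter out of a pasted Snort stats block.

```python
import re
import struct

# --- RFC 1071 checksum arithmetic -------------------------------------------

def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (result in 0..0xFFFF)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF

# --- constructed packet builder (assumed test traffic, not from the thread) --

def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))

def build_ipv4_tcp(src, dst, sport, dport, payload, tcp_csum=None) -> bytes:
    """Build a minimal IPv4+TCP packet. Pass tcp_csum to plant a bogus checksum,
    which mimics a host-side capture of an offloaded, not-yet-finished frame."""
    src_b, dst_b = _ip(src), _ip(dst)
    tcp_len = 20 + len(payload)
    # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, tcp_len)
    if tcp_csum is None:
        tcp_csum = checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                         0x4000, 64, 6, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload

# --- verification, as a sensor does it ---------------------------------------

def verify_ip_checksum(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return ones_complement_sum(pkt[:ihl]) == 0xFFFF

def verify_tcp_checksum(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:  # not TCP
        return False
    tcp = pkt[ihl:total_len]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    # A correct checksum makes the whole segment plus pseudo-header sum to 0xFFFF.
    return ones_complement_sum(pseudo + tcp) == 0xFFFF

def tcp_checksum_field(pkt: bytes) -> int:
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!H", pkt[ihl + 16:ihl + 18])[0]

def would_inspect(pkt: bytes, mode: str = "all") -> bool:
    """Simplified model of Snort's -k <mode>: does the packet reach detection?
    'all' verifies IP and TCP, 'noip'/'notcp' skip one layer, 'none' skips both."""
    check_ip = mode in ("all", "notcp")
    check_tcp = mode in ("all", "noip")
    if check_ip and not verify_ip_checksum(pkt):
        return False
    if check_tcp and not verify_tcp_checksum(pkt):
        return False
    return True

def invalid_checksum_ratio(pkts, mode: str = "all"):
    """Return (invalid_count, percent) like the InvChkSum line in Snort's stats."""
    bad = sum(1 for p in pkts if not would_inspect(p, mode))
    return bad, round(100.0 * bad / len(pkts), 3) if pkts else 0.0

def parse_invchksum(stats_text: str):
    """Pull the InvChkSum count and percentage out of a pasted Snort stats block."""
    m = re.search(r"InvChkSum:\s*(\d+)\s*\(([\d.]+)%\)", stats_text)
    return (int(m.group(1)), float(m.group(2))) if m else None

if __name__ == "__main__":
    good = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    offloaded = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80,
                               b"GET / HTTP/1.0\r\n\r\n", tcp_csum=0)
    print("correct TCP checksum: 0x%04x" % tcp_checksum_field(good))
    print("offloaded frame inspected with -k all :", would_inspect(offloaded, "all"))
    print("offloaded frame inspected with -k none:", would_inspect(offloaded, "none"))
    print("InvChkSum over sample:", invalid_checksum_ratio([good, offloaded, offloaded]))
```

Running it shows the offloaded frame being rejected under the default mode and accepted under `-k none`, which is the behaviour Todd is relying on. Disabling verification is fine on a test box, but on a production sensor that is not the sending host it also silences a real signal (a flood of genuinely corrupt or deliberately bad-checksum packets), so the better long-term fix is to capture from a span port or a separate sensor rather than from the host generating the traffic.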
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort not seeing all traffic Jimmy Tharel (Feb 12)
- Re: Snort not seeing all traffic Joel Esler (Feb 12)
- Re: Snort not seeing all traffic Todd Wease (Feb 12)
- Re: Snort not seeing all traffic Jack Pepper (Feb 12)
