Snort mailing list archives
Re: Analyzing SNORT output and Alerts in Kiwi Syslog
From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 4 Jan 2011 15:22:23 -0500
On Wed, Dec 22, 2010 at 10:33 AM, Matt Lenco <mattlenco () yahoo com> wrote:
What can be deduced from the data below? SNORT processed 1400 pcap files pulled from http packet captures on a DMZ. There were 106 log files, where the following files had these recurring sessions appearing when opened in Wireshark: TLSv1 Encrypted Handshake Message, Change Cipher, Encrypted Handshake Message; TCP: TCP Segment of a reassembled PDU.
Kiwi syslog reported 40 alerts: 3 were "Shellcode x86 Setuid 0" (Classification: A system call was detected) and 37 were "Oracle BEA Weblogic Server Plug-Ins Certificate overflow attempt" (Classification: Attempted User Privilege Gain).
Snort reported 346 alerts:
Alerts: 346 ( 0.000%)
So you should look into those. Also, there are a lot of TCP discards that
should be investigated. Try enabling
config autogenerate_preprocessor_decoder_rules
and rerunning.
SNORT Results
===============================================================================
Packet I/O Totals:
Received: 151285415
Analyzed: 151285415 (100.000%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)
Injected: 0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: 151617033 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 151617033 (100.000%)
Frag: 7 ( 0.000%)
ICMP: 0 ( 0.000%)
UDP: 0 ( 0.000%)
TCP: 151617026 (100.000%)
IP6: 0 ( 0.000%)
IP6 Ext: 0 ( 0.000%)
IP6 Opts: 0 ( 0.000%)
Frag6: 0 ( 0.000%)
ICMP6: 0 ( 0.000%)
UDP6: 0 ( 0.000%)
TCP6: 0 ( 0.000%)
Teredo: 0 ( 0.000%)
ICMP-IP: 0 ( 0.000%)
EAPOL: 0 ( 0.000%)
IP4/IP4: 0 ( 0.000%)
IP4/IP6: 0 ( 0.000%)
IP6/IP4: 0 ( 0.000%)
IP6/IP6: 0 ( 0.000%)
GRE: 0 ( 0.000%)
GRE Eth: 0 ( 0.000%)
GRE VLAN: 0 ( 0.000%)
GRE IP4: 0 ( 0.000%)
GRE IP6: 0 ( 0.000%)
GRE IP6 Ext: 0 ( 0.000%)
GRE PPTP: 0 ( 0.000%)
GRE ARP: 0 ( 0.000%)
GRE IPX: 0 ( 0.000%)
GRE Loop: 0 ( 0.000%)
MPLS: 0 ( 0.000%)
ARP: 0 ( 0.000%)
IPX: 0 ( 0.000%)
Eth Loop: 0 ( 0.000%)
Eth Disc: 0 ( 0.000%)
IP4 Disc: 0 ( 0.000%)
IP6 Disc: 0 ( 0.000%)
TCP Disc: 189 ( 0.000%)
UDP Disc: 0 ( 0.000%)
ICMP Disc: 0 ( 0.000%)
All Discard: 189 ( 0.000%)
Other: 0 ( 0.000%)
Bad Chk Sum: 6785 ( 0.004%)
Bad TTL: 0 ( 0.000%)
S5 G 1: 129977 ( 0.086%)
S5 G 2: 201641 ( 0.133%)
Total: 151617033
===============================================================================
Action Stats:
Alerts: 346 ( 0.000%)
Logged: 346 ( 0.000%)
Passed: 0 ( 0.000%)
Match Limit: 0
Queue Limit: 0
Log Limit: 0
Event Limit: 0
Verdicts:
Allow: 151285415 (100.000%)
Block: 0 ( 0.000%)
Replace: 0 ( 0.000%)
Whitelist: 0 ( 0.000%)
Blacklist: 0 ( 0.000%)
Ignore: 0 ( 0.000%)
===============================================================================
Frag3 statistics:
Total Fragments: 7
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
Drops: 0
FragTrackers Added: 7
FragTrackers Dumped: 7
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 7
Frag Nodes Deleted: 7
===============================================================================
Stream5 statistics:
Total sessions: 1859825
TCP sessions: 1859825
UDP sessions: 0
ICMP sessions: 0
TCP Prunes: 1840548
UDP Prunes: 0
ICMP Prunes: 0
TCP StreamTrackers Created: 1890730
TCP StreamTrackers Deleted: 1890730
TCP Timeouts: 50167
TCP Overlaps: 24964
TCP Segments Queued: 7580674
TCP Segments Released: 7580674
TCP Rebuilt Packets: 4038193
TCP Segments Used: 5161142
TCP Discards: 2413732
TCP Gaps: 388467
UDP Sessions Created: 0
UDP Sessions Deleted: 0
UDP Timeouts: 0
UDP Discards: 0
Events: 113115
Internal Events: 0
TCP Port Filter
Dropped: 0
Inspected: 0
Tracked: 151278434
UDP Port Filter
Dropped: 0
Inspected: 0
Tracked: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 21
GET methods: 38434
HTTP Request Headers extracted: 38442
HTTP Request cookies extracted: 18849
Post parameters extracted: 6
HTTP Response Headers extracted: 0
HTTP Response cookies extracted: 0
Unicode: 425
Double unicode: 0
Non-ASCII representable: 4527
Base 36: 0
Directory traversals: 0
Extra slashes ("//"): 34
Self-referencing paths ("./"): 0
HTTP Response Gzip packets extracted: 0
Gzip Compressed Data Processed: n/a
Gzip Decompressed Data Processed: n/a
Total packets processed: 47067632
===============================================================================
dcerpc2 Preprocessor Statistics
Total sessions: 0
===============================================================================
SSL Preprocessor:
SSL packets decoded: 15148326
Client Hello: 2764532
Server Hello: 2410200
Certificate: 599655
Server Done: 4641908
Client Key Exchange: 411885
Server Key Exchange: 1467
Change Cipher: 4518835
Finished: 0
Client Application: 1990154
Server Application: 1235042
Alert: 32749
Unrecognized records: 6209117
Completed handshakes: 0
Bad handshakes: 16439
Sessions ignored: 1232299
Detection disabled: 27270
===============================================================================
Snort exiting
Thanks!
Matt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
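As an added example (not from the thread, and not Snort's own code), the script below parses the exit-time counters Matt pasted and computes the ratios behind Russ's advice: how much of the queued TCP stream Stream5 discarded, how many Stream5 events were counted per alert actually emitted, and how much TLS traffic the SSL preprocessor could not classify. The thresholds in LIMITS are assumptions for illustration, not Snort defaults.

```python
import re

# Constructed excerpt of the exit-time summary quoted in the thread, keeping
# only the counters the checks below use (values as Matt posted them).
SNORT_STATS = """\
Action Stats:
Alerts: 346 ( 0.000%)
Stream5 statistics:
TCP Segments Queued: 7580674
TCP Discards: 2413732
Events: 113115
SSL Preprocessor:
SSL packets decoded: 15148326
Unrecognized records: 6209117
"""

SECTION_RE = re.compile(r"^(.+):$")            # e.g. "Stream5 statistics:"
COUNTER_RE = re.compile(r"^([^:]+):\s+(\d+)")  # e.g. "TCP Discards: 2413732"

def parse_stats(text):
    """Return {section: {counter: int}} from a Snort summary block."""
    stats, section = {}, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if SECTION_RE.match(line):
            section = stats.setdefault(line[:-1].strip(), {})
        elif (m := COUNTER_RE.match(line)):
            section[m.group(1).strip()] = int(m.group(2))
    return stats

def review(stats):
    """Ratios worth checking before trusting a low alert count."""
    s5, ssl = stats["Stream5 statistics"], stats["SSL Preprocessor"]
    return {
        # share of reassembly-queued TCP segments that Stream5 discarded
        "tcp_discard_ratio": s5["TCP Discards"] / s5["TCP Segments Queued"],
        # Stream5 events counted per alert emitted (max() avoids /0 if none fired)
        "stream_events_per_alert": s5["Events"] / max(stats["Action Stats"]["Alerts"], 1),
        # TLS records the SSL preprocessor could not classify
        "ssl_unrecognized_ratio": ssl["Unrecognized records"] / ssl["SSL packets decoded"],
    }

# Assumed, tunable thresholds for this illustration; they are not Snort defaults.
LIMITS = {"tcp_discard_ratio": 0.10, "stream_events_per_alert": 1.0, "ssl_unrecognized_ratio": 0.25}

def flags(findings, limits=LIMITS):
    """Names of the ratios above their threshold, sorted for stable output."""
    return sorted(k for k, lim in limits.items() if findings[k] > lim)
```

On the numbers in this thread all three ratios trip their thresholds: roughly 32% of queued segments were discarded, over 300 Stream5 events were counted for every alert emitted, and about 41% of TLS records went unrecognized.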