Snort mailing list archives
Snort only partially alerting
From: Frank Calone <fc10011001 () gmail com>
Date: Fri, 21 Jun 2013 11:01:06 -0400
1) In my continuing efforts to figure out why Snort misses nearly all of
the exe downloads, I performed a TCPDUMP on the same interface to ensure the
traffic I am expecting Snort to alert on is actually there. Here is the
latest. I had TCPDUMP already installed on our CentOS system, so I
enabled packet capture with the following command:
tcpdump -i p1p1 -N -w tcpdump.jun20.v3.pcap src 15.8.5.18 or dst 15.8.5.18
2) I started snort as follows:
/usr/sbin/snort -A fast -d -i p1p1 -u snort -g snort -c
/etc/snort/snort1.conf -l /var/log/snort2 -G 1
3) I then downloaded putty.exe from www.chiark.greenend.org.uk.
4) I then aborted both TCPDUMP and SNORT. I checked the alert file in
/var/log/snort2 to see if an alert showed up. No hits.
5) I ran the tcpdump.jun20.v3.pcap file through snort as follows:
snort -dvr tcpdump.jun20.v3.pcap > testtcpd.jun20.v3
6) I reviewed the file (testtcpd.jun20.v3) and found this entry showing
the network tap indeed is working fine as the Snort "content" string search
value (This program cannot be run in DOS mode) is plainly visible:
06/20-13:47:35.769947 46.43.34.31:80 -> 15.8.5.18:56416 TCP TTL:50 TOS:0x0
ID:61603 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x3940EBD2 Ack: 0x51CD46B3 Win: 0x42 TcpLen: 20
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D HTTP/1.1 200 OK.
0A 44 61 74 65 3A 20 54 68 75 2C 20 32 30 20 4A .Date: Thu, 20 J
75 6E 20 32 30 31 33 20 31 37 3A 34 37 3A 33 35 un 2013 17:47:35
20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70 GMT..Server: Ap
61 63 68 65 0D 0A 4C 61 73 74 2D 4D 6F 64 69 66 ache..Last-Modif
69 65 64 3A 20 53 61 74 2C 20 31 30 20 44 65 63 ied: Sat, 10 Dec
20 32 30 31 31 20 31 33 3A 33 38 3A 33 37 20 47 2011 13:38:37 G
4D 54 0D 0A 45 54 61 67 3A 20 22 31 36 34 30 34 MT..ETag: "16404
30 37 2D 37 36 30 30 30 2D 34 62 33 62 64 30 34 07-76000-4b3bd04
63 34 33 31 34 30 22 0D 0A 41 63 63 65 70 74 2D c43140"..Accept-
52 61 6E 67 65 73 3A 20 62 79 74 65 73 0D 0A 43 Ranges: bytes..C
6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 34 ontent-Length: 4
38 33 33 32 38 0D 0A 4B 65 65 70 2D 41 6C 69 76 83328..Keep-Aliv
65 3A 20 74 69 6D 65 6F 75 74 3D 31 35 2C 20 6D e: timeout=15, m
61 78 3D 39 39 0D 0A 43 6F 6E 6E 65 63 74 69 6F ax=99..Connectio
6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 n: Keep-Alive..C
6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 ontent-Type: app
6C 69 63 61 74 69 6F 6E 2F 78 2D 6D 73 64 6F 73 lication/x-msdos
2D 70 72 6F 67 72 61 6D 0D 0A 0D 0A 4D 5A 90 00 -program....MZ..
03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 ................
00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 ....@...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 01 00 00 0E 1F BA 0E ................
00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 ....!..L.!This p
72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 rogram cannot be
20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 run in DOS mode
2E 0D 0D 0A 24 00 00 00 00 00 00 00 6D 1F 98 6B ....$.......m..k
29 7E F6 38 29 7E F6 38 29 7E F6 38 3A 76 9F 38 )~.8)~.8)~.8:v.8
2B 7E F6 38 2C 72 96 38 2B 7E F6 38 2C 72 F9 38 +~.8,r.8+~.8,r.8
32 7E F6 38 3A 76 AB 38 2B 7E F6 38 D3 5D EF 38 2~.8:v.8+~.8.].8
2D 7E F6 38 AA 76 AB 38 38 7E F6 38 29 7E F7 38 -~.8.v.88~.8)~.8
04 7F F6 38 2C 72 A9 38 95 7E F6 38 C5 75 A8 38 ...8,r.8.~.8.u.8
28 7E F6 38 2C 72 AC 38 28 7E F6 38 52 69 63 68 (~.8,r.8(~.8Rich
29 7E F6 38 00 00 00 00 00 00 00 00 00 00 00 00 )~.8............
7) Here is the output when I aborted the Snort process (run in foreground):
Packet I/O Totals:
Received: 1278250
Analyzed: 1278244 (100.000%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 6 ( 0.000%)
Injected: 0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: 1281819 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 1281734 ( 99.993%)
Frag: 58 ( 0.005%)
ICMP: 901 ( 0.070%)
UDP: 35748 ( 2.789%)
TCP: 922437 ( 71.963%)
IP6: 32 ( 0.002%)
IP6 Ext: 32 ( 0.002%)
IP6 Opts: 0 ( 0.000%)
Frag6: 0 ( 0.000%)
ICMP6: 32 ( 0.002%)
UDP6: 0 ( 0.000%)
TCP6: 0 ( 0.000%)
Teredo: 8 ( 0.001%)
ICMP-IP: 0 ( 0.000%)
IP4/IP4: 0 ( 0.000%)
IP4/IP6: 24 ( 0.002%)
IP6/IP4: 0 ( 0.000%)
IP6/IP6: 0 ( 0.000%)
GRE: 0 ( 0.000%)
GRE Eth: 0 ( 0.000%)
GRE VLAN: 0 ( 0.000%)
GRE IP4: 0 ( 0.000%)
GRE IP6: 0 ( 0.000%)
GRE IP6 Ext: 0 ( 0.000%)
GRE PPTP: 0 ( 0.000%)
GRE ARP: 0 ( 0.000%)
GRE IPX: 0 ( 0.000%)
GRE Loop: 0 ( 0.000%)
MPLS: 0 ( 0.000%)
ARP: 18 ( 0.001%)
IPX: 0 ( 0.000%)
Eth Loop: 0 ( 0.000%)
Eth Disc: 0 ( 0.000%)
IP4 Disc: 322566 ( 25.165%)
IP6 Disc: 0 ( 0.000%)
TCP Disc: 0 ( 0.000%)
UDP Disc: 0 ( 0.000%)
ICMP Disc: 0 ( 0.000%)
All Discard: 322566 ( 25.165%)
Other: 67 ( 0.005%)
Bad Chk Sum: 326 ( 0.025%)
Bad TTL: 0 ( 0.000%)
S5 G 1: 2314 ( 0.181%)
S5 G 2: 1261 ( 0.098%)
Total: 1281819
===============================================================================
Action Stats:
Alerts: 0 ( 0.000%)
Logged: 0 ( 0.000%)
Passed: 0 ( 0.000%)
Limits:
Match: 0
Queue: 0
Log: 0
Event: 0
Alert: 0
Verdicts:
Allow: 1189531 ( 93.059%)
Block: 0 ( 0.000%)
Replace: 0 ( 0.000%)
Whitelist: 88713 ( 6.940%)
Blacklist: 0 ( 0.000%)
Ignore: 0 ( 0.000%)
===============================================================================
Frag3 statistics:
Total Fragments: 58
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
Drops: 0
FragTrackers Added: 58
FragTrackers Dumped: 58
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 58
Frag Nodes Deleted: 58
===============================================================================
Stream5 statistics:
Total sessions: 24790
TCP sessions: 19331
UDP sessions: 5459
ICMP sessions: 0
IP sessions: 0
TCP Prunes: 0
UDP Prunes: 0
ICMP Prunes: 0
IP Prunes: 0
TCP StreamTrackers Created: 19522
TCP StreamTrackers Deleted: 19522
TCP Timeouts: 0
TCP Overlaps: 39
TCP Segments Queued: 115887
TCP Segments Released: 115887
TCP Rebuilt Packets: 39102
TCP Segments Used: 95388
TCP Discards: 262728
TCP Gaps: 6707
UDP Sessions Created: 5459
UDP Sessions Deleted: 5459
UDP Timeouts: 0
UDP Discards: 0
Events: 133590
Internal Events: 0
TCP Port Filter
Dropped: 0
Inspected: 0
Tracked: 918536
UDP Port Filter
Dropped: 0
Inspected: 24930
Tracked: 5459
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 172
GET methods: 12647
HTTP Request Headers extracted: 12858
HTTP Request Cookies extracted: 6798
Post parameters extracted: 171
HTTP response Headers extracted: 9755
HTTP Response Cookies extracted: 1380
Unicode: 247
Double unicode: 0
Non-ASCII representable: 15
Directory traversals: 0
Extra slashes ("//"): 2237
Self-referencing paths ("./"): 0
HTTP Response Gzip packets extracted: 1457
Gzip Compressed Data Processed: 3087532.00
Gzip Decompressed Data Processed: 9451498.00
Total packets processed: 377200
===============================================================================
SMTP Preprocessor Statistics
Total sessions : 28
Max concurrent sessions : 3
Base64 attachments decoded : 2
Total Base64 decoded bytes : 1676
Quoted-Printable attachments decoded : 3
Total Quoted decoded bytes : 1133
UU attachments decoded : 0
Total UU decoded bytes : 0
Non-Encoded MIME attachments extracted : 10
Total Non-Encoded MIME bytes extracted : 2066
===============================================================================
dcerpc2 Preprocessor Statistics
Total sessions: 300
Total sessions autodetected: 124
Total sessions aborted: 164
Transports
SMB
Total sessions: 117
Packet stats
Packets: 218
Ignored bytes: 2635
Not NBSS Session Message: 2
Not IPC packets (after tree connect): 1
Maximum outstanding requests: 1
SMB command requests/responses processed
Negotiate (0x72) : 85/37
Session Setup AndX (0x73) : 2/2
Tree Connect AndX (0x75) : 1/1
TCP
Total sessions: 183
Packet stats
Packets: 2538
DCE/RPC
Connection oriented
Packet stats
PDUs: 2538
Bind: 136
Bind Ack: 136
Alter context: 68
Alter context response: 68
Request: 1057
Response: 992
Auth3: 80
Orphaned: 1
Request fragments: 1
Min fragment size: 0
Max fragment size: 0
Frag reassembled: 0
Response fragments: 0
Client PDU segmented reassembled: 0
Server PDU segmented reassembled: 0
===============================================================================
SSL Preprocessor:
SSL packets decoded: 15811
Client Hello: 2833
Server Hello: 1528
Certificate: 393
Server Done: 5354
Client Key Exchange: 1601
Server Key Exchange: 117
Change Cipher: 5428
Finished: 0
Client Application: 3061
Server Application: 1645
Alert: 622
Unrecognized records: 4780
Completed handshakes: 0
Bad handshakes: 0
Sessions ignored: 1642
Detection disabled: 301
===============================================================================
SIP Preprocessor Statistics
Total sessions: 163
SIP anomalies : 11
Requests: 0
invite: 0
cancel: 0
ack: 0
bye: 0
register: 0
options: 0
refer: 0
subscribe: 0
update: 0
join: 0
info: 0
message: 0
notify: 0
prack: 0
Responses: 0
1xx: 0
2xx: 0
3xx: 0
4xx: 0
5xx: 0
6xx: 0
7xx: 0
8xx: 0
9xx: 0
Ignore sessions: 0
Ignore channels: 0
===============================================================================
Reputation Preprocessor Statistics
Total Memory Allocated: 0
===============================================================================
Snort exiting
8) Here is the rule that should have detected this. I am only running 2
rules at this time.
alert tcp ![128.131.0.0/16] !20 -> $HOME_NET any (msg:"exe downloaded";
content:"This program cannot be run in DOS mode"; sid:1999998; rev:5;)
9) I tried running snort in the full packet logger mode (/usr/sbin/snort
-dev -i p1p1 -l /var/log/snort -h x.x.x.x/16). I immediately started
getting the following warning messages:
(snort_decoder) WARNING: IP dgm len > captured len
I then ran the binary capture through the snort playback (-dvr option).
Looking at the packets tied to my PC, I can see that almost all of them
have a datagram length of 40. Very few packets showed up with a real
payload, certainly not enough to amount to the size of the file I
downloaded during the testing. I'm not sure if there is a config setting
or something else going wrong here such that very few packets have any real
data. Here is a sample of what I am seeing (the last two are in order they
appeared in the dump file):
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/18-16:20:19.229724 15.8.5.18:62287 -> 212.13.197.229:80
TCP TTL:127 TOS:0x0 ID:7467 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3279955A Ack: 0xEF27E0F7 Win: 0x4029 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/18-16:20:25.306989 212.13.197.229:80 -> 15.8.5.18:62287
TCP TTL:44 TOS:0x0 ID:43106 IpLen:20 DgmLen:40 DF
***A***F Seq: 0xEF27E0F7 Ack: 0x3279955B Win: 0x5C TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/18-16:20:27.305825 212.13.197.229:80 -> 15.8.5.18:62285
TCP TTL:44 TOS:0x0 ID:3711 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x53804DD1 Ack: 0x77F4A813 Win: 0x5C TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/18-16:20:27.306281 15.8.5.18:62285 -> 212.13.197.229:80
TCP TTL:127 TOS:0x0 ID:9849 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x77F4A813 Ack: 0x53804DD2 Win: 0x4029 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/18-16:20:34.312205 212.13.197.229:80 -> 15.8.5.18:62286
TCP TTL:44 TOS:0x0 ID:50990 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x3FC527C5 Ack: 0xCF59BF2B Win: 0x83 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
I'm looking for suggestions on what is broken or what to try next to get
this resolved. Our server is CentOS
(2.6.32-358.6.2.el6.x86_64) with 4 GB memory. I set the stream5 memcap to
1 GB (1073741824), maxtcp 393216 in the config file. Perfmon shows 90% CPU
avail and max memory used at any point of 250 MB. Snort Build shows the
following:
,,_ -*> Snort! <*-
o" )~ Version 2.9.4.5 GRE (Build 71)
'''' By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.0.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3
Frank
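The checks Frank runs by hand above (is the content string really on the wire, why are so many packets DgmLen:40, what does "IP dgm len > captured len" mean) can be scripted against the pcap before blaming the rule. The following is an added example, not code from the post or from the Snort project: a pure-standard-library pcap reader that counts frames whose captured length is shorter than their on-wire length (the truncation Snort warns about), header-only TCP packets, and whether the rule's content string is found per packet versus only after concatenating each TCP flow's payload. The capture it analyses is constructed in memory (addresses and ports borrowed from the dump above, checksums left zero) and includes one case the dump cannot show: a stub string split across two segments, which a per-packet search misses and only stream reassembly finds.

```python
"""Sanity-check a pcap before blaming Snort: is the capture truncated (snaplen
too small), how many packets are header-only ACKs, and does the rule's content
string appear per packet versus only once the TCP flow is reassembled?
Pure standard library; the sample pcap is constructed in memory."""
import struct
from collections import Counter, defaultdict

# Content string from the rule in the post (sid 1999998).
RULE_CONTENT = b"This program cannot be run in DOS mode"
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def ipv4_tcp_frame(payload, src, dst, sport, dport, flags=0x10):
    """Minimal Ethernet/IPv4/TCP frame for constructed test data (checksums zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 1024, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames, snaplen):
    """Classic little-endian pcap; like tcpdump -s, bytes past snaplen are cut off."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        incl = min(len(frame), snaplen)
        out.append(struct.pack("<IIII", 1371750000 + i, 0, incl, len(frame)))
        out.append(frame[:incl])
    return b"".join(out)


def iter_pcap(data):
    """Yield (captured_len, on_wire_len, frame_bytes) for every record."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl, orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield incl, orig, data[off:off + incl]
        off += incl


def analyze(pcap_bytes):
    stats = Counter()
    streams = defaultdict(bytes)  # (src, dst, sport, dport) -> concatenated payload
    for incl, orig, frame in iter_pcap(pcap_bytes):
        stats["packets"] += 1
        if incl < orig:
            stats["truncated"] += 1  # what Snort reports as "IP dgm len > captured len"
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        dgm_len = struct.unpack_from("!H", frame, 16)[0]
        tcp_off = 14 + ihl
        if len(frame) < tcp_off + 20:
            continue
        data_off = (frame[tcp_off + 12] >> 4) * 4
        if dgm_len == ihl + data_off:
            stats["header_only"] += 1  # the DgmLen:40 pure ACK/FIN packets
        payload = frame[tcp_off + data_off:]
        if RULE_CONTENT in payload:
            stats["packet_hits"] += 1  # visible to a per-packet content search
        key = (frame[26:30], frame[30:34], frame[tcp_off:tcp_off + 2],
               frame[tcp_off + 2:tcp_off + 4])
        streams[key] += payload  # naive in-order reassembly of one direction
    stats["stream_hits"] = sum(1 for p in streams.values() if RULE_CONTENT in p)
    return stats


def sample_pcap():
    """Constructed capture: a pure ACK, a response carrying the DOS stub in one
    segment, an oversized frame cut by a 1518-byte snaplen, and a response whose
    stub string is split across two segments."""
    srv, cli = "46.43.34.31", "15.8.5.18"
    stub = b"MZ\x90\x00" + bytes(60) + RULE_CONTENT + b".\r\r\n$"
    frames = [
        ipv4_tcp_frame(b"", cli, srv, 56416, 80),
        ipv4_tcp_frame(b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdos-program\r\n\r\n"
                       + stub, srv, cli, 80, 56416),
        ipv4_tcp_frame(bytes(1500), srv, cli, 80, 56416),
        ipv4_tcp_frame(b"HTTP/1.1 200 OK\r\n\r\nMZ" + bytes(62) + b"This program cannot",
                       srv, cli, 80, 56417),
        ipv4_tcp_frame(b" be run in DOS mode.\r\r\n$", srv, cli, 80, 56417),
    ]
    return build_pcap(frames, snaplen=1518)


if __name__ == "__main__":
    for name, value in sorted(analyze(sample_pcap()).items()):
        print(f"{name:12} {value}")
```

On the constructed capture this reports 5 packets, 1 truncated, 1 header-only, 1 per-packet hit and 2 stream hits. To run it against a real file, replace `sample_pcap()` with the bytes of the pcap (`open(path, "rb").read()`); a high `truncated` count means the capture snaplen is smaller than the frames on the wire, and a gap between `packet_hits` and `stream_hits` means the rule can only fire once the stream preprocessor has reassembled the flow.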
