Snort mailing list archives
Re: why UDP disc acquire?
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Sat, 25 Jun 2016 13:36:54 +0000
See below. This is with the conf and pcap attached. It alerts as expected and UDP traffic isn’t discarded.
cliffjumper$ ./bin/snort -c etc/ISAKMP-ISSUE.conf -r etc/ISAKMP-ISSUE-2.pcap -Acmg -H -U -k none -q
06/21-12:36:53.127741 [**] [1:1000001:1] DOS Nbisakmp [**] [Priority: 0] {UDP} 10.0.0.1:500 -> 10.0.0.2:500
06/21-12:36:53.127741 C2:00:57:75:00:00 -> C2:01:57:75:00:00 type:0x800 len:0xBE
10.0.0.1:500 -> 10.0.0.2:500 UDP TTL:255 TOS:0xC0 ID:101 IpLen:20 DgmLen:176
Len: 148
CF 02 32 6F 14 A9 5B 93 00 00 00 00 00 00 00 00 ..2o..[.........
01 10 02 00 00 00 00 00 00 00 00 94 0D 00 00 3C ...............<
00 00 00 01 00 00 00 01 00 00 00 30 01 01 00 01 ...........0....
00 00 00 28 01 01 00 00 80 01 00 07 80 0E 00 80 ...(............
80 02 00 02 80 04 00 01 80 03 00 01 80 0B 00 01 ................
00 0C 00 04 00 01 51 80 0D 00 00 14 43 9B 59 F8 ......Q.....C.Y.
BA 67 6C 4C 77 37 AE 22 EA B8 F5 82 0D 00 00 14 .glLw7."........
7D 94 19 A6 53 10 CA 6F 2C 17 9D 92 15 52 9D 56 }...S..o,....R.V
00 00 00 14 90 CB 80 91 3E BB 69 6E 08 63 81 B5 ........>.in.c..
EC 42 7B 1F .B{.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
cliffjumper$ cat etc/ISAKMP-ISSUE.conf | grep sid:1
alert udp any 500 -> any 500 (msg:"DOS Nbisakmp"; sid:1000001; rev:1;)
cliffjumper$ ./bin/snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.9.8.2 GRE (Build 335)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.5.3 - Apple version 54
Using PCRE version: 8.38 2015-11-23
Using ZLIB version: 1.2.5
Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com
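The thread turns on two decoder-level checks that a UDP datagram has to pass before a `udp` rule can ever match it: the UDP length field must agree with the bytes actually present, and the UDP checksum (computed over the IPv4 pseudo-header) must verify unless checksum checking is switched off, which is what the `-k none` used in both runs above does. The following is an added, standard-library-only illustration of those checks, constructed for this archive page; it is not Snort's decoder code, and the packet builder, addresses and payload are made up for the example.

```python
"""Decoder-style UDP sanity checks: length consistency and the RFC 768
checksum over the IPv4 pseudo-header. Constructed example, not Snort code."""
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4/UDP checksums."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> int:
    """Checksum over pseudo-header + UDP header (checksum zeroed) + payload."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp_segment))
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = 0xFFFF & ~ones_complement_sum(pseudo + zeroed)
    return csum or 0xFFFF  # RFC 768: a computed zero is sent as all ones


def check_udp(packet: bytes) -> dict:
    """Parse an IPv4/UDP packet (no Ethernet header) and report the checks."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    src_ip, dst_ip = packet[12:16], packet[16:20]
    if proto != 17:
        return {"ok": False, "reason": "not UDP"}
    udp = packet[ihl:total_len]
    if len(udp) < 8:
        return {"ok": False, "reason": "truncated UDP header"}
    sport, dport, ulen, csum = struct.unpack("!HHHH", udp[:8])
    # A UDP length that disagrees with the IP total length is malformed.
    if ulen != len(udp):
        return {"ok": False, "reason": f"udp length {ulen} != {len(udp)} bytes present"}
    if csum == 0:
        return {"ok": True, "reason": "checksum not set (0)"}
    expected = udp_checksum(src_ip, dst_ip, udp)
    if expected != csum:
        return {"ok": False, "reason": f"bad checksum 0x{csum:04x}, expected 0x{expected:04x}"}
    return {"ok": True, "reason": "checksum ok", "sport": sport, "dport": dport}


def build_packet(src_ip, dst_ip, sport, dport, payload, bad_checksum=False, short_len=False):
    """Constructed IPv4/UDP packet builder (IP header checksum left zero)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ulen = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, ulen - 4 if short_len else ulen, 0) + payload
    csum = udp_checksum(src, dst, udp)
    if bad_checksum:
        csum ^= 0x1234  # corrupt the checksum on purpose
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x101, 0, 255, 17, 0, src, dst)
    return ip + udp


if __name__ == "__main__":
    # Constructed samples: ISAKMP-style port 500 -> 500 with a dummy payload.
    args = ("10.0.0.1", "10.0.0.2", 500, 500, b"\x00" * 16)
    for label, kw in (("good", {}), ("bad-csum", {"bad_checksum": True}),
                      ("short-len", {"short_len": True})):
        print(label, check_udp(build_packet(*args, **kw)))
```

A datagram that fails the length check is discarded regardless of the checksum mode, while one that fails only the checksum is the case `-k none` lets through to rule matching.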
From: allewi <allewi () cisco com>
Date: Saturday, June 25, 2016 at 9:22 AM
To: Andrei_1980 <andrei_1980 () mail ru>, 'snort-users' <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] why UDP disc acquire?
You may need to adjust your wireshark settings. Wireshark lists them as “malformed ISAKMP” packets.
From: Andrei_1980 <andrei_1980 () mail ru>
Date: Saturday, June 25, 2016 at 5:01 AM
To: allewi <allewi () cisco com>, 'snort-users' <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] why UDP disc acquire?
Why do you think that the UDP packets are malformed? Tools like wireshark, tcpdump and tcpreplay handle them correctly. These packets
have only a wrong checksum, but I disabled checksum control in Snort by using the option "-k none".
24.06.2016 19:05, Al Lewis (allewi) wrote:
It looks like snort is discarding them because they are all malformed.
From: Andrei_1980 <andrei_1980 () mail ru>
Date: Friday, June 24, 2016 at 11:28 AM
To: allewi <allewi () cisco com>, 'snort-users' <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] why UDP disc acquire?
Hmm, strange. I attached the pcap to the first message. OK, reattaching it to this message.
On 24.06.2016 18:22, Al Lewis (allewi) wrote:
Hello,
Can you provide us with the pcap or a sample of it?
From: Andrei_1980 <andrei_1980 () mail ru>
Date: Friday, June 24, 2016 at 11:06 AM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [Snort-users] why UDP disc acquire?
Hi all. I use snort 2.9.8.2. I have a pcap file for an old attack (see attachment). It contains only UDP packets.
I wrote test rule:
alert udp any 500 -> any 500 (msg:"DOS Nbisakmp"; classtype: attempted-dos; sid:1000001; rev:1;)
and run snort:
snort -c ./etc/snort.conf -A console -K none -k none -r ./pcaps/DOS_Nbisakmp.pcap
and get no alerts. In the output stats I have:
...........
Packet I/O Totals:
Received: 100
Analyzed: 100 (100.000%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)
Injected: 0
.....................
Breakdown by protocol (includes rebuilt packets):
Eth: 100 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 100 (100.000%)
Frag: 0 ( 0.000%)
ICMP: 0 ( 0.000%)
UDP: 100 (100.000%)
...................
UDP Disc: 100 (100.000%)
ICMP Disc: 0 ( 0.000%)
All Discard: 100 (100.000%)
(see the attachment for the full output and snort.conf)
If I change the rule (udp to ip):
alert ip any 500 -> any 500 (msg:"DOS Nbisakmp"; classtype: attempted-dos; sid:1000001; rev:1;)
all packets generate alerts.
So, why are the UDP packets in the sample pcap discarded if I use the udp protocol in the alert?
Attachment:
ISAKMP-ISSUE.conf
Description: ISAKMP-ISSUE.conf
Attachment:
ISAKMP-ISSUE-2.pcap
Description: ISAKMP-ISSUE-2.pcap
