Nick de Bruijn | 30 Mar 12:25 2015

Features of Snort

Hello Snort-Users,

For my paper I'm looking for a complete overview of the Snort features.
So I was wondering if there is (or if someone has) a complete overview of the features of Snort.
This list would very much help me with my paper.

Please let me know.

Kind regards,
Nick
------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Sharif Uddin | 30 Mar 12:08 2015

snort and dhcp new devices on network

Hello

Is it possible to set up Snort to monitor new devices on the network using DHCP logs etc., and to disable unknown devices?

Currently I am doing monitoring using a Nagios plugin, which only alerts us. If I can get Snort to alert and disable, that would be great.

If it is possible, can anyone shed some light on how to do this please?

Sharif


mohamed elqaissy | 30 Mar 11:55 2015

Snort output problem ??

Hi all ;

I want to use Snort to do some experiments on intrusion detection. I am really new to Snort, so I'm teaching myself through tutorials on YouTube and web pages.

I want to make Snort detect attacks in the dataset 'outside.tcpdump' and write the detection results to a CSV file. Right now it does the detection but can't write to the CSV file, using this command line:

c:\Snort\bin>snort -r c:\outside.tcpdump -c c:\snort\etc\snort.conf -T output alert_csv: alert.csv timestamp, msg

and I get this error :

ERROR: Can't set DAQ BPF filter to 'output alert_csv: alert.csv timestamp, msg'(³>P)!
Fatal Error, Quitting..
Could not create the registry key.

Any help please!


Dani Av | 29 Mar 09:59 2015

Fwd: snort database problem



Hi guys,

I have a working Snort machine (snapshot) which receives ET rules and writes to the database.
But once I restart my machine, no rule writes to the database at all, not even a new daily event table.

What can cause the problem after a restart, and what would be a suggested solution?

Thanks!
Robert Lasota | 27 Mar 20:18 2015

Re: Re: Re: Re: Re: RE: React option doesn't work

On Friday, 27 March 2015 20:02 Victor Roemer <viroemer <at> cisco.com> wrote:
> Robert,
>  
> Can you review your daq options please; looking at the README from the
> daq tar.gz, it looks like you need to add:
>  
> --daq-var device=<dev>
>  
> Here is the snippet that I am referring to
>  
> -------- 8< -------
> NFQ Module
> ==========
>  
> NFQ is the new and improved way to process iptables packets:
>  
>      ./snort --daq nfq \
>          [--daq-var device=<dev>] \
>          [--daq-var proto=<proto>] \
>          [--daq-var queue=<qid>]
>  
>      <dev> ::= ip | eth0, etc; default is IP injection
>      <proto> ::= ip4 | ip6 |; default is ip4
>      <qid> ::= 0..65535; default is 0
>  
> This module can not run unprivileged so ./snort -u -g will produce a warning
> and won't change user or group.
>  
> ----- 8< -----

Well,
1. This Snort is working on a router in inline mode, so that means it gets packets from:
$iptables -I FORWARD -p tcp --dport 80 -j QUEUE
so it doesn't need any interface set.

Behind this router is the computer on which I'm testing.

2. Besides, the same is written here (NFQ section):
http://www.academia.edu/7084691/IPS_Packet_Acquisition_PCAP_AFPACKET_NFQ_NFQ_IPS_Action_replace


Robert Lasota | 27 Mar 19:49 2015

Re: Re: Re: RE: React option doesn't work

On Friday, 27 March 2015 16:11 Carter Waxman (cwaxman) <cwaxman <at> cisco.com> wrote:
> Do you have those angle brackets in the config line? It should be
>  
> config react: /opt/etc/snort/block.html
>  
> Those options would be part of the rule, following the react keyword, but
> simply specifying react and including the "config react" line in
> snort.conf should be sufficient to show block.html.
>  

I have "config react: /opt/etc/snort/block.html" in snort.conf

The rule is (from the manual), and this is the only rule I have now in Snort:
drop tcp any any -> any $HTTP_PORTS ( content: "d"; msg:"Unauthorized Access Prohibited!"; react: msg; sid:4;)

block.html is:
<html>
<head>
<title>INFO</title>
</head>
<body>
<p>Access denied</p>
</body>
</html>

and nothing :(. I mean it's blocking; in the log there is:
Mar 27 18:46:07 ip-10-192-2-120 snort[4956]: [1:4:0] Unauthorized Access Prohibited! {TCP}
10.192.1.91:54562 -> 212.77.98.9:80

but still no info page in the web browser, just "the connection was reset".

>  
> On 3/27/15, 10:33 AM, "Robert Lasota" <wrkilu <at> wp.pl> wrote:
>  
> >On Friday, 27 March 2015 14:24 Al Lewis (allewi) <allewi <at> cisco.com>
> >wrote:
> >> That looks to be an Emerging Threat rule so you probably would want to
> >>contact them about that. There isn't a "content-list" rule option. The
> >>rule options are listed here: http://manual.snort.org/node32.html
> >> 
> >> As for the block page are you listing the page with the "config react:
> >><block.html>" in your config file? The steps are listed here
> >>http://manual.snort.org/node26.html under the "react" section.
> >> 
> >> Note that the block|warn options under react are deprecated so you may
> >>want to try removing the 'block' from the react option.
> >> 
> >> 
> >> This is taken from the manual:
> >> 
> >> This is an example rule:
> >> 
> >> 
> >>     drop tcp any any -> any $HTTP_PORTS ( \
> >>         content: "d"; msg:"Unauthorized Access Prohibited!"; \
> >>         react: <react_opts>; sid:4;)
> >> 
> >>     <react_opts> ::= [msg] [, <dep_opts>]
> >> 
> >> 
> >> These options are deprecated:
> >> 
> >> 
> >>     <dep_opts> ::= [block|warn], [proxy <port#>]
> >> 
> >> 
> >> 
> >> Hope this helps.
> >> 
> >
> >
> >Well, this sample isn't clear to me.
> >In the rule I now have:
> >... rev:2; react: <react_opts>;  )
> >
> >In snort.conf I've set:
> >config react: </opt/etc/snort/block.html>
> >
> >and during startup there is an error:
> >
> >snort[23748]: FATAL ERROR: react:
> >/opt/etc/snort/rules_tmp/emerging-current_events.rules(5347) can't stat
> >react page file '</opt/etc/snort/block.html>'.
> >
> >Also I don't know where exactly to set:
> ><react_opts> ::= [msg]
> >in snort.conf? In the rule?
> >
> >I regret there aren't any samples or tutorials about the above on the internet. Am I the only one
> >using an information page about blocking in IPS? ;)


Robert Lasota | 27 Mar 15:33 2015

Re: RE: React option doesn't work

On Friday, 27 March 2015 14:24 Al Lewis (allewi) <allewi <at> cisco.com> wrote:
> That looks to be an Emerging Threat rule so you probably would want to contact them about that. There isn't a
> "content-list" rule option. The rule options are listed here: http://manual.snort.org/node32.html
>  
> As for the block page are you listing the page with the "config react: <block.html>" in your config file?
> The steps are listed here http://manual.snort.org/node26.html under the "react" section.
>  
> Note that the block|warn options under react are deprecated so you may want to try removing the 'block'
> from the react option.
>  
>  
> This is taken from the manual:
>  
> This is an example rule:
>  
>  
>     drop tcp any any -> any $HTTP_PORTS ( \
>         content: "d"; msg:"Unauthorized Access Prohibited!"; \
>         react: <react_opts>; sid:4;)
>  
>     <react_opts> ::= [msg] [, <dep_opts>]
>  
>  
> These options are deprecated:
>  
>  
>     <dep_opts> ::= [block|warn], [proxy <port#>]
>  
>  
>  
> Hope this helps.
>  

Well, this sample isn't clear to me.
In the rule I now have:
... rev:2; react: <react_opts>;  )

In snort.conf I've set:
config react: </opt/etc/snort/block.html>

and during startup there is an error:

snort[23748]: FATAL ERROR: react: /opt/etc/snort/rules_tmp/emerging-current_events.rules(5347)
can't stat react page file '</opt/etc/snort/block.html>'.

Also I don't know where exactly to set:
<react_opts> ::= [msg]
in snort.conf? In the rule?

I regret there aren't any samples or tutorials about the above on the internet. Am I the only one using an information page about
blocking in IPS? ;)


Omar Osta | 27 Mar 13:54 2015

Portsweep and ICMP Sweep Alerts

Hi,
 
I have been testing and tuning Snort before putting it into production. Two days ago I put my workstation on the switch for testing and fine tuning. Yesterday morning I noticed TCP Portsweep event logs coming from my workstation to the internet. I downloaded the payload and opened it in Notepad, and it looks like Open Port: 80 or Open Port: 443. There is no pcap to download. I ran Wireshark to see if it could detect it, but it could not.

My sfportscan preprocessor is setup like this: preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low } scan_type { all  } logfile { /etc/snort/portscan.log }

Yesterday I detected 413 port sweeps and one ICMP sweep. Most sweeps were to external IP addresses, but some were inside my network. That is when I really got concerned.

This morning I had another ICMP sweep from my computer to a server on a different subnet that I had opened a webpage to. The really weird thing about this is that the payload said the scanned range was on the subnet my workstation was on, not the destination IP address of the ICMP sweep alert.

Payload is this:

Priority Count: 5
Connection Count: 13
IP Count: 13
Scanned IP Range: (sanitized)
Port/Proto Count: 0
Port/Proto Range: 0:0

Is my computer compromised, or is there a chance these are false positives? I can't find any software on my computer that isn't supposed to be there. Yes, I have nmap, but I wasn't doing those scans. My antivirus and Malwarebytes say my computer is clean.
Sss kkk | 27 Mar 13:43 2015

(http_inspect) UNKNOWN METHOD for SSL over http proxy

Hello,

I'm new to Snort, running version 2.9.7.2.

For HTTP traffic going through the proxy server I'm receiving a huge number of 'unknown method' (119:31:1) alerts.
It happens for every HTTPS connection going through the proxy server.
There is nothing special in the traffic; simply opening https://github.com in the browser causes a bunch of alerts from Snort.

A dump captured on the proxy server side and viewed in Wireshark seems to be correct:

CONNECT github.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: github.com:443

HTTP/1.0 200 Connection established


The page displays without any errors anyway. The packet following the CONNECT response, the one with the hex payload, is decoded as "Client Hello" (TLSv1.2) in Wireshark.

At the same time Snort generates an alert for every packet after the "Connection established" response.
The first one comes for the same payload visible in the dump:

(snorby output):
http_inspect: UNKNOWN METHOD

Src Port        Dst Port        Seq     Ack     Off     Res     Flags   Win     Csum    URP
47100   8080    3070814240      2482041191      8       0       24      229     56036   0

0000000: 16 03 01 00 dd 01 00 00 d9 03 03 fd 73   83 37 ba a9 7e 76 93 9b 4a e3 7a da ff  ............s.7..~v..J.z..
000001A: 19 0e 68 f4 3d 95 29 de 1b 54 bd e8 c5   6b c5 8e f1 20 bf 74 5f eb b8 33 97 e7  ..h.=.)..T...k.....t_..3..
0000034: f1 ea 2d be 6d 27 37 67 93 b2 0e df b3   b3 f6 ab fd f9 30 ad 97 6f dd 9d 00 18  ..-.m'7g..........0..o....
000004E: c0 2b c0 2f c0 0a c0 09 c0 13 c0 14 00   33 00 32 00 39 00 2f 00 35 00 0a 01 00  .+./.........3.2.9./.5....
0000068: 00 78 00 00 00 0f 00 0d 00 00 0a 67 69   74 68 75 62 2e 63 6f 6d ff 01 00 01 00  .x.........github.com.....
0000082: 00 0a 00 08 00 06 00 17 00 18 00 19 00   0b 00 02 01 00 00 23 00 00 33 74 00 00  ...................#..3t..
000009C: 00 10 00 23 00 21 05 68 32 2d 31 35 05   68 32 2d 31 34 02 68 32 08 73 70 64 79  ...#.!.h2-15.h2-14.h2.spdy
00000B6: 2f 33 2e 31 08 68 74 74 70 2f 31 2e 31   00 05 00 05 01 00 00 00 00 00 0d 00 12  /3.1.http/1.1.............
00000D0: 00 10 04 01 05 01 02 01 04 03 05 03 02   03 04 02 02 02                          ..................

It is reproducible and it always happens for HTTPS going over the HTTP proxy. There are no timeouts or anything like that.
The TCP session from the client to the proxy server has been established just before the CONNECT, so it should be properly tracked.

I was wondering if this is expected behavior for http_inspect in such a proxying scenario? Maybe I misunderstood something.

Related configuration:

(increased memcap for session tracking; however, I haven't seen drops due to this anyway)
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   memcap 67108864, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 2, \
   min_response_seconds 5
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
   overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
    ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 139 143 \
        161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \
        7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
    ports both 36 80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 555 591 593 631 636 801 808 818 901 972 989 992 993 994 995 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7907 7000 7001 7071 7144 7145 7510 7802 7770 7777 7778 7779 \
        7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
        7917 7918 7919 7920 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090 9091 9111 9290 9443 9999 10000 11371 12601 13014 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712


preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 max_gzip_mem 104857600 proxy_alert
preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 500 \
    max_header_length 1500 \
    max_headers 100 \
    max_spaces 200 \
    small_chunk_length { 10 50 } \
    ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7778 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 8800 8888 8899 8983 9000 9060 9080 9090 9091 9111 9290 9443 9999 10000 11371 12601 13014 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 } \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip \
    normalize_utf \
    unlimited_decompress \
    normalize_javascript \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    utf_8 no \
    u_encode yes \
    webroot no


proxy_alert, added as a try, also doesn't raise an alert for HTTPS connections. It works fine and raises alerts (UNAUTHORIZED PROXY USE DETECTED) for HTTP sessions going through the proxy server. For HTTPS ones only 'unknown method' is raised.

Could someone advise how to get that traffic analyzed without false alarms and without needing to suppress the inspection?

Best regards,
stan
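
As an added illustration (not Snort or http_inspect code, and not stan's), the following Python models the CONNECT-then-TLS sequence from the capture above: CLIENT_HELLO is the packet from the Snorby hexdump, and a small per-flow inspector keeps tunnel state so that those bytes are parsed as TLS (SNI, ALPN) instead of being read as an HTTP request line. The ProxyFlow class, run_demo and the classification strings are this example's own assumptions.

```python
"""Why TLS bytes after a proxy CONNECT read as an HTTP request with an unknown
method, and what a tunnel-aware inspector does with them instead. Added
illustration, not Snort code; CLIENT_HELLO is the hexdump from the post."""
import re

CLIENT_HELLO = bytes.fromhex(
    "16 03 01 00 dd 01 00 00 d9 03 03 fd 73 83 37 ba a9 7e 76 93 9b 4a e3 7a da ff "
    "19 0e 68 f4 3d 95 29 de 1b 54 bd e8 c5 6b c5 8e f1 20 bf 74 5f eb b8 33 97 e7 "
    "f1 ea 2d be 6d 27 37 67 93 b2 0e df b3 b3 f6 ab fd f9 30 ad 97 6f dd 9d 00 18 "
    "c0 2b c0 2f c0 0a c0 09 c0 13 c0 14 00 33 00 32 00 39 00 2f 00 35 00 0a 01 00 "
    "00 78 00 00 00 0f 00 0d 00 00 0a 67 69 74 68 75 62 2e 63 6f 6d ff 01 00 01 00 "
    "00 0a 00 08 00 06 00 17 00 18 00 19 00 0b 00 02 01 00 00 23 00 00 33 74 00 00 "
    "00 10 00 23 00 21 05 68 32 2d 31 35 05 68 32 2d 31 34 02 68 32 08 73 70 64 79 "
    "2f 33 2e 31 08 68 74 74 70 2f 31 2e 31 00 05 00 05 01 00 00 00 00 00 0d 00 12 "
    "00 10 04 01 05 01 02 01 04 03 05 03 02 03 04 02 02 02"
)  # 226 bytes: 5-byte record header + 221-byte Handshake record

def stateless_method(data: bytes) -> bytes:
    """Request "method" as seen without tunnel state: everything up to the first 0x20.
    Here that byte is the session_id length at offset 43, so the method is binary."""
    return data.split(b" ", 1)[0]

def parse_client_hello(data: bytes) -> dict:
    """Return SNI (ext 0) and ALPN (ext 16) from a ClientHello, {} if not one."""
    if len(data) < 6 or data[0] != 0x16 or data[1] != 0x03 or data[5] != 0x01:
        return {}
    body = data[5:5 + int.from_bytes(data[3:5], "big")]   # the Handshake record
    try:
        p = 4 + 2 + 32                                    # hs header, version, random
        p += 1 + body[p]                                  # session_id
        p += 2 + int.from_bytes(body[p:p + 2], "big")     # cipher_suites
        p += 1 + body[p]                                  # compression_methods
        end = p + 2 + int.from_bytes(body[p:p + 2], "big")  # end of extensions
    except IndexError:                                    # truncated record
        return {}
    if end > len(body):
        return {}
    info = {"record_len": len(body), "sni": None, "alpn": []}
    p += 2
    while p + 4 <= end:
        etype = int.from_bytes(body[p:p + 2], "big")
        elen = int.from_bytes(body[p + 2:p + 4], "big")
        ext = body[p + 4:p + 4 + elen]
        if etype == 0 and len(ext) >= 5:          # server_name: list_len(2) type(1) len(2) name
            n = int.from_bytes(ext[3:5], "big")
            info["sni"] = ext[5:5 + n].decode("ascii", "replace")
        elif etype == 16 and len(ext) >= 2:       # ALPN: list_len(2) then len-prefixed names
            q = 2
            while q < len(ext):
                n = ext[q]
                info["alpn"].append(ext[q + 1:q + 1 + n].decode("ascii", "replace"))
                q += 1 + n
        p += 4 + elen
    return info

class ProxyFlow:
    """Per-flow state for a proxy port: after CONNECT is answered 2xx, client bytes
    are an opaque tunnel (TLS here), not a new HTTP request to method-check."""
    def __init__(self):
        self.connect_pending = self.tunnelled = False

    def client_data(self, data: bytes) -> str:
        if self.tunnelled:
            hello = parse_client_hello(data)
            return f"tls:ClientHello sni={hello['sni']}" if hello else "tunnel:opaque"
        req = data.split(b"\r\n", 1)[0].split(b" ")
        method = req[0].decode("ascii", "replace")
        if len(req) == 3 and req[2].startswith(b"HTTP/") and method.isalpha():
            self.connect_pending = method == "CONNECT"
            return f"http:{method}"
        return "http:UNKNOWN METHOD"           # the 119:31 alert from the post

    def proxy_data(self, data: bytes) -> str:
        if self.tunnelled:
            return "tunnel:opaque"
        m = re.match(rb"HTTP/1\.[01] (\d)\d\d ", data)
        if m and self.connect_pending:
            self.connect_pending = False
            self.tunnelled = m.group(1) == b"2"
            return "http:tunnel-established" if self.tunnelled else "http:connect-refused"
        return "http:response"

def run_demo() -> list:
    """Constructed exchange mirroring the post, with and without CONNECT context."""
    connect = b"CONNECT github.com:443 HTTP/1.1\r\nHost: github.com:443\r\n\r\n"
    established = b"HTTP/1.0 200 Connection established\r\n\r\n"
    aware, unaware = ProxyFlow(), ProxyFlow()
    return [aware.client_data(connect), aware.proxy_data(established),
            aware.client_data(CLIENT_HELLO), unaware.client_data(CLIENT_HELLO)]
```

The last element of run_demo() is what a parser gets when it sees the ClientHello without the CONNECT context, which is the alert pattern described above.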

Arun Koshal | 27 Mar 11:30 2015

Few strange problems with Snort and Stream5 preprocessor

Hi,

I have written a dynamic preprocessor for inspecting a custom application. This dynamic preprocessor depends on the stream5 preprocessor for getting the TCP stream. I am using Snort in PCAP mode. I am facing the following very strange problems:

1. The data in the rebuilt stream given by stream5 does not match the TCP sequence number. For example, for a given TCP packet the sequence number in the packet (pkt->tcp_header->sequence) is 507351850, but the data in pkt->payload is actually the same as that of some old packet having TCP sequence number 507343162. This scenario happens when a lot of packets are getting dropped. I confirmed this with a Wireshark packet capture and I have observed multiple such instances. I also noticed that I am getting all the packets in the same buffer (pkt->payload remains the same for all packets). So it seems like I am getting a new packet with a new header but old data. If I configure the pcap buffer_size as 512MB, the packets do not drop and this problem does not happen.

2. The second problem I faced was with the pcap snap_len. In my setup, I had Snort running with the default pcap snap_len. I noticed that Snort was not receiving packets having 1448 bytes of data (1500 bytes excluding the Ethernet header). On reducing the MTU of the traffic generator from 1500 to 1484, Snort started receiving those packets. As a workaround, I increased the snap_len in sfdaq.c to 1546. Is this behaviour correct?

It would be really great if someone could provide some input on these issues.

Thanks and regards.
Arun
Robert Lasota | 27 Mar 10:27 2015

React option doesn't work

Hi,

I've installed the newest Snort (2.9.7.2) from source with the options:
 ./configure --prefix=/opt/usr  --enable-sourcefire --with-daq-libraries=/opt/usr/lib/daq/
--with-daq-includes=/opt/usr/include/ --disable-gre --disable-mpls --disable-corefiles
--disable-dlclose --enable-react --enable-active-response --enable-flexresp3

I run it in inline mode with options:
--daq nfq --daq-var queue=0 -D -Q -c /opt/etc/snort/snort.conf -l /var/log/snort --no-interface-pidfile

... and it's blocking traffic, but unfortunately doesn't display a message in the web browser about this block.

Rule is:
drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (content-list:"exe"; msg:"ET CURRENT_EVENTS
Terse alphanumeric executable downloader high likelihood of being hostile";
flow:established,to_server; content:"/"; http_uri; content:".exe"; distance:1; within:8;
fast_pattern; http_uri; content:!"Referer|3a 20|"; nocase;  http_header;
pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; classtype:bad-unknown; sid:2019714; rev:2;  react:
block, msg; )

Without content-list:"exe" it just blocks;
with content-list:"exe" it doesn't even start, because of the error: Unknown rule option: 'content-list'.

So, what is going on? How do I fix it, or what is another way to display a message in the web browser while blocking
(in inline mode with the DAQ we are using)?

Please help us; we are working on a serious project with Snort and this is very important for us.

Robert Lasota
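
The four messages in this React thread between them pin down two separate problems: 'content-list' is not a rule option, and the manual's <...> placeholders were copied literally into both the rule's react: option and the config react: line, which Snort then tries to stat as written. As an added example that is neither Snort's parser nor anything posted by the thread's authors, this Python script checks a rule and a snort.conf fragment for exactly those mistakes; KNOWN_OPTIONS covers only the options used by the quoted rules, and the file-existence check is injected so the demo runs without /opt/etc/snort.

```python
"""Pre-flight checks for the two mistakes this thread ran into: an option Snort
does not know ('content-list') and the manual's <...> placeholders copied
literally into 'react:' and 'config react:'. Added illustration, not Snort's
own parser; rules and config lines below are the ones quoted in the thread."""
import os
import re

# Rule options used by the rules quoted in the thread (not Snort's full list).
KNOWN_OPTIONS = {"msg", "flow", "content", "http_uri", "distance", "within",
                 "fast_pattern", "http_header", "nocase", "pcre", "classtype",
                 "sid", "rev", "react"}
DEPRECATED_REACT = {"block", "warn", "proxy"}   # <dep_opts> in the manual excerpt

THREAD_RULE = ('drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (content-list:"exe"; '
               'msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high '
               'likelihood of being hostile"; flow:established,to_server; content:"/"; '
               'http_uri; content:".exe"; distance:1; within:8; fast_pattern; http_uri; '
               'content:!"Referer|3a 20|"; nocase; http_header; '
               'pcre:"/\\/[A-Z]?[a-z]{1,3}[0-9]?\\.exe$/U"; classtype:bad-unknown; '
               'sid:2019714; rev:2; react: block, msg; )')
MANUAL_RULE = ('drop tcp any any -> any $HTTP_PORTS ( content: "d"; '
               'msg:"Unauthorized Access Prohibited!"; react: msg; sid:4;)')
BAD_CONFIG = "config react: </opt/etc/snort/block.html>"
GOOD_CONFIG = "config react: /opt/etc/snort/block.html"


def split_options(rule: str) -> list:
    """Split the '( ... )' body into (name, value) pairs. Quotes are honoured so a
    ';' inside content or pcre does not end an option; assumes no '(' in the header."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs, cur, quoted, escaped = [], [], False, False
    for ch in body + ";":
        if escaped:
            cur.append(ch); escaped = False
        elif ch == "\\" and quoted:
            cur.append(ch); escaped = True
        elif ch == '"':
            cur.append(ch); quoted = not quoted
        elif ch == ";" and not quoted:
            opt = "".join(cur).strip(); cur = []
            if opt:
                name, _, value = opt.partition(":")
                pairs.append((name.strip(), value.strip()))
        else:
            cur.append(ch)
    return pairs


def check_rule(rule: str) -> list:
    """Findings Snort would reject (unknown option) or the manual deprecates."""
    findings = []
    for name, value in split_options(rule):
        if name not in KNOWN_OPTIONS:
            findings.append(f"unknown rule option: '{name}'")
        elif name == "react":
            for tok in re.split(r"[,\s]+", value):
                if tok in DEPRECATED_REACT:
                    findings.append(f"react: '{tok}' is deprecated, use 'react: msg;'")
                elif tok.startswith("<"):
                    findings.append(f"react: '{tok}' is manual placeholder syntax, use 'react: msg;'")
    return findings


def check_config(conf_text: str, exists=os.path.exists) -> list:
    """Check each 'config react:' line; Snort stats the path exactly as written,
    so '<' and '>' copied from the manual make the file unfindable."""
    findings = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*config\s+react\s*:\s*(.+?)\s*$", line)
        if not m:
            continue
        path = m.group(1)
        if path.startswith("<") and path.endswith(">"):
            findings.append(f"config react: drop the angle brackets around '{path}'")
            path = path[1:-1]
        if not exists(path):
            findings.append(f"config react: page file '{path}' not found")
    return findings


def run_checks(exists=lambda p: p == "/opt/etc/snort/block.html") -> dict:
    """Run both checks on the thread's inputs; 'exists' is injected so the demo
    does not depend on the real filesystem."""
    return {"thread_rule": check_rule(THREAD_RULE), "manual_rule": check_rule(MANUAL_RULE),
            "bad_config": check_config(BAD_CONFIG, exists),
            "good_config": check_config(GOOD_CONFIG, exists)}
```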


