Snort mailing list archives

Re: Re: snort at a bakeoff.


From: n3m3s1s () hushmail com
Date: Fri, 11 Jan 2002 07:35:51 -0800


-----BEGIN PGP SIGNED MESSAGE-----

Hi all,
  I managed to get out to the customer site again and ran some different commandline options for your expert perusal.  
I'll try to give a reasonable explanation of what happened for each command.  Also, for this set of tests, the 
bandwidth had been dropped to like 50-55 Mbit/s spiking to 75-80 Mbit/s.  Roughly half what I was looking at last time.

Try using a snort commandline like

sbin/snort -A fast -b -l ./log -d -i eth1 and see what happens.

This logged everything it saw to a time-stamped file.  No alerts, but it logged every packet (0% packet loss).  
Encouraging.


try snort -dev -i eth2 to see full dumps of the traffic on your eth2
interface to make sure it can see everything

Oh baby.  Tons of stuff ;-)

Other things I tried:

1.  snort -A fast -l ./log -d -i eth2 (for 1 minute)
 -MUCH logging, but dropped ~96.5% of traffic.
    "Snort analyzed 38950 out of 1117120 packets, dropping 1078170 (96.513%) packets."
 -also, while I had almost 8,000 IP directories in ./logs, the alerts file is 0 length.  Am I not doing pattern 
matching here?  Didn't seem to read my snort.conf...

2.  snort -A fast -l ./log -d -i eth2 -c ./snort.conf (for 1 minute)
 -generated ~1600 alerts of which 99% were ICMP Dest. Unreachables.  The other 1% were Bad Traffic (loopback source 
address).  There is much web, dns, scans and other stuff in this traffic.
  "Snort analyzed 762866 out of 1110037 packets, dropping 347171 (31.276%) packets."
 -This was with the default ruleset (884 rules).

3.  Repeated same test as #2, but with only web rules loaded [499 rules] (1 minute).
 -0 alerts
  "Snort analyzed 733682 out of 1119517 packets, dropping 385835 (34.464%)."

4. Ran same test as #3, except I changed the http_decode preprocessor to: 80 -cginull (removed -unicode) in the hopes 
that it would catch something unicode.  I also tried using the unicode preprocessor and my notes here are a little 
fuzzy.  I'm showing on one of the tests that I had 103 alerts, but I don't know which preprocessor.  Sorry.  Anyway, 
the 103 alerts were all Unicode Directory Traversal alerts, but didn't show the actual attack.  I went in and looked at 
the logged packets and there were definitely WEB-IIS cmd.exe and other things in there, but didn't get alerted.

For pretty much all the tests, it appeared that either the 1) signatures aren't being compared against (i.e. only 
preprocessor type alerts) or 2) I can only have 1 alert per packet (some IDSs are like this, is snort?).  My guess is 
that it's the former instead of the latter.  Right now, Snort is not keeping up with the other 3 IDSs being tested, so 
I'm relying on you guys to keep me from shooting myself in the foot!!  I know I'm just doing something wrong, I've seen 
plenty of posts in the archives where people are using Snort at much higher bandwidth than what I'm looking at.

Thanks in advance,

Norm
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAjw/B3IVHG4zbTNzMXNAaHVzaG1haWwuY29tAAoJEFhAkA76am0f/S8A
nR1t9ggSzkxLvn5/JsguVvxE2zSmAJ9TOz4XGZ9YuxFKPjH9/DgBC0U3aA==
=HHaK
-----END PGP SIGNATURE-----
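Added example, not part of the original post and not Snort project code: a small Python parser for the "Snort analyzed ... dropping ..." run-summary lines quoted in the message above. It checks that analyzed + dropped equals the total, that the reported percentage matches the counts, and flags runs whose packet loss exceeds a threshold, so a sensor's drop rate can be tracked across tuning runs before trusting its alert counts. The regex, the function names and the 5% default threshold are my assumptions; the three sample lines are taken from the post.

```python
import re
from dataclasses import dataclass
from typing import List

# Pattern for Snort 1.x run-summary lines, e.g.
# "Snort analyzed 38950 out of 1117120 packets, dropping 1078170 (96.513%) packets."
# The trailing "packets." is optional because the third summary in the post omits it.
SUMMARY_RE = re.compile(
    r"Snort analyzed (?P<analyzed>\d+) out of (?P<total>\d+) packets, "
    r"dropping (?P<dropped>\d+) \((?P<pct>[\d.]+)%\)"
)


@dataclass
class RunSummary:
    label: str
    analyzed: int
    total: int
    dropped: int
    reported_pct: float

    @property
    def drop_pct(self) -> float:
        """Drop rate recomputed from the raw counts, in percent."""
        return 100.0 * self.dropped / self.total if self.total else 0.0

    def is_consistent(self, tol: float = 0.001) -> bool:
        """True when the counts add up and Snort's own percentage matches them."""
        return (self.analyzed + self.dropped == self.total
                and abs(self.drop_pct - self.reported_pct) <= tol)


def parse_summary(label: str, line: str) -> RunSummary:
    """Parse one summary line; raises ValueError if it is not a summary line."""
    m = SUMMARY_RE.search(line)
    if m is None:
        raise ValueError(f"not a Snort run summary: {line!r}")
    return RunSummary(
        label=label,
        analyzed=int(m.group("analyzed")),
        total=int(m.group("total")),
        dropped=int(m.group("dropped")),
        reported_pct=float(m.group("pct")),
    )


def acceptable_runs(runs: List[RunSummary], max_drop_pct: float = 5.0) -> List[str]:
    """Labels of runs whose packet loss is at or below the threshold (assumed 5%)."""
    return [r.label for r in runs if r.drop_pct <= max_drop_pct]


# Sample input: the three summary lines quoted in the post, labelled by test number.
SAMPLE_LINES = {
    "test1": "Snort analyzed 38950 out of 1117120 packets, dropping 1078170 (96.513%) packets.",
    "test2": "Snort analyzed 762866 out of 1110037 packets, dropping 347171 (31.276%) packets.",
    "test3": "Snort analyzed 733682 out of 1119517 packets, dropping 385835 (34.464%).",
}


def analyze_samples() -> List[RunSummary]:
    """Parse all sample lines and return their summaries in test order."""
    return [parse_summary(label, line) for label, line in SAMPLE_LINES.items()]


if __name__ == "__main__":
    for run in analyze_samples():
        status = "ok" if run.is_consistent() else "INCONSISTENT"
        print(f"{run.label}: {run.drop_pct:.3f}% dropped ({status})")
    print("runs under 5% loss:", acceptable_runs(analyze_samples()) or "none")
```

Running it on the three lines from the post shows every run consistent but none under 5% loss, which is the practical point: with a third or more of the packets dropped, a zero alert count says little about what the traffic contained.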


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net