Snort mailing list archives
Questions (and bug report?) about tagging
From: Martin Olsson <elof () sentor se>
Date: Fri, 23 Aug 2002 14:03:41 +0200 (CEST)
I'm playing around with the tag option and don't get the expected result.

Machine A (flash - 10.0.0.53) is running FreeBSD 4.6 and snort 1.8.7.

I have set up inetd to listen on port 80 with this script:

    #!/bin/sh
    # Script run by inetd for every connection to port 80; stdin/stdout are the socket
    echo 'My server on port 80'
    read VAR1
    echo 'Here is a long listing of files'
    ls -l /usr/lib
    read VAR2
    echo 'Now that should have triggered a couple of packets'
    exit 0

I use this rule:

    alert tcp any any -> any 80 (msg:"php.cgi access"; flags:A+; uricontent:"/php.cgi"; nocase; classtype:attempted-recon; sid:824; rev:6; tag:host,30,seconds,dst;)
From machine B (jean - 10.0.0.52) I connect to A and trigger an alert like this:

---------------------------------------------------------------------
nc 10.0.0.53 80
< My server on port 80
> GET /php.cgi
< Here is a long listing of files
< drwxr-xr-x  2 root  wheel   512 Jun 11 06:17 aout
< drwxr-xr-x  3 root  wheel   512 Aug  7 15:02 compat
< -r--r--r--  1 root  wheel  1417 Jun 11 06:17 crt1.o
<...several lines are cut...>
< -r--r--r--  1 root  wheel  6424 Jun 11 06:18 pam_tacplus.so
< -r--r--r--  1 root  wheel  4828 Jun 11 06:18 pam_unix.so
> qwertyqwertyqwertyqwertyqwertyqwerty
< Now that should have triggered a couple of packets
---------------------------------------------------------------------

Strange thing #1:
In my snort-tcpdump-file I get _one_ packet with the payload of both the "GET /php.cgi" and the "qwertyqwertyqwertyqwertyqwertyqwerty" packets. I thought snort dumped the packets exactly as is, but apparently that is not so. This might confuse the person debugging the packets found in the tcpdump-file since they aren't exact copies of the original packets.

Strange thing #2, and this is the critical one:
The first responses, "Here is a long listing of files" and the file listing, are _not_ logged. This is not good since this reply is exactly what I'm interested in and want to be logged. If I expand the string "qwertyqwertyqwertyqwertyqwertyqwerty" to be about 20 times longer, at least the message "Now that should have triggered a couple of packets" is logged, but the first "Here is a long listing of files" and the file listing are still missing.

After the packet or packets that belong to my port 80 session to machine A, I also get a lot of logged packets for other activity (ssh) to/from this machine. This is correct since my rule was set to tag on 'host' with the 'dst' IP as its criteria.

Strange thing #3 (a bug in snort?):
The first packet in the tcpdump-file, the one matching "/php.cgi", has a timestamp of 12:16:36. The last packet in the file has a timestamp of 12:24:34. This is far longer than the 30 seconds I specified.
Question #1:
Will the database plugin support logging tagged packets to a database, or will just the first packet be logged as it currently does?

I run snort like this:

    snort -D -q -L snort.tcpdump -l /var/log/snort -c /etc/snort.conf -i ed1

    var HOME_NET any
    var EXTERNAL_NET $HOME_NET
    var SMTP $HOME_NET
    var HTTP_SERVERS $HOME_NET
    var SQL_SERVERS $HOME_NET
    var DNS_SERVERS [10.0.0.1/32]
    var RULE_PATH /var/snort
    var SHELLCODE_PORTS !80
    var HTTP_PORTS 80
    var ORACLE_PORTS 1521
    preprocessor frag2
    preprocessor stream4: detect_scans, disable_evasion_alerts
    preprocessor stream4_reassemble
    preprocessor http_decode: 80 -unicode -cginull
    preprocessor rpc_decode: 111 32771
    preprocessor bo
    preprocessor telnet_decode
    preprocessor portscan: $HOME_NET 4 3 snort.portscan
    preprocessor portscan-ignorehosts: $DNS_SERVERS
    output database: alert, mysql, user=sentor password=pw dbname=snort host=10.0.0.10 sensor_name=nids1
    output alert_fast: snort.alert
    include /etc/snort-classification.config
    include $RULE_PATH/web-cgi.rules
    config alert_with_interface_name
    config umask: 022
    config checksum_mode: none
    config show_year
    config stateful

Information:

The output from machine B, running nc and sending "GET /php.cgi" and "qwertyqwerty.....":
* http://www.mds.mdh.se/~dat94mon/snort/nc_on_machine-B.txt

The tcpdump-file:
* http://www.mds.mdh.se/~dat94mon/snort/snort.tcpdump

The tcpdump-file decoded to hex and ASCII:
* http://www.mds.mdh.se/~dat94mon/snort/tcpdump_from_machine-A_in_hex_ascii.txt

/Martin
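A model of the tag semantics the post is probing, added here as an example and not part of the original post or of Snort's own code. It assumes the documented option shape `tag:<host|session>,<count>,<seconds|packets>[,src|dst]`, includes the alerting packet in the tagged set, and uses constructed packet records with timestamps relative to the alert; `window_exceeded` is the check the post did by hand on the first and last timestamps in the tcpdump file.

```python
from collections import namedtuple

# ts = seconds after the triggering packet (constructed samples, not decoded from a pcap)
Pkt = namedtuple("Pkt", "ts src sport dst dport")

def parse_tag(opt):
    """Parse the option body, e.g. 'host,30,seconds,dst'."""
    parts = [p.strip() for p in opt.split(",")]
    kind, count, metric = parts[0], int(parts[1]), parts[2]
    if kind not in ("host", "session") or metric not in ("seconds", "packets"):
        raise ValueError("unsupported tag option: " + opt)
    direction = parts[3] if len(parts) > 3 else None
    if kind == "host" and direction not in ("src", "dst"):
        raise ValueError("host tagging needs a src/dst direction: " + opt)
    return {"kind": kind, "count": count, "metric": metric, "direction": direction}

def tagged_packets(trigger, packets, tag):
    """Packets a tag of this shape should log, trigger first. Modelled: host tags follow
    every packet to/from the chosen host of the alerting packet, session tags only that
    5-tuple; 'seconds' is wall clock from the trigger, 'packets' a count of matches."""
    if tag["kind"] == "host":
        host = trigger.dst if tag["direction"] == "dst" else trigger.src
        match = lambda p: host in (p.src, p.dst)
    else:
        flow = {(trigger.src, trigger.sport, trigger.dst, trigger.dport),
                (trigger.dst, trigger.dport, trigger.src, trigger.sport)}
        match = lambda p: (p.src, p.sport, p.dst, p.dport) in flow
    out = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.ts < trigger.ts or not match(p):
            continue
        if tag["metric"] == "seconds" and p.ts - trigger.ts > tag["count"]:
            break
        if tag["metric"] == "packets" and len(out) >= tag["count"]:
            break
        out.append(p)
    return out

def window_exceeded(trigger, logged, tag):
    """The check the post did by hand: does the last logged packet fall outside the window?"""
    return tag["metric"] == "seconds" and max(p.ts for p in logged) - trigger.ts > tag["count"]

# Constructed traffic shaped like the post: A=10.0.0.53 (web + ssh), B=10.0.0.52, C=10.0.0.10.
TRIGGER = Pkt(0, "10.0.0.52", 40001, "10.0.0.53", 80)        # GET /php.cgi
PACKETS = [TRIGGER,
           Pkt(1, "10.0.0.53", 80, "10.0.0.52", 40001),      # file listing reply
           Pkt(10, "10.0.0.10", 50000, "10.0.0.53", 22),     # unrelated ssh to A
           Pkt(25, "10.0.0.52", 40001, "10.0.0.53", 80),     # "qwerty..." line
           Pkt(478, "10.0.0.53", 22, "10.0.0.10", 50000)]    # 7:58 later, like 12:24:34
```

Running `window_exceeded(TRIGGER, PACKETS, parse_tag("host,30,seconds,dst"))` over a packet list read from a real log reproduces the post's "far longer than 30 seconds" observation as a boolean, while `tagged_packets` gives the set the option should have produced for comparison.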