Snort mailing list archives
RE: Problems with snort-2.1.0]
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Tue, 13 Jan 2004 18:03:45 -0600
-----Original Message-----
From: Daniel J. Roelker [mailto:droelker () sourcefire com]
Sent: Tuesday, January 13, 2004 2:29 PM
To: Schmehl, Paul L
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Problems with snort-2.1.0]

The configuration line that you may want to use is:

preprocessor perfmonitor: file stats.snort time 300 pktcnt 10000

This gives you the basic performance stats on a 5 minute interval. The reason you were seeing so many lines was that you had 'flow' enabled. If you read the documentation, this says that "statistics are printed out about the type of traffic and protocol distributions that snort is seeing". That's what these 2500 lines of statistics were. These statistics help users fine tune snort for performance on their network by detailing the various network protocol flows and client and server side data.
Thanks, Daniel. That makes sense. I read the documentation, but I obviously didn't understand what the impact of printing out "statistics" would be. :-)
What am I missing?

Apparently a lot. ;)

detect_anomalous_servers: In the documentation it says, "This global configuration option enables generic HTTP server traffic inspection on non-HTTP configured ports, and alerts if HTTP traffic is seen." The docs say nothing about HOME_NET or any other variables in regard to http_inspect, so if you could point us to where you got that fact in the docs we'll be happy to fix it so it's less confusing.
Obviously it was an assumption. I *thought* that http_inspect would only normalize and report on traffic within the context of existing, enabled rules, which would mean that if HTTP_SERVERS was defined, *that* is what it would report on. (Isn't that what http_decode did?)
This means that http_inspect is indeed looking at all traffic. Since you're getting so many anomalous_server alerts you should just turn off detect_anomalous_servers until you are able to configure your default and unique HTTP servers appropriately. But it's not a big deal if you don't have this enabled.
And I did turn it off, almost immediately.
BARE_BYTE ENCODING alert: Uh, here's your problem. In your default server configuration you have 443 as an HTTP server port. 443 is definitely an HTTP port but there's something a little different about it, it's encrypted. So that makes it really hard for snort to correctly decode where the request URI is in the stream of data. The reason you're getting those alerts is because http_inspect probably thinks the request URI is after the first space in the encrypted stream and starts decoding. Some of the encrypted bytes probably look like unicode sequences and *poof* you have a BARE_BYTE ENCODING alert.
Doh! Ah the things we miss when we're in a hurry.
So take any encrypted HTTP ports (i.e. 443) out of your http_inspect port configuration. I guess we'll add that fact to the documentation notes to make it completely clear.
Yup. I won't be the only dummy you run in to. :-)
non_rfc_chars, other flags, etc: The non_rfc_char alerts have been an issue and we're taking that out of the default server policies, i.e. apache, iis, all. Which brings us to the issue that you didn't enable many of the flags that you are seeing alerts for. This is because you have enabled a profile, in this case 'all' to be specific. If you look at the documentation it tells you what flags are pre-set for this particular profile. So that's why you're seeing alerts for things that you didn't specifically set.
I missed that, and I'm still not seeing it in README.http_inspect. Is it in there? Or in the snort manual? I don't see anything that discusses what the default, pre-set flags are for all, apache or iis. I do have a question though. Can you disable a default flag by using "flag_name no"?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
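The three fixes Daniel describes in this thread, collected into one snort.conf fragment as an added example (this is not configuration from the thread or from the Snort project's shipped snort.conf): the perfmonitor line he gave, the http_inspect global line without detect_anomalous_servers, and the default server entry with the encrypted port 443 removed. The iis_unicode_map line and the choice of 8080 as a second clear-text port are assumptions, not taken from the thread.

```conf
# Added example, not from the mailing-list thread.

# Basic performance stats every 5 minutes (300 s) or 10000 packets,
# without 'flow', which is what produced the 2500-line statistics dump.
preprocessor perfmonitor: file stats.snort time 300 pktcnt 10000

# Global http_inspect config. detect_anomalous_servers is deliberately
# left off: with it on, http_inspect looks at all traffic, not just
# HTTP_SERVERS, and alerts on every non-HTTP-port server it sees.
# The unicode map line is assumed to be the standard one; check your version's README.http_inspect.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# BEFORE (the problem in the thread): 443 listed as an HTTP port. The TLS
# bytes after the first space get decoded as a URI and trigger
# BARE_BYTE ENCODING alerts.
#preprocessor http_inspect_server: server default profile all ports { 80 443 }

# AFTER: only clear-text HTTP ports. 8080 is an assumed example port;
# list whatever unencrypted ports your servers actually use. Remember
# that 'profile all' pre-sets a number of alert flags on its own.
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
```

Keep any TLS-only ports (443 or anything else carrying encrypted HTTP) out of every http_inspect_server ports list, not just the default entry; http_inspect can only decode a request URI it can actually read.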
Current thread:
- RE: Problems with snort-2.1.0] Daniel J. Roelker (Jan 13)
- <Possible follow-ups>
- RE: Problems with snort-2.1.0] Schmehl, Paul L (Jan 13)