RE: Problems with snort-2.1.0]

["Schmehl, Paul L" <pauls () utdallas edu>]

> -----Original Message-----
> From: Daniel J. Roelker [mailto:droelker () sourcefire com] 
> Sent: Tuesday, January 13, 2004 2:29 PM
> To: Schmehl, Paul L
> Cc: snort-users () lists sourceforge net
> Subject: RE: [Snort-users] Problems with snort-2.1.0]
>
> The configuration line that you may want to use is:
>
> preprocessor perfmonitor: file stats.snort time 300 pktcnt 10000
>
> This gives you the basic performance stats on a 5 minute 
> interval.  The reason you were seeing so many lines was that 
> you had 'flow' enabled. 
> If you read the documentation this says that "statistics are 
> printed out about the type of traffic and protocol 
> distributions that snort is seeing".  That's what these 2500 
> lines of statistics were.  These statistics help users fine 
> tune snort for performance on their network by detailing the 
> various network protocol flows and client and server side data.
Thanks, Daniel.  That makes sense.  I read the documentation, but I
obviously didn't understand what the impact of printing out "statistics"
would be.  :-)
> > What am I missing?
> Apparently a lot.  ;)
>
> detect_anomalous_servers:
> In the documentation it says, "This global configuration 
> option enables generic HTTP server traffic inspection on 
> non-HTTP configured ports, and alerts if HTTP traffic is 
> seen.".  The docs say nothing about HOME_NET or any other 
> variables in regard to http_inspect, so if you could point us 
> to where you got that fact in the docs we'll be happy to fix 
> it so it's less confusing.  
Obviously it was an assumption.  I *thought* that http_inspect would
only normalize and report on traffic within the context of existing,
enabled rules, which would mean that if HTTP_SERVERS was defined, *that*
is what it would report on.  (Isn't that what http_decode did?)

> This means that http_inspect is indeed looking at all 
> traffic.  Since you're getting so many anomalous_server 
> alerts you should just turn off detect_anomalous_servers 
> until you are able to configure your default and unique HTTP 
> servers appropriately.  But it's not a big deal if you don't 
> have this enabled.
And I did turn it off, almost immediately.
 
> BARE_BYTE ENCODING alert:
> Uh, here's your problem.  In your default server 
> configuration you have
> 443 as an HTTP server port.  443 is definitely an HTTP port 
> but there's something a little different about it, it's 
> encrypted.  So that makes it really hard for snort to 
> correctly decode where the request URI is in the stream of 
> data.  The reason you're getting those alerts is because 
> http_inspect probably thinks the request URI is after the 
> first space in the encrypted stream and starts decoding.  
> Some of the encrypted bytes probably look like unicode 
> sequences and *poof* you have a BARE_BYTE ENCODING alert.
Doh!  Ah the things we miss when we're in a hurry.
 
> So take any encrypted HTTP ports (i.e. 443) out of your 
> http_inspect port configuration.  I guess we'll add that fact 
> to the documentation notes  to make it completely clear.
Yup.  I won't be the only dummy you run in to.  :-)

> non_rfc_chars, other flags, etc:
> The non_rfc_char alerts have been an issue and we're taking 
> that out of the default server policies, i.e. apache, iis, 
> all.  Which brings us to the issue that you didn't enable 
> many of the flags that you are seeing alerts for.  This is 
> because you have enabled a profile, in this case 'all' to be 
> specific.  If you look at the documentation it tells you what 
> flags are pre-set for this particular profile.  So that's why 
> you're seeing alerts for things that you didn't specifically set.
I missed that, and I'm still not seeing it in README.http_inspect.  Is
it in there?  Or in the snort manual?  I don't see anything that
discusses what the default, pre-set flags are for all, apache or iis.

I do have a question though.  Can you disable a default flag by using
"flag_name no"?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 


-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users