Re: snort-2.8.2.1 and udp alerts

[Keith <keith () sourcefire com>]

inline

Alex wrote:
> On Tuesday 24 June 2008 18:40, you wrote:
> > Hi
> >
> > Stream 5 tracking UDP, and alerts being generated by UDP are two
> > different things. Stream 5 is a TCP/UDP connection state tracker, if
> > you look in your rule files you will see many rules associated with
> > the UDP protocol enabled.
>
> oh, thanks for clarification... the rules in /etc/snort/rules... yes... what i 
> don't understand is stream5 processor role for TCP/UDP/ICMP and stream5 
> settings in snort.conf...

Stream5 sets both stream reassembly policy, and Flow. It enables you to 
do a few things. Stream5 will allow you to reassemble  segmented traffic 
and alert on its content. It will also allow that reassembly to be done 
in a way that fits your environment (bsd, macos etc). A final feature of 
Stream5 is that it enables the ability to alert on flow. So you can 
write rules that use "flow: established, to_server" in your rules. Doing 
so would restrict the rule to only alert on traffic from IP-port pairs 
with an existing connection.

There are a few more advantages offered by stream5. For more details 
check README.stream5 in the doc directory, or the snort manual.

Regards,
Keith

> > If you are only getting UDP events being raised by Snort, this means
> > one of two things.
>
> No, i'm getting alerts on TCP, UDP, ICMP and so on...
>
> > If Snort isn't seeing TCP traffic,
>
> it can see it.
>
> so, what will be the difference regarding alerts or snort behaviour in case 
> when i'll enable UDP and ICMP in stream5 processor, like below:
>
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> track_udp yes, track_icmp yes
>
> or what will be if i'll disable stream5 for all like below
>
> preprocessor stream5_global: track_tcp no, \
> track_udp no, track_icmp no
>
> And finally, the main question:
> - does snort detect/alert broadcast storms (layer 2 and layer 3 broadcast 
> storms) using my present rules/settings - i posted here all my snort.conf 
> file? If not, how can be snort configured to detect bcast storms in our lan?
>
> Regards,
> Alx
>
> > On 24 Jun 2008, at 14:45, Alex wrote:
> > > hello snort experts,
> > >
> > > I am using snort-2.8.2.1 compiled with mysql support. Currently,
> > > snort it logs
> > > and produce UDP alerts even it seems that UDP support is disabled in
> > > config
> > > file.
> > >
> > > Starting snort, i can see in terminal:
> > > [root@ltm ~]# snort -c /etc/snort/snort.conf
> > > ...
> > > Stream5 global config:
> > > Track TCP sessions: ACTIVE
> > > Max TCP sessions: 8192
> > > Memcap (for reassembly packet storage): 8388608
> > > Track UDP sessions: INACTIVE
> > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > Track ICMP sessions: INACTIVE
> > > ...
> > > Portscan Detection Config:
> > > Detect Protocols: TCP UDP ICMP IP
> > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > Detect Scan Type: portscan portsweep decoy_portscan
> > > distributed_portscan
> > > Sensitivity Level: Low
> > > Memcap (in bytes): 10000000
> > > ...
> > >
> > > In snort.conf i can see only 2 lines related to UDP:
> > >
> > > preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> > > track_udp no
> > >
> > > so here, no doubt that UDP is DISABLED
> > >
> > > and
> > >
> > > preprocessor sfportscan: proto { all } \
> > > memcap { 10000000 } \
> > > sense_level { low }
> > >
> > > If UDP support is disabled in snort.conf, which line match and
> > > produce the
> > > following UDP alerts? I'm not convinced that preprocessor sfportscan
> > > will
> > > generate it. Can anybody give me a hint?
> > >
> > > MS-SQL ping attempt 2008-06-23 17:51:15 192.168.0.139:1052
> > > 255.255.255.255:1434 UDP
> > >
> > > or
> > >
> > > MISC UPnP malformed advertisement 2008-06-23 16:21:10
> > > 169.254.209.225:1900
> > > 239.255.255.250:1900 UDP
> > >
> > > below, comes my entire snort.conf file:
> > >
> > > var HOME_NET any
> > > var EXTERNAL_NET any
> > > var DNS_SERVERS $HOME_NET
> > > var SMTP_SERVERS $HOME_NET
> > > var HTTP_SERVERS $HOME_NET
> > > var SQL_SERVERS $HOME_NET
> > > var TELNET_SERVERS $HOME_NET
> > > var SNMP_SERVERS $HOME_NET
> > > portvar HTTP_PORTS 80
> > > portvar SHELLCODE_PORTS !80
> > > portvar ORACLE_PORTS 1521
> > > var AIM_SERVERS
> > > [64.12.24.0
> > > /
> > > 23,64.12.28.0
> > > /
> > > 23,64.12.161.0
> > > /
> > > 24,64.12.163.0
> > > /
> > > 24,64.12.200.0
> > > /
> > > 24,205.188.3.0
> > > /
> > > 24,205.188.5.0
> > > /
> > > 24,205.188.7.0
> > > /24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> > > var RULE_PATH /etc/snort/rules
> > > var PREPROC_RULE_PATH ../preproc_rules
> > > dynamicpreprocessor directory /usr/lib/
> > > snort-2.8.2.1_dynamicpreprocessor/
> > > dynamicengine /usr/lib/snort-2.8.2.1_dynamicengine/libsf_engine.so
> > > preprocessor frag3_global: max_frags 65536
> > > preprocessor frag3_engine: policy first detect_anomalies
> > > preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> > > track_udp no
> > > preprocessor stream5_tcp: policy first, use_static_footprint_sizes
> > > preprocessor http_inspect: global \
> > > iis_unicode_map unicode.map 1252
> > > preprocessor http_inspect_server: server default \
> > > profile all ports { 80 8080 8180 } oversize_dir_length 500
> > > preprocessor rpc_decode: 111 32771
> > > preprocessor bo
> > > preprocessor ftp_telnet: global \
> > > encrypted_traffic yes \
> > > inspection_type stateful
> > > preprocessor ftp_telnet_protocol: telnet \
> > > normalize \
> > > ayt_attack_thresh 200
> > > preprocessor ftp_telnet_protocol: ftp server default \
> > > def_max_param_len 100 \
> > > alt_max_param_len 200 { CWD } \
> > > cmd_validity MODE < char ASBCZ > \
> > > cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
> > > chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
> > > telnet_cmds yes \
> > > data_chan
> > > preprocessor ftp_telnet_protocol: ftp client default \
> > > max_resp_len 256 \
> > > bounce yes \
> > > telnet_cmds yes
> > > preprocessor smtp: \
> > > ports { 25 587 691 } \
> > > inspection_type stateful \
> > > normalize cmds \
> > > normalize_cmds { EXPN VRFY RCPT } \
> > > alt_max_command_line_len 260 { MAIL } \
> > > alt_max_command_line_len 300 { RCPT } \
> > > alt_max_command_line_len 500 { HELP HELO ETRN } \
> > > alt_max_command_line_len 255 { EXPN VRFY }
> > > preprocessor sfportscan: proto { all } \
> > > memcap { 10000000 } \
> > > sense_level { low }
> > > preprocessor dcerpc: \
> > > autodetect \
> > > max_frag_size 3000 \
> > > memcap 100000
> > > preprocessor dns: \
> > > ports { 53 } \
> > > enable_rdata_overflow
> > > preprocessor ssl: noinspect_encrypted
> > > output database: log, mysql, user=snort password=password dbname=snort
> > > host=localhost
> > > include classification.config
> > > include reference.config
> > > include $RULE_PATH/local.rules
> > > include $RULE_PATH/bad-traffic.rules
> > > include $RULE_PATH/exploit.rules
> > > include $RULE_PATH/scan.rules
> > > include $RULE_PATH/finger.rules
> > > include $RULE_PATH/ftp.rules
> > > include $RULE_PATH/telnet.rules
> > > include $RULE_PATH/rpc.rules
> > > include $RULE_PATH/rservices.rules
> > > include $RULE_PATH/dos.rules
> > > include $RULE_PATH/ddos.rules
> > > include $RULE_PATH/dns.rules
> > > include $RULE_PATH/tftp.rules
> > > include $RULE_PATH/web-cgi.rules
> > > include $RULE_PATH/web-coldfusion.rules
> > > include $RULE_PATH/web-iis.rules
> > > include $RULE_PATH/web-frontpage.rules
> > > include $RULE_PATH/web-misc.rules
> > > include $RULE_PATH/web-client.rules
> > > include $RULE_PATH/web-php.rules
> > > include $RULE_PATH/sql.rules
> > > include $RULE_PATH/x11.rules
> > > include $RULE_PATH/icmp.rules
> > > include $RULE_PATH/netbios.rules
> > > include $RULE_PATH/misc.rules
> > > include $RULE_PATH/attack-responses.rules
> > > include $RULE_PATH/oracle.rules
> > > include $RULE_PATH/mysql.rules
> > > include $RULE_PATH/snmp.rules
> > > include $RULE_PATH/smtp.rules
> > > include $RULE_PATH/imap.rules
> > > include $RULE_PATH/pop2.rules
> > > include $RULE_PATH/pop3.rules
> > > include $RULE_PATH/nntp.rules
> > > include $RULE_PATH/other-ids.rules
> > > include $RULE_PATH/experimental.rules
> > >
> > > Regards,
> > > Alx
> > >
> > > -------------------------------------------------------------------------
> > > Check out the new SourceForge.net Marketplace.
> > > It's the best place to buy or sell services for
> > > just about anything Open Source.
> > > http://sourceforge.net/services/buy/index.php
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://sourceforge.net/services/buy/index.php
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users