Snort mailing list archives

Re: Snort not inspecting all traffic sourcing from itself?


From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Thu, 10 Jun 2010 08:52:37 -0500

Hello.  That did it.  I guess the issue was checksum offloading.  Thanks a lot!

Cheers,

-L0rd Ch0de1m0rt

On 6/9/10, Leon Ward <lward () sourcefire com> wrote:
TCP Checksum offloading?

Do a sniff on the interface and take a look if the checksums are
correct. Snort's -k none could help you out.

Just the first thing that jumps to mind.

-Leon

On 9 June 2010 21:45, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:
Hello.  I'm curious.  I am running Snort 2.8.5.1 on an Ubuntu 8.04
web server and I have the following two very simple rules enabled (and
nothing else):

alert tcp any any -> any any (msg:"TCP SYN packet seen!"; flags:S;
classtype:bad-unknown; sid:54002346; rev:1;)

alert tcp any any -> any any (msg:"HTTP GET detected"; content:"GET";
nocase; classtype:bad-unknown; sid:68000036; rev:1;)

Now before people start complaining, this is for testing only, not
real rules so no need to criticise them.  Anyway if I make an HTTP GET
request from a different machine to the Snort machine (which is
running a web server, remember), both rules fire.  If the Snort
machine serves up a web page that has the word "GET" in it, the rules
fire again (different HTTP session).  However, if I log on to the
Snort machine, fire up a web browser, and start surfing, only the SYN
rule fires despite the fact that "GET" is clearly in traffic when I do
a tcpdump on it.  So for some reason, Snort is not inspecting all
traffic (although some since the SYN rule fired) sourcing from itself.
Here are my Stream5 options in snort.conf:

preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
   overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
   ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
       161 445 513 514 587 593 691 1433 1521 2100 3306 6665 6666 6667 6668 6669 \
       7000 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
   ports both 80 443 465 563 636 989 992 993 994 995 1220 2301 3128 6907 7702 7777 7779 7801 7900 7901 7902 7903 7904 7905 \
       7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 8000 8008 8028 8080 8180 8888 9999
preprocessor stream5_udp: timeout 180

Cheers,

-L0rd Ch0de1m0rt

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
lucky parental unit.  See the prize list and enter to win:
http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs



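The thread's diagnosis (TCP checksum offloading) can be checked without Snort: when the NIC computes the TCP checksum, a sniffer on the sending host sees the segment before the hardware fills the field in, so the checksum is wrong at capture time, and Snort in its default checksum mode drops such packets before rule evaluation. The script below is an added example, not code from the thread or from the Snort project. It builds two constructed IPv4/TCP segments carrying an HTTP GET (one with a correct checksum, one with the zeroed checksum an offloading host leaves behind), verifies the TCP checksum the way RFC 793 describes it (pseudo-header plus segment), and models the effect of `-k all` versus `-k none` with toy versions of the two test rules from the thread. The addresses, ports and the simplified model of Snort's `-k` handling are assumptions made for the example.

```python
"""Constructed IPv4/TCP packets, RFC 793 TCP checksum verification, and a toy
model of how Snort's -k checksum mode affects rule evaluation (added example)."""
import struct

TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data with a zero byte
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags, payload=b"", offloaded=False):
    """Build an IPv4+TCP packet. offloaded=True mimics a capture taken on the
    sending host with TCP checksum offload: the field is still zero because the
    driver left it for the NIC to fill in after the capture point."""
    src, dst = _ip(src_ip), _ip(dst_ip)
    seq, ack, window = 1000, 0 if flags == TCP_SYN else 2000, 65535
    tcp_len = 20 + len(payload)
    hdr = bytearray(struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                                5 << 4, flags, window, 0, 0))
    if not offloaded:
        pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
        hdr[16:18] = struct.pack("!H", checksum(pseudo + bytes(hdr) + payload))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len,
                               0x1234, 0x4000, 64, 6, 0, src, dst))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip) + bytes(hdr) + payload


def _ihl(packet: bytes) -> int:
    return (packet[0] & 0x0F) * 4


def tcp_checksum_ok(packet: bytes) -> bool:
    """A correct checksum makes the one's-complement sum over pseudo-header
    plus segment (checksum field included) come out as 0xFFFF."""
    ihl = _ihl(packet)
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, packet[9], len(segment))
    return ones_complement_sum(pseudo + segment) == 0xFFFF


def tcp_flags(packet: bytes) -> int:
    return packet[_ihl(packet) + 13]


def tcp_payload(packet: bytes) -> bytes:
    ihl = _ihl(packet)
    data_off = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + data_off:]


# Toy equivalents of the two test rules from the thread (flags:S and content:"GET"; nocase).
RULES = [
    ("TCP SYN packet seen!", lambda pkt: tcp_flags(pkt) & TCP_SYN != 0),
    ("HTTP GET detected", lambda pkt: b"get" in tcp_payload(pkt).lower()),
]


def snort_verdict(packet: bytes, checksum_mode: str = "all") -> dict:
    """Simplified model (assumption) of Snort's -k option: with the default
    "all", a packet failing TCP checksum verification is discarded before the
    rules run; with "none" or "notcp" it is inspected regardless."""
    verify_tcp = checksum_mode not in ("none", "notcp")
    if verify_tcp and not tcp_checksum_ok(packet):
        return {"inspected": False, "alerts": []}
    return {"inspected": True, "alerts": [msg for msg, test in RULES if test(packet)]}


def demo() -> dict:
    # Constructed HTTP request from a hypothetical client at 192.0.2.10 to a web server.
    get = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    on_wire = build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 80, TCP_PSH | TCP_ACK, get)
    captured_locally = build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 80,
                                      TCP_PSH | TCP_ACK, get, offloaded=True)
    return {
        "wire_default": snort_verdict(on_wire),
        "local_default": snort_verdict(captured_locally),
        "local_k_none": snort_verdict(captured_locally, "none"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The same check applies to a real capture: run the verifier over the TCP segments in a pcap taken on the sensor and, if the host's own outbound segments consistently fail while inbound ones pass, checksum offloading is the likely cause, and `-k none` (or disabling offload with the NIC driver's tools) is the fix Leon pointed at.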

