Snort mailing list archives
Re: Snort not logging all alerts in pcap (was Oddness with 16295)
From: rmkml <rmkml () yahoo fr>
Date: Sat, 13 Nov 2010 13:25:45 +0100 (CET)
Hi James,

It's perfect, what's the problem? If I remember correctly, Snort writes only one packet to the pcap file for one alert... (no stream reassembly). What Snort version do you use? Maybe Snort "drops" packets? Read your log for packet stats or send 'kill -USR1 snort_pid'...

Regards
Rmkml

On Thu, 11 Nov 2010, Lay, James wrote:
OK so now I'm sure there's an issue. Below are more examples... everything is fine until alert timestamps 11/11-10:38:38.577756 and 11/11-10:38:38.818757... they are simply not there in the corresponding pcap file. My settings are as follows:

output alert_fast: internetalert.fast
output log_tcpdump: internettcpdump.pcap

Any reason some packets aren't getting logged in the pcap file? Any pointers would be excellent.

James

[10:45:48 jlay@goids:~/log$] sudo tail -n 20 internetalert.fast
11/11-10:26:15.284212 [**] [1:2008418:4] ET POLICY Metasploit Framework Update [**] [Classification: Misc activity] [Priority: 3] {TCP} 216.75.1.230:443 -> 10.21.0.9:53302
11/11-10:27:41.141234 [**] [1:15306:4] WEB-CLIENT Portable Executable binary file transfer [**] [Classification: Misc activity] [Priority: 3] {TCP} 68.142.93.133:80 -> 10.21.0.16:62912
11/11-10:27:58.026044 [**] [1:2406512:194] ET RBN Known Russian Business Network IP TCP (257) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.21.0.16:62962 -> 85.17.84.214:80
11/11-10:30:04.970609 [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:63283 -> 199.7.50.72:80
11/11-10:30:36.362238 [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:63388
11/11-10:30:44.274148 [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 66.150.28.142:80 -> 10.21.0.16:63427
11/11-10:32:33.810911 [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.75.15.140:80 -> 10.21.10.225:59450
11/11-10:34:04.413890 [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64094 -> 173.204.52.197:80
11/11-10:35:42.820754 [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:64404
11/11-10:35:49.670676 [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 66.150.28.142:80 -> 10.21.0.16:64432
11/11-10:38:00.626191 [**] [1:2406512:194] ET RBN Known Russian Business Network IP TCP (257) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.21.0.16:64881 -> 85.17.84.212:80
11/11-10:38:38.577756 [**] [1:17487:1] WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 96.6.2.125:80 -> 10.21.0.16:64991
11/11-10:38:38.818757 [**] [1:17487:1] WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 72.246.94.34:80 -> 10.21.0.16:64835
11/11-10:38:46.511664 [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:65098 -> 66.220.146.32:80
11/11-10:40:49.997265 [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:1181
11/11-10:40:57.546175 [**] [1:15306:4] WEB-CLIENT Portable Executable binary file transfer [**] [Classification: Misc activity] [Priority: 3] {TCP} 207.171.185.196:80 -> 10.21.0.16:1281
11/11-10:41:42.069675 [**] [1:648:10] SHELLCODE x86 NOOP [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 207.171.185.196:80 -> 10.21.0.16:1493
11/11-10:43:16.912596 [**] [1:5713:3] WEB-CLIENT Windows Metafile invalid header size integer overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 65.55.69.143:80 -> 10.21.0.16:1491
11/11-10:45:35.275018 [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 97.65.104.17:80 -> 10.21.0.16:2634

From pcap file:
10:26:15.284212 IP 216.75.1.230.443 > 10.21.0.9.53302: Flags [.], ack 1538376874, win 46, options [nop,nop,TS val 285059531 ecr 843329], length 1388
10:27:41.141234 IP 68.142.93.133.80 > 10.21.0.16.62912: Flags [.], ack 3472428307, win 65535, length 1400
10:27:58.026044 IP 10.21.0.16.62962 > 85.17.84.214.80: Flags [S], seq 3387361148, win 65535, options [mss 1460,nop,nop,sackOK], length 0
10:30:04.970609 IP 10.21.0.16.63283 > 199.7.50.72.80: Flags [P.], ack 1095737173, win 65535, length 20
10:30:36.362238 IP 64.210.194.188.80 > 10.21.0.16.63388: Flags [.], ack 2060485191, win 7504, length 1400
10:30:44.274148 IP 66.150.28.142.80 > 10.21.0.16.63427: Flags [.], ack 1404174044, win 7066, length 1400
10:32:33.810911 IP 64.75.15.140.80 > 10.21.10.225.59450: Flags [P.], ack 2592865250, win 1023, length 1380
10:34:04.413890 IP 10.21.0.16.64094 > 173.204.52.197.80: Flags [P.], ack 87661050, win 65535, length 12
10:35:42.820754 IP 64.210.194.188.80 > 10.21.0.16.64404: Flags [.], ack 706084536, win 7504, length 1400
10:35:49.670676 IP 66.150.28.142.80 > 10.21.0.16.64432: Flags [.], ack 3592031382, win 7066, length 1400
10:38:00.626191 IP 10.21.0.16.64881 > 85.17.84.212.80: Flags [S], seq 2705613011, win 65535, options [mss 1460,nop,nop,sackOK], length 0
10:40:49.997265 IP 64.210.194.188.80 > 10.21.0.16.1181: Flags [.], ack 2665905014, win 13936, length 1400
10:40:57.546175 IP 207.171.185.196.80 > 10.21.0.16.1281: Flags [.], ack 237172578, win 65535, length 1380
10:41:42.069675 IP 207.171.185.196.80 > 10.21.0.16.1493: Flags [.], ack 1349174870, win 49664, length 1380
10:43:16.912596 IP 65.55.69.143.80 > 10.21.0.16.1491: Flags [P.], ack 1907873745, win 13425, length 1400
10:45:35.275018 IP 97.65.104.17.80 > 10.21.0.16.2634: Flags [.], ack 1374951746, win 7504, length 1400

From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Thursday, November 11, 2010 10:43 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Oddness with 16295

Bump... no takers on this?

From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Wednesday, November 10, 2010 10:52 AM
To: snort-users () lists sourceforge net
Subject: Oddness with 16295

So this is weird... looking at this hit:
11/10-10:38:18.976338 [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 -> 10.21.0.16:64385

Fairly certain it's an fp, but... when I hit the pcap dump file, it doesn't show... here are consecutive hits in the alert file:
11/10-10:37:25.096951 [**] [1:12280:2] WEB-CLIENT VML source file memory corruption [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185
11/10-10:37:25.131950 [**] [1:12280:2] WEB-CLIENT VML source file memory corruption [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185
11/10-10:38:18.976338 [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 -> 10.21.0.16:64385
11/10-10:39:35.643464 [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64686 -> 66.211.180.40:80

And from the pcap file:
sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395
10:37:25.096951 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack 1081895485, win 4789, length 1400
10:37:25.131950 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack 1, win 4789, length 1400
10:39:35.643464 IP 10.21.0.16.64686 > 66.211.180.40.80: Flags [.], ack 2261207081, win 65535, length 536

So where did 16295 go?

A quick check for that IP gives nothing:
[10:48:24 jlay@goids:~/log$] sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395 ip and host 204.11.109.23
reading from file internettcpdump.pcap.1289401395, link-type EN10MB (Ethernet)
[10:50:21 jlay@goids:~/log$]

James Lay
IT Security Analyst
WinCo Foods
208-672-2014 Office
208-559-1855 Cell
650 N Armstrong Pl.
Boise, Idaho 83704
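As an added example that is not part of this thread and not Snort project code: a small Python script that automates the cross-check James did by eye, parsing an alert_fast file and the `tcpdump -n -r` listing of the matching log_tcpdump pcap and reporting every alert for which no packet was logged. It assumes IPv4 alerts in alert_fast format and plain `tcpdump -n -r` output (time of day only, no date), and it matches an alert to a packet by identical microsecond timestamp plus the same pair of endpoints, an assumption based on rmkml's point that log_tcpdump writes the single triggering packet per alert. The sample data is copied from the thread above; the script name `check_pcap.py` in the usage note is hypothetical.

```python
"""Cross-check a Snort alert_fast log against the tcpdump -n -r listing of
the matching log_tcpdump pcap and list alerts that have no packet logged.

Added example for this thread, not Snort project code.  Assumptions: IPv4
alerts in alert_fast format; the pcap listing is plain `tcpdump -n -r`
output (time of day only), so compare an alert file with the pcap written
over the same day.  An alert is matched to a packet by identical microsecond
time plus the same (unordered) pair of ip/port endpoints.
"""
import re

# alert_fast line: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [...] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d{6}) \[\*\*\] "
    r"\[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.*?) \[\*\*\] .*?"
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)
# tcpdump -n line: HH:MM:SS.usec IP a.b.c.d.port > e.f.g.h.port: ...
PKT_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d{6}) IP (?P<src>\S+) > (?P<dst>[^:]+):")

# Sample input copied from the thread: four alerts, but the pcap listing for
# the same minutes holds only two packets.
ALERT_FAST = """\
11/11-10:38:00.626191 [**] [1:2406512:194] ET RBN Known Russian Business Network IP TCP (257) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.21.0.16:64881 -> 85.17.84.212:80
11/11-10:38:38.577756 [**] [1:17487:1] WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 96.6.2.125:80 -> 10.21.0.16:64991
11/11-10:38:38.818757 [**] [1:17487:1] WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 72.246.94.34:80 -> 10.21.0.16:64835
11/11-10:40:49.997265 [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:1181
"""
TCPDUMP = """\
10:38:00.626191 IP 10.21.0.16.64881 > 85.17.84.212.80: Flags [S], seq 2705613011, win 65535, options [mss 1460,nop,nop,sackOK], length 0
10:40:49.997265 IP 64.210.194.188.80 > 10.21.0.16.1181: Flags [.], ack 2665905014, win 13936, length 1400
"""


def _alert_endpoint(s):
    # "10.21.0.16:64991" -> ("10.21.0.16", "64991"); ICMP alerts carry no port
    host, sep, port = s.rpartition(":")
    return (host, port) if sep else (s, "")


def _pkt_endpoint(s):
    # tcpdump -n joins host and port with a dot: "10.21.0.16.64991"
    if s.count(".") == 4:
        host, _, port = s.rpartition(".")
        return (host, port)
    return (s, "")  # no port (e.g. ICMP)


def parse_alert_fast(text):
    """Return one dict per alert line, each with a 'key' usable for matching."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # blank or non-alert line
        a = m.groupdict()
        a["key"] = (a["time"], frozenset([_alert_endpoint(a["src"]), _alert_endpoint(a["dst"])]))
        alerts.append(a)
    return alerts


def parse_tcpdump(text):
    """Return the set of (time, endpoint pair) keys present in the pcap listing."""
    keys = set()
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            keys.add((m["time"], frozenset([_pkt_endpoint(m["src"]), _pkt_endpoint(m["dst"])])))
    return keys


def find_unlogged(alerts, packet_keys):
    """Alerts whose triggering packet does not appear in the pcap listing."""
    return [a for a in alerts if a["key"] not in packet_keys]


def report(alert_text=ALERT_FAST, pcap_text=TCPDUMP):
    alerts = parse_alert_fast(alert_text)
    missing = find_unlogged(alerts, parse_tcpdump(pcap_text))
    print(f"{len(alerts)} alerts, {len(missing)} without a logged packet")
    for a in missing:
        print(f"  {a['date']}-{a['time']} [{a['sid']}] {a['msg']} {a['src']} -> {a['dst']}")
    return missing


if __name__ == "__main__":
    report()
```

With the sample data the report lists exactly the two 10:38:38 alerts. For a real run, save `sudo tcpdump -n -r internettcpdump.pcap` output to a file and call `report(open("internetalert.fast").read(), open("pkts.txt").read())` from `check_pcap.py`; any alerts it lists are the ones to compare against the packet statistics rmkml suggests checking (the `kill -USR1` dump), since a non-empty list with no drops reported points at the output plugin rather than at the capture.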
Current thread:
- Snort not logging all alerts in pcap (was Oddness with 16295) Lay, James (Nov 11)
- Re: Snort not logging all alerts in pcap (was Oddness with 16295) rmkml (Nov 13)
- Re: Snort not logging all alerts in pcap (was Oddness with 16295) James Lay (Nov 15)
- Re: Snort not logging all alerts in pcap (was Oddness with 16295) rmkml (Nov 13)