Snort mailing list archives
preprocessors and thresholding broken with latest rules tarball?
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Thu, 19 May 2011 21:15:50 +0000
After fixing up my pulledpork stuff to get the so_rules.rules file to generate correctly, I started getting a lot more alerting from stuff I had already suppressed in the threshold.conf file. This could be correlation and not causation, as the tarball was updated last night. Anyhow, below is just one example of this:

See this alert fire off:
===============================================================
Count:2 Event#3.705674 2011-05-19 20:22:17
stream5: Bad segment, overlap adjusted size less than/equal 0
66.220.146.22 -> 10.169.153.218
IPVer=4 hlen=5 tos=0 dlen=311 ID=64979 flags=2 offset=0 ttl=245 chksum=3447
Protocol: 6 sport=80 -> dport=49410 Seq=2907980535 Ack=3090935190 Off=8 Res=0 Flags=***A**** Win=5023 chksum=29482 urp=0
Payload:
<-------------------------------REDACTED----------------------->

I know that I had suppressed the alerting of all of the stream5 preprocessor, so I double checked that:

$ grep "Bad segment, overlap adjusted size less than/equal 0" /etc/snort/gen-msg.map
129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0

$ grep "suppress gen_id 129, sig_id 5" /etc/snort/threshold.conf
suppress gen_id 129, sig_id 5

$ grep "include threshold.conf" /etc/snort/snort.conf
include threshold.conf

So it is in threshold to be suppressed and snort.conf does include threshold.conf. So I would like to know why Snort is now not suppressing alerts for this output? The only thing that could have changed, I think, is that now in the snort.rules file there appear to be a bunch of new rules from the preprocessors thrown in. I don't know if that is due to the tarball update however:

---snip---
alert ( msg: "STREAM5_BAD_SEGMENT"; sid: 5; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
---snip---

So I guess there are two issues discovered here.

Snort:
=========================================
Still generates alerts despite threshold.conf settings for preprocessors if the preproc_rules/*.rules file is loaded up inside of the snort.rules. I don't know how or why this would start happening now. Or why there are now preprocessor rules located in two locations, compiled into the code (I assume?) and also in a separate rules file. Would this cause double alerting or something? Why did this happen?

PulledPork:
=========================================
Does not allow you to specify the disabling of the files inside of the VRT tarball for the preprocs:

- preproc_rules/decoder.rules
- preproc_rules/preprocessor.rules
- preproc_rules/sensitive-data.rules

I have tried including sensitive-data.rules inside of the ignore= line of pulledpork.conf, but the file still gets included into the snort.rules output.

--
Eoin
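An added example (not from the original post, and not code from the Snort or PulledPork projects): a small Python check that parses the three artifacts the post greps through, the preproc rule lines in snort.rules, the suppress lines in threshold.conf and gen-msg.map, and reports preprocessor gid:sid pairs that a loaded rules file will alert on but threshold.conf does not suppress. The file contents below are constructed samples modelled on the snippets in the post, not the real files.

```python
import re

# Constructed sample inputs modelled on the post (not the real files on any sensor).
GEN_MSG_MAP = """\
129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
129 || 6 || stream5: Window size (after scaling) larger than policy allows
"""
THRESHOLD_CONF = """\
# suppress all stream5 bad-segment events
suppress gen_id 129, sig_id 5
suppress gen_id 1, sig_id 2012345, track by_src, ip 10.0.0.0/8
"""
SNORT_RULES = """\
alert ( msg: "STREAM5_BAD_SEGMENT"; sid: 5; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "STREAM5_WINDOW_TOO_LARGE"; sid: 6; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert tcp any any -> any 80 ( msg: "example text rule"; sid: 2012345; rev: 1; )
"""

# Preproc rules carry sid before gid and are tagged "rule-type preproc" in metadata.
PREPROC_RULE = re.compile(r'^\s*alert\s*\(.*?sid:\s*(\d+);.*?gid:\s*(\d+);.*?rule-type\s+preproc', re.M)
# Global suppress lines; anything after sig_id (e.g. "track by_src, ip ...") narrows the scope.
SUPPRESS = re.compile(r'^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)(.*)$', re.M)
# gen-msg.map format: gid || sid || message
GEN_MSG = re.compile(r'^\s*(\d+)\s*\|\|\s*(\d+)\s*\|\|\s*(.+?)\s*$', re.M)


def preproc_rules(rules_text):
    """Set of (gid, sid) for every preprocessor rule present in a rules file."""
    return {(int(gid), int(sid)) for sid, gid in PREPROC_RULE.findall(rules_text)}


def suppressions(threshold_text):
    """Set of (gid, sid) that threshold.conf suppresses for every host (no track/ip clause)."""
    return {(int(gid), int(sid)) for gid, sid, rest in SUPPRESS.findall(threshold_text)
            if 'track' not in rest}


def messages(genmsg_text):
    """Map (gid, sid) -> human-readable event message from gen-msg.map."""
    return {(int(gid), int(sid)): msg for gid, sid, msg in GEN_MSG.findall(genmsg_text)}


def unsuppressed_preproc_rules(rules_text, threshold_text, genmsg_text):
    """Sorted (gid, sid, message) for preproc rules with no global suppress entry."""
    msgs = messages(genmsg_text)
    missing = preproc_rules(rules_text) - suppressions(threshold_text)
    return sorted((gid, sid, msgs.get((gid, sid), '<not in gen-msg.map>')) for gid, sid in missing)


if __name__ == '__main__':
    for gid, sid, msg in unsuppressed_preproc_rules(SNORT_RULES, THRESHOLD_CONF, GEN_MSG_MAP):
        print(f'{gid}:{sid} not suppressed: {msg}')
```

Run it against the real files (snort.rules, threshold.conf, gen-msg.map) to see at a glance which preprocessor events still have no matching suppress line after a rules update.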
Current thread:
- preprocessors and thresholding broken with latest rules tarball? Eoin Miller (May 19)
- Re: preprocessors and thresholding broken with latest rules tarball? carlopmart (May 20)
- Re: preprocessors and thresholding broken with latest rules tarball? Eoin Miller (May 20)
- Re: preprocessors and thresholding broken with latest rules tarball? JJC (May 20)
- Re: preprocessors and thresholding broken with latest rules tarball? Joel Esler (May 20)
- Re: preprocessors and thresholding broken with latest rules tarball? Eoin Miller (May 20)
- Re: preprocessors and thresholding broken with latest rules tarball? carlopmart (May 20)