Snort mailing list archives
Re: flow:established still broken in 2.9.0.5?
From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 29 Jun 2011 17:33:52 -0400
On Wed, Jun 29, 2011 at 4:57 PM, Jason Haar <Jason.Haar () trimble co nz> wrote:
> On 29/06/11 22:47, Joel Esler wrote:
>> Are you dropping packets? I am wondering that, because maybe Snort tagged this as a midstream pickup or something.
> Nope. snort is running on the proxy server itself, eth0 shows no errors, and doing a "kill -USR1" shows
>
>   Packet I/O Totals:
>      Received:    661036928
>      Analyzed:    661016939 ( 99.997%)
>       Dropped:        19989 (  0.003%)
>      Filtered:            0 (  0.000%)
>   Outstanding:        19989 (  0.003%)
>      Injected:            0
>
> (this is snort-2.9.0.5 under CentOS-5.6 with "pcap DAQ configured to passive")
>> Do you have a pcap?
> I have a pcap of the single packet that triggered the event - but not the first packet of the TCP stream - so I don't think it means much. As it's HTTPS, I'll attach it.
>> As a rule writing note, "isset" flowbit checks generally should come before content. I have no idea what this rule does though, but I'd want the flowbit check before the content in this case, as it's only a two byte match.
> That's an EmergingThreat rule - but that shouldn't matter. snort shouldn't have matched on a "depth:2" half-way through a tcp stream?
depth:2 applies to the current packet (raw or reassembled). It is not a depth from beginning of stream.
> The Big Question is: what does snort do when it "starts" in the middle of a tcp stream? Does it ignore all "flow" related rules, or does it (erroneously IMO) treat the first packet it sees as the first packet of the stream? (your question about packet loss makes me think that is what is happening?)
>
> Thanks
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377
> Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation
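An added illustration of the point in Russ Combs' reply above; this is not code from the thread, from Snort, or from the Emerging Threats rule in question. It is a toy Python model of how a `content` with `depth` is evaluated: the depth window is measured from the start of whatever buffer Snort is inspecting right now (one packet, or one reassembled chunk), not from byte 0 of the TCP session. The two-byte pattern, the session payloads and the "midstream pickup" point are all constructed for the example; the actual rule is not reproduced.

```python
"""Toy model of Snort-style ``content``/``depth`` evaluation.

Constructed example: the pattern, the payloads and the helper names are
assumptions made for illustration, not Snort internals or a real rule.
"""

from typing import List, Optional

# Hypothetical two-byte content, standing in for the rule's "two byte match".
PATTERN = b"\x16\x03"

# One direction of a constructed TCP session, one payload per packet.
SESSION = [
    b"GET / HTTP/1.1\r\n",      # packet 0: the session really starts here
    b"Host: example\r\n\r\n",   # packet 1
    b"\x16\x03\x01\x00\x2a",    # packet 2: payload happens to begin with PATTERN
    b"\x00\x16\x03\x00",        # packet 3: PATTERN present, but not within depth 2
]


def content_match(buf: bytes, pattern: bytes,
                  depth: Optional[int] = None, offset: int = 0) -> bool:
    """Content test against ONE inspection buffer.

    ``offset`` skips bytes at the front of the buffer; ``depth`` limits how
    far past ``offset`` the search may run, and the whole pattern has to fit
    inside that window.  With ``depth:2`` and a 2-byte pattern, only a match
    at position ``offset`` counts.
    """
    window = buf[offset:] if depth is None else buf[offset:offset + depth]
    return pattern in window


def evaluate_per_packet(packets: List[bytes], pattern: bytes, depth: int) -> List[int]:
    """The behaviour described in the reply: each packet (or reassembled
    chunk) is a fresh buffer, so the rule can fire on any packet whose
    payload starts with the pattern, wherever that packet sits in the
    session.  Returns the indices of the packets that match."""
    return [i for i, pkt in enumerate(packets)
            if content_match(pkt, pattern, depth=depth)]


def evaluate_from_stream_start(packets: List[bytes], pattern: bytes, depth: int) -> List[int]:
    """The behaviour the original poster expected: depth counted from the
    first byte of the whole session, so only the packet carrying the
    session's opening bytes could ever match.  Returns at most one index."""
    stream = b"".join(packets)
    pos = stream[:depth].find(pattern)
    if pos < 0 or pos + len(pattern) > depth:
        return []
    consumed = 0  # map the stream offset back to the packet that carries it
    for i, pkt in enumerate(packets):
        if pos < consumed + len(pkt):
            return [i]
        consumed += len(pkt)
    return []


def midstream_pickup(packets: List[bytes], first_seen: int) -> List[bytes]:
    """Model a sensor that starts (or drops packets) part-way through the
    session: it only ever sees ``packets[first_seen:]``.  Per-packet
    evaluation is unaffected by where the sensor joined the stream."""
    return packets[first_seen:]


if __name__ == "__main__":
    print("per-packet depth:2      ->", evaluate_per_packet(SESSION, PATTERN, 2))
    print("from stream start       ->", evaluate_from_stream_start(SESSION, PATTERN, 2))
    print("midstream pickup, pkt 1 ->",
          evaluate_per_packet(midstream_pickup(SESSION, 1), PATTERN, 2))
```

Run stand-alone, the per-packet evaluation fires on packet 2 even though the session began with an HTTP request, and it still fires when the sensor only joins at packet 1; the stream-relative evaluation never fires on this session. That is the difference between what Jason expected and what the reply describes. If a rule should only match at the beginning of a conversation, the usual approach is the one Joel alluded to: set a flowbit on the packet that identifies the start of the exchange and gate the short `content` with `flowbits:isset` placed before it, rather than relying on `depth` to anchor anything to the stream.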
Current thread:
- FP shows snort-2.9.0.3 confused over packets and sessions Jason Haar (May 09)
- Re: FP shows snort-2.9.0.3 confused over packets and sessions rmkml (May 10)
- Re: FP shows snort-2.9.0.3 confused over packets and sessions Jason Haar (May 11)
- flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions) Jason Haar (Jun 29)
- Re: flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions) Joel Esler (Jun 29)
- Re: flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions) Matthew Jonkman (Jun 29)
- Re: flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions) Joel Esler (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Haar (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Russ Combs (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Haar (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Wallace (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Haar (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Wallace (Jun 30)
- Re: FP shows snort-2.9.0.3 confused over packets and sessions Jason Haar (May 11)
- Re: FP shows snort-2.9.0.3 confused over packets and sessions rmkml (May 10)