Snort mailing list archives
Re: [Emerging-Sigs] FP on 2012886 but I don't see how
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 4 Aug 2011 13:13:19 -0400
I am wondering if Barnyard2 is logging the first packet, but not the tagged packet. Can you use u2spewfoo that we include with Snort to look inside your unified2 file and find out if it's there.

<It's morning in Vegas and I'm not really awake yet.>

J

On Aug 4, 2011, at 12:56 PM, Weir, Jason wrote:

Not really sure how to answer that.. Unified2 -> barnyard2 -> mysql -> base?

-J

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, August 04, 2011 12:53 PM
To: Weir, Jason
Cc: Emerging Sigs
Subject: Re: [Emerging-Sigs] FP on 2012886 but I don't see how

How are you logging?

Sent from my iPhone

On Aug 3, 2011, at 13:05, "Weir, Jason" <jason.weir () nhrs org> wrote:

I think you were clear - my understanding not so much.. You'd think it would log the packet it alerts on... Joel, is there a reason for this?

Thanks!

-J

-----Original Message-----
From: rmkml [mailto:rmkml () free fr]
Sent: Wednesday, August 03, 2011 4:03 PM
To: Weir, Jason
Cc: Emerging Sigs; rmkml () free fr
Subject: Re: [Emerging-Sigs] FP on 2012886 but I don't see how

Hi Jason,

Snort match on "first" payload packet and alert+write on pcap (because you use http_*), unfortunately, your content searching (passwd) are on "second" payload packet... sorry if I'm not clear.

Regards
Rmkml

On Wed, 3 Aug 2011, Weir, Jason wrote:

Yes - but it looks like it alerted on packet 1 from your example - there is no passwd= in packet 1... Am I missing something in your explanation?

-J

-----Original Message-----
From: rmkml [mailto:rmkml () free fr]
Sent: Wednesday, August 03, 2011 3:51 PM
To: Weir, Jason
Cc: Emerging Sigs; rmkml () free fr
Subject: Re: [Emerging-Sigs] FP on 2012886 but I don't see how

Hi,

Excuse me, but what the pb? snort record only one packet by alert, and http request allow splitting uri on "first" payload packet and argument/value in "second" payload packet like this for example:

1: POST /api/login/platintanium HTTP/1.1
....
2: a=b&passwd=example

Regards
Rmkml

On Wed, 3 Aug 2011, Joel Esler wrote:

Yes, please review the Snort.conf in the VRT rulepack as it has our recommended default settings. When we put out a new rulepack and I announce it on http://blog.snort.org, I have a line in there that states if we have made any changes to the Snort.conf with the rulepack.

We haven't done one in awhile.

J

On Aug 3, 2011, at 3:05 PM, Weir, Jason wrote:

I see the manual has 262144 as the default, I'll start there... Manual doesn't specify what gets used if option isn't set... As I don't have max_udp set...

-J

-----Original Message-----
From: emerging-sigs-bounces () emergingthreats net [mailto:emerging-sigs-bounces () emergingthreats net] On Behalf Of Weir, Jason
Sent: Wednesday, August 03, 2011 2:56 PM
To: Emerging Sigs
Subject: Re: [Emerging-Sigs] FP on 2012886 but I don't see how

Joel,

What would you recommend looks like I'm @ 8192 currently..

preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no max_active_responses 2 min_response_seconds 5

-J

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Wednesday, August 03, 2011 2:52 PM
To: Weir, Jason
Cc: Emerging Sigs
Subject: Re: [Emerging-Sigs] FP on 2012886 but I don't see how

Can you increase your max sessions in stream5? It looks like you are maxed out.

--
Sent from my iPad
Please excuse the brevity

On Aug 3, 2011, at 2:45 PM, "Weir, Jason" <jason.weir () nhrs org> wrote:

Debian\Snort 2.9.0.5

I don't think it's load related...

%CPU PID USER COMMAND
8.4 15845 snort /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1
1.3 15846 root /usr/local/bin/barnyard2 -q -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log blah blah blah

Output from snort perf monitor - consistently less than .05% packet loss, doesn't seem excessive to me, unless the switch is dropping packets before they get to the sensor..

1312388143,0.042,11.997,0.007,3.416,438,80.928,5.236,5.096,5.612,3.737,1690,1738,213.762,0,293,0.021,0.003,0.003,0.003,0.000,0.003,16,16,0,0,1,7.715,0.612,91.672,11.997,0.000,0.000,0.700,12.697,438,452,1474,409,437,3.416,0.000,0.000,0.214,3.630,3077133,1295,0,4.448,0.134,3885,3885,1738,210,400,1095,0.414,3.658,0.325,0.000,0.000,0,0,0.000,0,0.000,0,0,0,

-J

-----Original Message-----
From: Matthew Jonkman [mailto:jonkman () emergingthreatspro com]
Sent: Wednesday, August 03, 2011 2:33 PM
To: Weir, Jason
Cc: Emerging Sigs
Subject: Re: [Emerging-Sigs] FP on 2012886 but I don't see how

That ain't right... Which engine/version/platform? Overloaded? Any significant packet dropping going on?

Matt

On Aug 3, 2011, at 2:16 PM, Weir, Jason wrote:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Http Client Body contains passwd= in cleartext"; flow:established,to_server; content:"passwd="; nocase; http_client_body; classtype:policy-violation; sid:2012886; rev:1;)

Tripped on this

POST /api/login/platintanium HTTP/1.1
Host: www.reddit.com
Connection: keep-alive
Referer: http://www.reddit.com/
Content-Length: 83
Origin: http://www.reddit.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.107 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=55650728.1511640242.1305205532.1310644711.1310647724.19; __utmz=55650728.1305205532.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _recentclicks2=t3_j7ryz%2C; _last_thing=; reddit_first=%7B%22organic_pos%22%3A%2057%2C%20%22firsttime%22%3A%20%22first%22%7D

-J

_____________________________________________________________________________________________
Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats!
Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
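An added illustration of rmkml's point, not code from the thread: the request below is a constructed two-segment version of the POST in the report (headers in the first TCP segment, the form body only in the second). Searching the reassembled client body finds passwd=, which is what the rule's http_client_body match sees after stream5 reassembly, while the single packet that gets logged for the alert contains no passwd= at all.

```python
import re

# Constructed sample, not the captured traffic from the thread: the same
# POST split across two TCP segments the way rmkml describes it.
SEGMENT_1 = (
    b"POST /api/login/platintanium HTTP/1.1\r\n"
    b"Host: www.reddit.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 21\r\n"
    b"\r\n"
)
SEGMENT_2 = b"user=alice&passwd=s3c"  # 21 bytes, form body only

# The rule's content match: content:"passwd="; nocase;
PATTERN = re.compile(rb"passwd=", re.IGNORECASE)


def client_body(stream: bytes) -> bytes:
    """Return the HTTP client body (the buffer http_client_body inspects)
    of a reassembled request; empty if the header/body separator is absent."""
    _head, sep, body = stream.partition(b"\r\n\r\n")
    return body if sep else b""


def match_reassembled(segments) -> bool:
    """Mimic stream5 + http_inspect: reassemble, then search the client body."""
    return PATTERN.search(client_body(b"".join(segments))) is not None


def match_single_packet(packet: bytes) -> bool:
    """What you see if you only inspect the one packet Snort logged."""
    return PATTERN.search(packet) is not None


def segment_holding_match(segments):
    """1-based index of the TCP segment carrying the matched bytes, or None."""
    stream = b"".join(segments)
    m = PATTERN.search(client_body(stream))
    if m is None:
        return None
    abs_off = stream.find(b"\r\n\r\n") + 4 + m.start()  # offset in the stream
    offset = 0
    for i, seg in enumerate(segments, 1):
        if offset <= abs_off < offset + len(seg):
            return i
        offset += len(seg)
    return None
```

Run against the two-segment sample, the alert fires on the reassembled stream but the logged first segment never matches; send the same bytes in one segment and the logged packet does contain the match.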