Snort mailing list archives
Re: Snort only partially alerting
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 21 Jun 2013 15:19:52 -0400
On Jun 21, 2013, at 11:04 AM, Joel Esler <jesler () sourcefire com> wrote:
On Jun 21, 2013, at 11:01 AM, Frank Calone <fc10011001 () gmail com> wrote:
All Discard: 322566 ( 25.165%)
Other: 67 ( 0.005%)
Bad Chk Sum: 326 ( 0.025%)
I'm asking for the pcap, as this concerns me.
Frank, I took a look at the pcap you sent me and these are the alerts I received when I ran the pcap:
06/20-13:47:35.353332 [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:35.560161 [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:35.769947 [**] [1:25514:1] FILE-IDENTIFY Portable Executable download detected [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:35.769947 [**] [1:25515:1] FILE-IDENTIFY Portable Executable binary file magic detected [**] [Classification: Misc activity] [Priority: 3] {TCP}
My Snort.conf can be found here: http://www.snort.org/vrt/snort-conf-configurations/
I stripped off the IPs at the end
So when I looked at the pcap I noticed there were a ton of incorrect checksums (the cut at the end of the statement is intended to strip out IPs):
$ tcpdump -r tcpdump.jun20.v3.pcap -vv | grep incorrect | cut -f2 -d:
Flags [.], cksum 0x44cd (incorrect -> 0x0172), seq 3485
Flags [.], cksum 0x44cd (incorrect -> 0x104b), seq 19545
Flags [P.], cksum 0x44cd (incorrect -> 0xc4e0), seq 38525
Flags [.], cksum 0x4a81 (incorrect -> 0xa44d), seq 41445
Flags [.], cksum 0x44cd (incorrect -> 0xf3a2), seq 45825
Flags [.], cksum 0x5035 (incorrect -> 0x647f), seq 48745
Flags [.], cksum 0x4a81 (incorrect -> 0x0ee7), seq 56045
Flags [.], cksum 0x44cd (incorrect -> 0xf978), seq 64805
Flags [.], cksum 0x4a81 (incorrect -> 0x050f), seq 79405
Flags [.], cksum 0x44cd (incorrect -> 0x2969), seq 83785
Flags [.], cksum 0x44cd (incorrect -> 0x25d5), seq 92545
Flags [.], cksum 0x4a81 (incorrect -> 0x2962), seq 95465
Flags [.], cksum 0x44cd (incorrect -> 0x001d), seq 129045
Flags [.], cksum 0x44cd (incorrect -> 0x8619), seq 148025
Flags [.], cksum 0x44cd (incorrect -> 0xc65d), seq 152405
Flags [.], cksum 0x4a81 (incorrect -> 0x0fc3), seq 174305
Flags [.], cksum 0x44cd (incorrect -> 0x9a82), seq 180145
Flags [.], cksum 0x44cd (incorrect -> 0x4cac), seq 183065
Flags [.], cksum 0x44cd (incorrect -> 0x3fdf), seq 193285
Flags [.], cksum 0x44cd (incorrect -> 0x31a0), seq 197665
Flags [.], cksum 0x44cd (incorrect -> 0xc5d8), seq 216645
Flags [.], cksum 0x4a81 (incorrect -> 0x0fa6), seq 223945
Flags [.], cksum 0x44cd (incorrect -> 0xf8f4), seq 240005
Flags [.], cksum 0x44cd (incorrect -> 0xe1ca), seq 261905
Flags [.], cksum 0x44cd (incorrect -> 0xf3d0), seq 269205
Flags [.], cksum 0x44cd (incorrect -> 0xdcb6), seq 272125
Flags [.], cksum 0x4a81 (incorrect -> 0x3841), seq 279425
Flags [P.], cksum 0x44cd (incorrect -> 0x2c66), seq 283805
Flags [.], cksum 0x44cd (incorrect -> 0x007f), seq 291105
Flags [.], cksum 0x44cd (incorrect -> 0x73ea), seq 302785
Flags [.], cksum 0x44cd (incorrect -> 0xcb65), seq 305705
Flags [.], cksum 0x44cd (incorrect -> 0xc839), seq 310085
Flags [.], cksum 0x44cd (incorrect -> 0x2080), seq 323225
Flags [.], cksum 0x44cd (incorrect -> 0x4970), seq 327605
Flags [.], cksum 0x44cd (incorrect -> 0x2909), seq 331985
Flags [.], cksum 0x4a81 (incorrect -> 0xff42), seq 339285
Flags [.], cksum 0x4a81 (incorrect -> 0xdc3d), seq 343665
Flags [.], cksum 0x44cd (incorrect -> 0x1557), seq 348045
Flags [.], cksum 0x6705 (incorrect -> 0x8ce1), seq 356805
Flags [.], cksum 0x4a81 (incorrect -> 0x23bb), seq 368485
Flags [.], cksum 0x44cd (incorrect -> 0xba3c), seq 402065
Flags [.], cksum 0x44cd (incorrect -> 0x9696), seq 418125
Flags [.], cksum 0x4a81 (incorrect -> 0xef8c), seq 421045
Flags [.], cksum 0x4a81 (incorrect -> 0xda29), seq 428345
Flags [P.], cksum 0x44cd (incorrect -> 0xe4c1), seq 434185
Flags [.], cksum 0x44cd (incorrect -> 0x91e7), seq 437105
Flags [.], cksum 0x44cd (incorrect -> 0x9e95), seq 442945
Flags [.], cksum 0x4a81 (incorrect -> 0x8aaf), seq 445865
Flags [.], cksum 0x44cd (incorrect -> 0x08ac), seq 454625
Flags [.], cksum 0x44cd (incorrect -> 0x1815), seq 457545
Flags [.], cksum 0x44cd (incorrect -> 0xba15), seq 467765
Flags [.], cksum 0x44cd (incorrect -> 0xc270), seq 470685
Flags [.], cksum 0x44cd (incorrect -> 0x8612), seq 475065
Flags [.], cksum 0x44cd (incorrect -> 0xd14c), seq 479445
Flags [P.], cksum 0x4089 (incorrect -> 0xccaa), seq 482365
When I corrected the checksums on the file you sent me:
06/20-13:47:35.353332 [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:35.560161 [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:35.769947 [**] [1:25514:1] FILE-IDENTIFY Portable Executable download detected [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:35.769947 [**] [1:25515:1] FILE-IDENTIFY Portable Executable binary file magic detected [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:42.628989 [**] [1:20486:10] FILE-IDENTIFY RTF file magic detected [**] [Classification: Misc activity] [Priority: 3] {TCP}
again, with stripped out IPs
Either way I get alerts, but the second time I got an alert for RTF file magic as well, so it's quite obvious that the checksums are having some kind of effect over there.
Try running Snort with "-k none" added to your command line to turn off checksum validation and see if you get an alert.
--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
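The point of the exchange above is that Snort's decoder verifies IPv4 and TCP checksums before a packet ever reaches the detection engine, and a packet that fails lands in the "Bad Chk Sum" counter instead of being matched against rules. The following is an added example for this archive page, not code from the thread, from Snort or from tcpdump: a pure-Python checker that does what tcpdump -vv's "incorrect -> 0x...." annotation and Snort's counter do, verifying the IPv4 header checksum and the TCP checksum (pseudo-header included) for every packet in a classic pcap. The capture it audits is constructed inline, so the addresses, ports, MAC addresses and payloads are made up and assume plain Ethernet/IPv4 frames; it reads both pcap byte orders but not pcapng.

```python
"""Verify IPv4/TCP checksums in a pcap the way Snort's decoder does before detection.

Added example for this thread, not Snort or tcpdump code.  The capture is
constructed inline so the script runs offline; all addresses, ports and
payloads are invented for the example.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum.  Computed over a header that already
    carries its correct checksum field the result is 0; that is the check below."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum covers a pseudo-header (addresses, protocol, length) plus the
    whole segment, so a rewritten IP address or a bad length also breaks it."""
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    return inet_checksum(pseudo + segment)


def build_frame(src_ip: str, dst_ip: str, payload: bytes, corrupt: bool = False) -> bytes:
    """Ethernet/IPv4/TCP frame with a PSH/ACK segment.  corrupt=True damages the
    TCP checksum, like the 'incorrect -> 0x....' packets tcpdump -vv reported
    (constructed data, not the poster's capture)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 80, 49152, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    csum = tcp_checksum(src, dst, tcp + payload)
    if corrupt:
        csum ^= 0x5A5A
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0x4000, 64, IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def write_pcap(frames) -> bytes:
    """Serialise frames as a big-endian classic pcap, link type Ethernet."""
    out = [struct.pack(">IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack(">IIII", 1371750455 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data: bytes):
    """Yield the frames of a classic (not pcapng) pcap held in memory."""
    end = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic microsecond pcap")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def verify_frame(frame: bytes):
    """Return (ip_ok, tcp_ok) for an Ethernet/IPv4 frame; None where not applicable."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None, None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    ip_ok = inet_checksum(ip[:ihl]) == 0
    if ip[9] != IPPROTO_TCP:
        return ip_ok, None
    tcp_ok = tcp_checksum(ip[12:16], ip[16:20], ip[ihl:total_len]) == 0
    return ip_ok, tcp_ok


def audit_pcap(data: bytes) -> dict:
    """Count the packets a checksum-validating Snort (the default, -k all) discards
    before detection; with -k none the same packets would be inspected."""
    stats = {"total": 0, "bad_ip": 0, "bad_tcp": 0}
    for frame in read_pcap(data):
        stats["total"] += 1
        ip_ok, tcp_ok = verify_frame(frame)
        stats["bad_ip"] += int(ip_ok is False)
        stats["bad_tcp"] += int(tcp_ok is False)
    return stats


# Constructed capture: one clean request and two responses with broken TCP checksums.
SAMPLE_PCAP = write_pcap([
    build_frame("10.0.0.5", "10.0.0.80", b"GET /update.exe HTTP/1.1\r\nHost: files.example\r\n\r\n"),
    build_frame("10.0.0.80", "10.0.0.5", b"HTTP/1.1 200 OK\r\n\r\nMZ\x90\x00", corrupt=True),
    build_frame("10.0.0.80", "10.0.0.5", b"HTTP/1.1 200 OK\r\n\r\n{\\rtf1\\ansi", corrupt=True),
])

if __name__ == "__main__":
    print(audit_pcap(SAMPLE_PCAP))   # {'total': 3, 'bad_ip': 0, 'bad_tcp': 2}
```

To audit a real capture, feed `open(path, "rb").read()` to `audit_pcap` instead of `SAMPLE_PCAP`; a non-zero `bad_tcp` on a file that Snort only partially alerts on is the same symptom the thread describes. The `-k none` command-line switch suggested above has the snort.conf equivalent `config checksum_mode: none`. One caveat before leaving it that way: with validation off, Snort inspects segments that the receiving TCP stack will silently discard, which is exactly the insertion evasion Ptacek and Newsham described, so it is better to find out why the capture has bad checksums (when frames are captured on the host that sent them, checksum offload on that host's NIC is the usual cause) and fix it at the sensor.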
