Snort mailing list archives
Re: Snort only partially alerting
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 21 Jun 2013 15:19:52 -0400
On Jun 21, 2013, at 11:04 AM, Joel Esler <jesler () sourcefire com> wrote:

> On Jun 21, 2013, at 11:01 AM, Frank Calone <fc10011001 () gmail com> wrote:
>
>> All Discard: 322566 ( 25.165%)
>> Other: 67 ( 0.005%)
>> Bad Chk Sum: 326 ( 0.025%)
>
> I'm asking for the pcap, as this concerns me.
Frank,

I took a look at the pcap you sent me and these are the alerts I received when I ran the pcap:

    06/20-13:47:35.353332 [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP}
    06/20-13:47:35.560161 [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP}
    06/20-13:47:35.769947 [**] [1:25514:1] FILE-IDENTIFY Portable Executable download detected [**] [Classification: Misc activity] [Priority: 3] {TCP}
    06/20-13:47:35.769947 [**] [1:25515:1] FILE-IDENTIFY Portable Executable binary file magic detected [**] [Classification: Misc activity] [Priority: 3] {TCP}

My Snort.conf can be found here: http://www.snort.org/vrt/snort-conf-configurations/

I stripped off the IPs at the end.

So when I looked at the pcap I noticed there were a ton of incorrect checksums (the cut at the end of the statement is intended to strip out IPs):

    $ tcpdump -r tcpdump.jun20.v3.pcap -vv | grep incorrect | cut -f2 -d:
    Flags [.], cksum 0x44cd (incorrect -> 0x0172), seq 3485
    Flags [.], cksum 0x44cd (incorrect -> 0x104b), seq 19545
    Flags [P.], cksum 0x44cd (incorrect -> 0xc4e0), seq 38525
    Flags [.], cksum 0x4a81 (incorrect -> 0xa44d), seq 41445
    Flags [.], cksum 0x44cd (incorrect -> 0xf3a2), seq 45825
    Flags [.], cksum 0x5035 (incorrect -> 0x647f), seq 48745
    Flags [.], cksum 0x4a81 (incorrect -> 0x0ee7), seq 56045
    Flags [.], cksum 0x44cd (incorrect -> 0xf978), seq 64805
    Flags [.], cksum 0x4a81 (incorrect -> 0x050f), seq 79405
    Flags [.], cksum 0x44cd (incorrect -> 0x2969), seq 83785
    Flags [.], cksum 0x44cd (incorrect -> 0x25d5), seq 92545
    Flags [.], cksum 0x4a81 (incorrect -> 0x2962), seq 95465
    Flags [.], cksum 0x44cd (incorrect -> 0x001d), seq 129045
    Flags [.], cksum 0x44cd (incorrect -> 0x8619), seq 148025
    Flags [.], cksum 0x44cd (incorrect -> 0xc65d), seq 152405
    Flags [.], cksum 0x4a81 (incorrect -> 0x0fc3), seq 174305
    Flags [.], cksum 0x44cd (incorrect -> 0x9a82), seq 180145
    Flags [.], cksum 0x44cd (incorrect -> 0x4cac), seq 183065
    Flags [.], cksum 0x44cd (incorrect -> 0x3fdf), seq 193285
    Flags [.], cksum 0x44cd (incorrect -> 0x31a0), seq 197665
    Flags [.], cksum 0x44cd (incorrect -> 0xc5d8), seq 216645
    Flags [.], cksum 0x4a81 (incorrect -> 0x0fa6), seq 223945
    Flags [.], cksum 0x44cd (incorrect -> 0xf8f4), seq 240005
    Flags [.], cksum 0x44cd (incorrect -> 0xe1ca), seq 261905
    Flags [.], cksum 0x44cd (incorrect -> 0xf3d0), seq 269205
    Flags [.], cksum 0x44cd (incorrect -> 0xdcb6), seq 272125
    Flags [.], cksum 0x4a81 (incorrect -> 0x3841), seq 279425
    Flags [P.], cksum 0x44cd (incorrect -> 0x2c66), seq 283805
    Flags [.], cksum 0x44cd (incorrect -> 0x007f), seq 291105
    Flags [.], cksum 0x44cd (incorrect -> 0x73ea), seq 302785
    Flags [.], cksum 0x44cd (incorrect -> 0xcb65), seq 305705
    Flags [.], cksum 0x44cd (incorrect -> 0xc839), seq 310085
    Flags [.], cksum 0x44cd (incorrect -> 0x2080), seq 323225
    Flags [.], cksum 0x44cd (incorrect -> 0x4970), seq 327605
    Flags [.], cksum 0x44cd (incorrect -> 0x2909), seq 331985
    Flags [.], cksum 0x4a81 (incorrect -> 0xff42), seq 339285
    Flags [.], cksum 0x4a81 (incorrect -> 0xdc3d), seq 343665
    Flags [.], cksum 0x44cd (incorrect -> 0x1557), seq 348045
    Flags [.], cksum 0x6705 (incorrect -> 0x8ce1), seq 356805
    Flags [.], cksum 0x4a81 (incorrect -> 0x23bb), seq 368485
    Flags [.], cksum 0x44cd (incorrect -> 0xba3c), seq 402065
    Flags [.], cksum 0x44cd (incorrect -> 0x9696), seq 418125
    Flags [.], cksum 0x4a81 (incorrect -> 0xef8c), seq 421045
    Flags [.], cksum 0x4a81 (incorrect -> 0xda29), seq 428345
    Flags [P.], cksum 0x44cd (incorrect -> 0xe4c1), seq 434185
    Flags [.], cksum 0x44cd (incorrect -> 0x91e7), seq 437105
    Flags [.], cksum 0x44cd (incorrect -> 0x9e95), seq 442945
    Flags [.], cksum 0x4a81 (incorrect -> 0x8aaf), seq 445865
    Flags [.], cksum 0x44cd (incorrect -> 0x08ac), seq 454625
    Flags [.], cksum 0x44cd (incorrect -> 0x1815), seq 457545
    Flags [.], cksum 0x44cd (incorrect -> 0xba15), seq 467765
    Flags [.], cksum 0x44cd (incorrect -> 0xc270), seq 470685
    Flags [.], cksum 0x44cd (incorrect -> 0x8612), seq 475065
    Flags [.], cksum 0x44cd (incorrect -> 0xd14c), seq 479445
    Flags [P.], cksum 0x4089 (incorrect -> 0xccaa), seq 482365

When I corrected the checksums on the file you sent me:

    06/20-13:47:35.353332 [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP}
    06/20-13:47:35.560161 [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP}
    06/20-13:47:35.769947 [**] [1:25514:1] FILE-IDENTIFY Portable Executable download detected [**] [Classification: Misc activity] [Priority: 3] {TCP}
    06/20-13:47:35.769947 [**] [1:25515:1] FILE-IDENTIFY Portable Executable binary file magic detected [**] [Classification: Misc activity] [Priority: 3] {TCP}
    06/20-13:47:42.628989 [**] [1:20486:10] FILE-IDENTIFY RTF file magic detected [**] [Classification: Misc activity] [Priority: 3] {TCP}

again, with stripped out IPs.

Either way I get alerts, but the second time I got an alert for RTF file magic as well, so it's quite obvious that the checksums are having some kind of effect over there.

Try running Snort with "-k none" added to your command line to turn off checksum validation and see if you get an alert.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
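The check Joel is describing can be reproduced without Snort. What follows is an added example, not code from the thread or from the Snort or tcpdump projects: a pure-Python verifier that walks a libpcap file, recomputes each TCP segment's checksum over the RFC 793 pseudo-header, and reports stored versus expected values in the same shape as the tcpdump output above. The capture it reads is constructed in memory (addresses 10.0.0.5 and 10.0.0.80, two HTTP requests, and a forced stored value of 0x44cd on the second segment, chosen only because that value repeats through the listing above). A stored value that repeats across many segments while the expected value varies is the pattern a capture shows when it was taken on the sending host with TCP checksum offload enabled, since libpcap copies the frame before the NIC fills the field in; the thread does not say whether that is the case here.

```python
"""
Verify TCP checksums in a libpcap capture the way Snort's checksum validation
does before a packet reaches the detection engine. Segments that fail are what
Snort counts under "Bad Chk Sum"; by default they are not inspected.

Added example. The capture is constructed below; nothing is read from disk.
"""
import struct
from typing import List, Optional

PCAP_MAGIC = 0xA1B2C3D4  # little-endian libpcap, microsecond timestamps


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum (RFC 1071) of an arbitrary byte string."""
    if len(data) % 2:
        data += b"\x00"  # odd-length input is padded on the right
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """The on-the-wire checksum: one's complement of the folded sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Expected checksum of a TCP segment (header + payload) between two IPv4 hosts.

    Covers the RFC 793 pseudo-header (src, dst, zero, protocol 6, TCP length)
    followed by the segment with its own checksum field zeroed.
    """
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return internet_checksum(pseudo + zeroed)


def build_frame(src: str, dst: str, sport: int, dport: int, seq: int,
                payload: bytes, flags: int = 0x18,
                cksum_override: Optional[int] = None) -> bytes:
    """Ethernet/IPv4/TCP frame with a correct TCP checksum unless one is forced.

    cksum_override mimics a capture taken before the NIC filled the field in:
    the stored value then has no relation to the segment's contents.
    """
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))

    def tcp_header(cksum: int) -> bytes:
        # sport, dport, seq, ack, data offset (5 words), flags, window, cksum, urgent
        return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, cksum, 0)

    correct = tcp_checksum(s, d, tcp_header(0) + payload)
    tcp = tcp_header(correct if cksum_override is None else cksum_override) + payload

    def ip_header(cksum: int) -> bytes:
        # version/IHL, TOS, total length, id, flags/frag, TTL, protocol TCP, cksum, src, dst
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, cksum, s, d)

    ip = ip_header(internet_checksum(ip_header(0)))
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC (both zero), EtherType IPv4
    return eth + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian libpcap file with link type 1 (Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, captured length, original length (constructed timestamps)
        out += struct.pack("<IIII", 1371750455 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def check_tcp_checksums(pcap: bytes) -> List[dict]:
    """Walk a libpcap file and report stored vs. expected checksum per TCP segment."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng/nanosecond variants not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled")

    results = []
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6 or total_len - ihl < 20:
            continue  # not TCP, or truncated header
        segment = ip[ihl:total_len]
        stored = struct.unpack("!H", segment[16:18])[0]
        expected = tcp_checksum(ip[12:16], ip[16:20], segment)
        results.append({"seq": struct.unpack("!I", segment[4:8])[0],
                        "stored": stored, "expected": expected,
                        "ok": stored == expected})
    return results


def demo() -> dict:
    """Two-packet capture: one sound segment, one with a forced (wrong) checksum."""
    good = build_frame("10.0.0.5", "10.0.0.80", 49152, 80, 3485,
                       b"GET /update.exe HTTP/1.1\r\nHost: example.test\r\n\r\n")
    bad = build_frame("10.0.0.5", "10.0.0.80", 49152, 80, 19545,
                      b"GET /report.rtf HTTP/1.1\r\nHost: example.test\r\n\r\n",
                      cksum_override=0x44CD)
    report = check_tcp_checksums(build_pcap([good, bad]))
    return {"tcp_packets": len(report),
            "bad_chk_sum": sum(1 for r in report if not r["ok"]),
            "segments": report}


if __name__ == "__main__":
    for seg in demo()["segments"]:
        state = "correct" if seg["ok"] else "incorrect -> 0x%04x" % seg["expected"]
        print("cksum 0x%04x (%s), seq %d" % (seg["stored"], state, seg["seq"]))
```

A segment reported as incorrect here is one Snort will count as "Bad Chk Sum" and skip, which is why a capture full of them can produce fewer alerts than the traffic warrants. Turning validation off with "-k none" on the command line (the snort.conf equivalent is `config checksum_mode: none`) lets those segments reach the detection engine; rewriting the capture with correct checksums (for example tcprewrite's `--fixcsum`) is the other route and is what the corrected run above amounts to.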
Current thread:
- Snort only partially alerting Frank Calone (Jun 18)
- Re: Snort only partially alerting James Lay (Jun 18)
- Re: Snort only partially alerting Frank Calone (Jun 26)
- Re: Snort only partially alerting waldo kitty (Jun 26)
- Re: Snort only partially alerting James Lay (Jun 18)
- Snort only partially alerting Frank Calone (Jun 21)
- Re: Snort only partially alerting Joel Esler (Jun 21)
- Re: Snort only partially alerting Joel Esler (Jun 21)
- Re: Snort only partially alerting Joel Esler (Jun 21)
- Re: Snort only partially alerting Frank Calone (Jun 21)
- Re: Snort only partially alerting Joel Esler (Jun 21)