Snort mailing list archives

Re: Snort only partially alerting


From: Frank Calone <fc10011001 () gmail com>
Date: Fri, 21 Jun 2013 16:08:45 -0400

Joel,
   I have already tried running Snort using the "-k none" option as was
recommended earlier this week.  I still got no alerts.  I tried testing an
exe download and had Snort in full packet capture mode.  I looked at the
packets after doing a -dvr just for my PC and there simply is little there
that looks at all like what the tcpdump process captured (virtually no
payloads like you see in the pcap file).  Would the checksum problem
explain all the discards you noted?  The "Bad Chk Sum" from the statistics
showed just 326 events for 0.025%.  That number looks very small to me then,
as it is not even 1%.  If you want me to rerun with the -k none option again, I
will do that.  Should I do any kind of other logging at the same time or
use other options to help diagnose?

Frank.

On Fri, Jun 21, 2013 at 3:19 PM, Joel Esler <jesler () sourcefire com> wrote:

  On Jun 21, 2013, at 11:04 AM, Joel Esler <jesler () sourcefire com> wrote:

 On Jun 21, 2013, at 11:01 AM, Frank Calone <fc10011001 () gmail com> wrote:

 All Discard:       322566 ( 25.165%)
      Other:           67 (  0.005%)
Bad Chk Sum:          326 (  0.025%)


I'm asking for the pcap, as this concerns me.


Frank, I took a look at the pcap you sent me and these are the alerts I
received when I ran the pcap:

06/20-13:47:35.353332  [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:35.560161  [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:35.769947  [**] [1:25514:1] FILE-IDENTIFY Portable Executable download detected [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:35.769947  [**] [1:25515:1] FILE-IDENTIFY Portable Executable binary file magic detected [**] [Classification: Misc activity] [Priority: 3] {TCP}

My Snort.conf can be found here:
http://www.snort.org/vrt/snort-conf-configurations/

*I stripped off the IPs at the end*

So when I looked at the pcap I noticed there were a ton of *incorrect* checksums
(the cut at the end of the statement is intended to strip out IPs):

$ tcpdump -r tcpdump.jun20.v3.pcap -vv | grep incorrect | cut -f2 -d:

  Flags [.], cksum 0x44cd (incorrect -> 0x0172), seq 3485
 Flags [.], cksum 0x44cd (incorrect -> 0x104b), seq 19545
 Flags [P.], cksum 0x44cd (incorrect -> 0xc4e0), seq 38525
 Flags [.], cksum 0x4a81 (incorrect -> 0xa44d), seq 41445
 Flags [.], cksum 0x44cd (incorrect -> 0xf3a2), seq 45825
 Flags [.], cksum 0x5035 (incorrect -> 0x647f), seq 48745
 Flags [.], cksum 0x4a81 (incorrect -> 0x0ee7), seq 56045
 Flags [.], cksum 0x44cd (incorrect -> 0xf978), seq 64805
 Flags [.], cksum 0x4a81 (incorrect -> 0x050f), seq 79405
 Flags [.], cksum 0x44cd (incorrect -> 0x2969), seq 83785
 Flags [.], cksum 0x44cd (incorrect -> 0x25d5), seq 92545
 Flags [.], cksum 0x4a81 (incorrect -> 0x2962), seq 95465
 Flags [.], cksum 0x44cd (incorrect -> 0x001d), seq 129045
 Flags [.], cksum 0x44cd (incorrect -> 0x8619), seq 148025
 Flags [.], cksum 0x44cd (incorrect -> 0xc65d), seq 152405
 Flags [.], cksum 0x4a81 (incorrect -> 0x0fc3), seq 174305
 Flags [.], cksum 0x44cd (incorrect -> 0x9a82), seq 180145
 Flags [.], cksum 0x44cd (incorrect -> 0x4cac), seq 183065
 Flags [.], cksum 0x44cd (incorrect -> 0x3fdf), seq 193285
 Flags [.], cksum 0x44cd (incorrect -> 0x31a0), seq 197665
 Flags [.], cksum 0x44cd (incorrect -> 0xc5d8), seq 216645
 Flags [.], cksum 0x4a81 (incorrect -> 0x0fa6), seq 223945
 Flags [.], cksum 0x44cd (incorrect -> 0xf8f4), seq 240005
 Flags [.], cksum 0x44cd (incorrect -> 0xe1ca), seq 261905
 Flags [.], cksum 0x44cd (incorrect -> 0xf3d0), seq 269205
 Flags [.], cksum 0x44cd (incorrect -> 0xdcb6), seq 272125
 Flags [.], cksum 0x4a81 (incorrect -> 0x3841), seq 279425
 Flags [P.], cksum 0x44cd (incorrect -> 0x2c66), seq 283805
 Flags [.], cksum 0x44cd (incorrect -> 0x007f), seq 291105
 Flags [.], cksum 0x44cd (incorrect -> 0x73ea), seq 302785
 Flags [.], cksum 0x44cd (incorrect -> 0xcb65), seq 305705
 Flags [.], cksum 0x44cd (incorrect -> 0xc839), seq 310085
 Flags [.], cksum 0x44cd (incorrect -> 0x2080), seq 323225
 Flags [.], cksum 0x44cd (incorrect -> 0x4970), seq 327605
 Flags [.], cksum 0x44cd (incorrect -> 0x2909), seq 331985
 Flags [.], cksum 0x4a81 (incorrect -> 0xff42), seq 339285
 Flags [.], cksum 0x4a81 (incorrect -> 0xdc3d), seq 343665
 Flags [.], cksum 0x44cd (incorrect -> 0x1557), seq 348045
 Flags [.], cksum 0x6705 (incorrect -> 0x8ce1), seq 356805
 Flags [.], cksum 0x4a81 (incorrect -> 0x23bb), seq 368485
 Flags [.], cksum 0x44cd (incorrect -> 0xba3c), seq 402065
 Flags [.], cksum 0x44cd (incorrect -> 0x9696), seq 418125
 Flags [.], cksum 0x4a81 (incorrect -> 0xef8c), seq 421045
 Flags [.], cksum 0x4a81 (incorrect -> 0xda29), seq 428345
 Flags [P.], cksum 0x44cd (incorrect -> 0xe4c1), seq 434185
 Flags [.], cksum 0x44cd (incorrect -> 0x91e7), seq 437105
 Flags [.], cksum 0x44cd (incorrect -> 0x9e95), seq 442945
 Flags [.], cksum 0x4a81 (incorrect -> 0x8aaf), seq 445865
 Flags [.], cksum 0x44cd (incorrect -> 0x08ac), seq 454625
 Flags [.], cksum 0x44cd (incorrect -> 0x1815), seq 457545
 Flags [.], cksum 0x44cd (incorrect -> 0xba15), seq 467765
 Flags [.], cksum 0x44cd (incorrect -> 0xc270), seq 470685
 Flags [.], cksum 0x44cd (incorrect -> 0x8612), seq 475065
 Flags [.], cksum 0x44cd (incorrect -> 0xd14c), seq 479445
 Flags [P.], cksum 0x4089 (incorrect -> 0xccaa), seq 482365

When I corrected the checksums on the file you sent me:

06/20-13:47:35.353332  [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:35.560161  [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:35.769947  [**] [1:25514:1] FILE-IDENTIFY Portable Executable download detected [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:35.769947  [**] [1:25515:1] FILE-IDENTIFY Portable Executable binary file magic detected [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:42.628989  [**] [1:20486:10] FILE-IDENTIFY RTF file magic detected [**] [Classification: Misc activity] [Priority: 3] {TCP}

*again, with stripped out IPs*

Either way I get alerts, but the second time I got an alert for RTF file
magic as well, so it's quite obvious that the checksums are having some
kind of effect over there.

Try running Snort with "-k none" added to your command line to turn off
checksum validation and see if you get an alert.


--
*Joel Esler*
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


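The check Joel ran with tcpdump, and the checksum correction he applied before re-running the pcap, combined in one script, as an added example that is not part of this thread, of Snort, or of tcpdump: it parses a libpcap (Ethernet) file, recomputes the IPv4 header checksum and the TCP checksum for every frame, lists the frames whose stored value does not match (the same frames tcpdump -vv reports as "incorrect"), and produces a copy of the capture with both fields rewritten. The function names, the two-frame sample capture and its 10.0.0.x addresses are constructed for illustration and are assumptions, not data from the thread.

```python
"""Audit and repair IPv4/TCP checksums in a libpcap (Ethernet) capture.
Added example for this thread, not code from the post or from Snort; function
names are hypothetical and the sample packets below are constructed."""
import struct

PCAP_MAGIC, ETH_HDR, ETHERTYPE_IPV4, IPPROTO_TCP = 0xA1B2C3D4, 14, b"\x08\x00", 6

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: one's complement of the 16-bit one's complement sum (odd byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_checksum(ip: bytes) -> int:
    """IPv4 header checksum, computed with the stored field (bytes 10-11) zeroed."""
    return ones_complement_sum(ip[:10] + b"\x00\x00" + ip[12:])

def tcp_checksum(src: bytes, dst: bytes, seg: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
    return ones_complement_sum(pseudo + seg[:16] + b"\x00\x00" + seg[18:])

def iter_pcap(data: bytes):
    """Yield (record_offset, frame) for every record of a libpcap file, either byte order."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only DLT_EN10MB (Ethernet) captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield off, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def audit_frame(frame: bytes):
    """(ip_ok, tcp_ok, stored_tcp, expected_tcp) for an IPv4/TCP frame, else None.
    A frame cut short by the snaplen always computes as bad: that is a capture problem."""
    if len(frame) < ETH_HDR + 20 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    ip = frame[ETH_HDR:ETH_HDR + ihl]
    if ihl < 20 or ip[9] != IPPROTO_TCP:
        return None
    seg = frame[ETH_HDR + ihl:ETH_HDR + struct.unpack("!H", ip[2:4])[0]]
    if len(seg) < 20:
        return None
    ip_ok = ip_checksum(ip) == struct.unpack("!H", ip[10:12])[0]
    stored, expected = struct.unpack("!H", seg[16:18])[0], tcp_checksum(ip[12:16], ip[16:20], seg)
    return ip_ok, stored == expected, stored, expected

def repair_frame(frame: bytes) -> bytes:
    """Rewrite both checksum fields so the frame verifies (no-op if not IPv4/TCP)."""
    if audit_frame(frame) is None:
        return frame
    buf = bytearray(frame)
    ip_off, tcp_off = ETH_HDR, ETH_HDR + (buf[ETH_HDR] & 0x0F) * 4
    end = ETH_HDR + struct.unpack("!H", buf[ip_off + 2:ip_off + 4])[0]
    struct.pack_into("!H", buf, ip_off + 10, ip_checksum(bytes(buf[ip_off:tcp_off])))
    src, dst = bytes(buf[ip_off + 12:ip_off + 16]), bytes(buf[ip_off + 16:ip_off + 20])
    struct.pack_into("!H", buf, tcp_off + 16, tcp_checksum(src, dst, bytes(buf[tcp_off:end])))
    return bytes(buf)

def audit_pcap(data: bytes):
    """List (record_no, ip_ok, tcp_ok, stored, expected) for each TCP frame with a bad checksum."""
    bad = []
    for n, (_, frame) in enumerate(iter_pcap(data), 1):
        info = audit_frame(frame)
        if info and not (info[0] and info[1]):
            bad.append((n,) + info)
    return bad

def repair_pcap(data: bytes) -> bytes:
    """Copy of the capture with every IPv4/TCP checksum corrected; record headers untouched."""
    out = bytearray(data[:24])
    for off, frame in iter_pcap(data):
        out += data[off:off + 16] + repair_frame(frame)
    return bytes(out)

def build_frame(src, dst, sport, dport, payload, offloaded):
    """Constructed Ethernet/IPv4/TCP frame. offloaded=True leaves both checksum fields
    at zero, which is what a host-side capture sees when the NIC does TX checksum offload."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1000, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0x1234, 0x4000, 64, IPPROTO_TCP, 0, src, dst)
    frame = bytes.fromhex("001122334455" "66778899aabb") + ETHERTYPE_IPV4 + ip + seg
    return frame if offloaded else repair_frame(frame)

def build_pcap(frames) -> bytes:
    """Constructed little-endian libpcap file, link type Ethernet, one record per frame."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1371750455 + i, 0, len(f), len(f)) + f
    return bytes(out)

CLIENT, SERVER = b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x09"  # constructed addresses, not from the thread
SAMPLE_PCAP = build_pcap([  # frame 1 sent by the capturing host (offloaded), frame 2 received from the peer
    build_frame(CLIENT, SERVER, 49152, 80, b"GET /a.exe HTTP/1.1\r\n\r\n", offloaded=True),
    build_frame(SERVER, CLIENT, 80, 49152, b"HTTP/1.1 200 OK\r\n\r\nMZ\x90\x00", offloaded=False),
])
```

To use it on a real file, read the capture into bytes, run audit_pcap on it to get the list of bad records, and write repair_pcap's result to a new file to feed Snort with -r. The pattern in Joel's tcpdump output, where every flagged segment is a pure ACK or PSH from the downloading side, is the usual signature of TX checksum offload: libpcap copies outbound frames before the NIC fills in the checksum, so only the local host's own traffic looks corrupt. Snort treats such segments as invalid and drops them from stream reassembly, which is why the file-identify rules fire only once the checksums are fixed or verification is disabled with -k none (the equivalent snort.conf setting is config checksum_mode: none).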
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net