Snort mailing list archives
Re: Snort only partially alerting
From: Frank Calone <fc10011001 () gmail com>
Date: Fri, 21 Jun 2013 16:08:45 -0400
Joel,

I have already tried running Snort using the "-k none" option as was recommended earlier this week. I still got no alerts. I tried testing an exe download and had snort in full packet capture mode. I looked at the packets after doing a -dvr just for my PC and there simply is little there that looks at all like what the TCPDUMP process captured (virtually no payloads like you see in the pcap file).

Would the checksum problem explain all the discards you noted? The "bad chk sum" from the statistics showed just 326 events for .025%. That number to me looks very small then as it is not even 1%.

If you want me to rerun with the -k none option again, I will do that. Should I do any kind of other logging at the same time or use other options to help diagnose?

Frank.

On Fri, Jun 21, 2013 at 3:19 PM, Joel Esler <jesler () sourcefire com> wrote:
On Jun 21, 2013, at 11:04 AM, Joel Esler <jesler () sourcefire com> wrote:

On Jun 21, 2013, at 11:01 AM, Frank Calone <fc10011001 () gmail com> wrote:

All Discard: 322566 ( 25.165%)
Other: 67 ( 0.005%)
Bad Chk Sum: 326 ( 0.025%)

I'm asking for the pcap, as this concerns me.

Frank, I took a look at the pcap you sent me and these are the alerts I received when I ran the pcap:

06/20-13:47:35.353332 [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:35.560161 [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:35.769947 [**] [1:25514:1] FILE-IDENTIFY Portable Executable download detected [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:35.769947 [**] [1:25515:1] FILE-IDENTIFY Portable Executable binary file magic detected [**] [Classification: Misc activity] [Priority: 3] {TCP}

My Snort.conf can be found here: http://www.snort.org/vrt/snort-conf-configurations/

*I stripped off the IPs at the end*

So when I looked at the pcap I noticed there were a ton of *incorrect* checksums (*the cut at the end of the statement is intended to strip out IPs*):

$ tcpdump -r tcpdump.jun20.v3.pcap -vv | grep incorrect | cut -f2 -d:
Flags [.], cksum 0x44cd (incorrect -> 0x0172), seq 3485
Flags [.], cksum 0x44cd (incorrect -> 0x104b), seq 19545
Flags [P.], cksum 0x44cd (incorrect -> 0xc4e0), seq 38525
Flags [.], cksum 0x4a81 (incorrect -> 0xa44d), seq 41445
Flags [.], cksum 0x44cd (incorrect -> 0xf3a2), seq 45825
Flags [.], cksum 0x5035 (incorrect -> 0x647f), seq 48745
Flags [.], cksum 0x4a81 (incorrect -> 0x0ee7), seq 56045
Flags [.], cksum 0x44cd (incorrect -> 0xf978), seq 64805
Flags [.], cksum 0x4a81 (incorrect -> 0x050f), seq 79405
Flags [.], cksum 0x44cd (incorrect -> 0x2969), seq 83785
Flags [.], cksum 0x44cd (incorrect -> 0x25d5), seq 92545
Flags [.], cksum 0x4a81 (incorrect -> 0x2962), seq 95465
Flags [.], cksum 0x44cd (incorrect -> 0x001d), seq 129045
Flags [.], cksum 0x44cd (incorrect -> 0x8619), seq 148025
Flags [.], cksum 0x44cd (incorrect -> 0xc65d), seq 152405
Flags [.], cksum 0x4a81 (incorrect -> 0x0fc3), seq 174305
Flags [.], cksum 0x44cd (incorrect -> 0x9a82), seq 180145
Flags [.], cksum 0x44cd (incorrect -> 0x4cac), seq 183065
Flags [.], cksum 0x44cd (incorrect -> 0x3fdf), seq 193285
Flags [.], cksum 0x44cd (incorrect -> 0x31a0), seq 197665
Flags [.], cksum 0x44cd (incorrect -> 0xc5d8), seq 216645
Flags [.], cksum 0x4a81 (incorrect -> 0x0fa6), seq 223945
Flags [.], cksum 0x44cd (incorrect -> 0xf8f4), seq 240005
Flags [.], cksum 0x44cd (incorrect -> 0xe1ca), seq 261905
Flags [.], cksum 0x44cd (incorrect -> 0xf3d0), seq 269205
Flags [.], cksum 0x44cd (incorrect -> 0xdcb6), seq 272125
Flags [.], cksum 0x4a81 (incorrect -> 0x3841), seq 279425
Flags [P.], cksum 0x44cd (incorrect -> 0x2c66), seq 283805
Flags [.], cksum 0x44cd (incorrect -> 0x007f), seq 291105
Flags [.], cksum 0x44cd (incorrect -> 0x73ea), seq 302785
Flags [.], cksum 0x44cd (incorrect -> 0xcb65), seq 305705
Flags [.], cksum 0x44cd (incorrect -> 0xc839), seq 310085
Flags [.], cksum 0x44cd (incorrect -> 0x2080), seq 323225
Flags [.], cksum 0x44cd (incorrect -> 0x4970), seq 327605
Flags [.], cksum 0x44cd (incorrect -> 0x2909), seq 331985
Flags [.], cksum 0x4a81 (incorrect -> 0xff42), seq 339285
Flags [.], cksum 0x4a81 (incorrect -> 0xdc3d), seq 343665
Flags [.], cksum 0x44cd (incorrect -> 0x1557), seq 348045
Flags [.], cksum 0x6705 (incorrect -> 0x8ce1), seq 356805
Flags [.], cksum 0x4a81 (incorrect -> 0x23bb), seq 368485
Flags [.], cksum 0x44cd (incorrect -> 0xba3c), seq 402065
Flags [.], cksum 0x44cd (incorrect -> 0x9696), seq 418125
Flags [.], cksum 0x4a81 (incorrect -> 0xef8c), seq 421045
Flags [.], cksum 0x4a81 (incorrect -> 0xda29), seq 428345
Flags [P.], cksum 0x44cd (incorrect -> 0xe4c1), seq 434185
Flags [.], cksum 0x44cd (incorrect -> 0x91e7), seq 437105
Flags [.], cksum 0x44cd (incorrect -> 0x9e95), seq 442945
Flags [.], cksum 0x4a81 (incorrect -> 0x8aaf), seq 445865
Flags [.], cksum 0x44cd (incorrect -> 0x08ac), seq 454625
Flags [.], cksum 0x44cd (incorrect -> 0x1815), seq 457545
Flags [.], cksum 0x44cd (incorrect -> 0xba15), seq 467765
Flags [.], cksum 0x44cd (incorrect -> 0xc270), seq 470685
Flags [.], cksum 0x44cd (incorrect -> 0x8612), seq 475065
Flags [.], cksum 0x44cd (incorrect -> 0xd14c), seq 479445
Flags [P.], cksum 0x4089 (incorrect -> 0xccaa), seq 482365

When I corrected the checksums on the file you sent me:

06/20-13:47:35.353332 [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:35.560161 [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:35.769947 [**] [1:25514:1] FILE-IDENTIFY Portable Executable download detected [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:35.769947 [**] [1:25515:1] FILE-IDENTIFY Portable Executable binary file magic detected [**] [Classification: Misc activity] [Priority: 3] {TCP}
06/20-13:47:42.628989 [**] [1:20486:10] FILE-IDENTIFY RTF file magic detected [**] [Classification: Misc activity] [Priority: 3] {TCP}

*again, with stripped out IPs*

Either way I get alerts, but the second time I got an alert for RTF file magic as well, so it's quite obvious that the checksums are having some kind of effect over there. Try running Snort with "-k none" added to your command line to turn off checksum validation and see if you get an alert.

--
*Joel Esler*
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
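The "cksum 0x44cd (incorrect -> 0x0172)" lines in Joel's tcpdump listing come from recomputing the TCP checksum over the IPv4 pseudo-header and comparing it with the value stored in the header. The following is an added example, not code from the thread or from the Snort or tcpdump projects: it does that verification on packets constructed inline (10.0.0.1:40000 to 10.0.0.2:80, a constructed sample), reports each packet the way tcpdump -vv does, and flags the pattern visible in the listing, where many bad packets share the same stored value. The helper names (`check_packet`, `describe`, `build_packet`, `offload_signature`) are this example's own.

```python
# Added example (not from the thread): recompute IPv4/TCP checksums the way
# tcpdump -vv does when it prints "cksum 0x44cd (incorrect -> 0x0172)".
import struct
from typing import List, Optional, Tuple


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of big-endian 16-bit words; an odd tail byte is padded with 0x00."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment, with its checksum field treated as zero."""
    seg = bytearray(segment)
    seg[16:18] = b"\x00\x00"
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))  # zero, proto=TCP, TCP length
    return checksum(pseudo + bytes(seg))


def check_packet(packet: bytes) -> Tuple[int, int]:
    """Return (stored, expected) TCP checksum for a raw IPv4/TCP packet without link-layer header."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    src_ip, dst_ip = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored, tcp_checksum(src_ip, dst_ip, segment)


def describe(packet: bytes) -> str:
    """tcpdump-style verdict for one packet, e.g. 'cksum 0x44cd (incorrect -> 0x01d9)'."""
    stored, expected = check_packet(packet)
    if stored == expected:
        return "cksum 0x%04x (correct)" % stored
    return "cksum 0x%04x (incorrect -> 0x%04x)" % (stored, expected)


def build_packet(payload: bytes, tcp_cksum: Optional[int] = None) -> bytes:
    """Constructed sample: minimal IPv4 + TCP (PSH/ACK) packet. tcp_cksum=None writes the correct
    checksum; a fixed value imitates a capture taken on a host whose NIC fills the checksum in later."""
    src_ip, dst_ip = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    if tcp_cksum is None:
        tcp_cksum = tcp_checksum(src_ip, dst_ip, tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_cksum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]  # IP header checksum
    return ip + tcp


def offload_signature(packets: List[bytes]) -> Optional[int]:
    """If every packet with a bad checksum carries the same stored value, return it; otherwise None.
    One repeated stored value across many packets is the tell-tale of checksum offload on the capturing host."""
    bad = set()
    for pkt in packets:
        stored, expected = check_packet(pkt)
        if stored != expected:
            bad.add(stored)
    return bad.pop() if len(bad) == 1 else None


if __name__ == "__main__":
    good = build_packet(b"MZ\x90\x00")  # constructed payload: the start of a PE header
    stale = [build_packet(b"MZ\x90\x00", 0x44CD), build_packet(b"GET / HTTP/1.1\r\n", 0x44CD)]
    for p in [good] + stale:
        print(describe(p))
    print("offload signature:", offload_signature(stale))
```

Run against a real capture (after stripping the link-layer header with a pcap reader), the same two checks separate genuine corruption from capture-side artefacts: random wrong values with no repetition point to damage on the wire, while a single stored value repeated across hundreds of packets, as 0x44cd and 0x4a81 are in Joel's listing, means the sniffer read the frames before the NIC computed the checksum. Snort's "-k none" makes the sensor ignore the field entirely; the other fix is to take the capture where offload is not in play, for instance on a separate sensor host or after turning transmit offload off on the capturing interface.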
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!