Snort mailing list archives
Re: Can't alert on most
From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 04 Mar 2014 18:38:12 -0500
On 3/4/2014 2:36 PM, Michael Wisniewski wrote:
Thanks for the response. I might try another version of Snort to see if this fixes the problem.
doubtful since 2.9.6.0 is the latest version ;) the real question is if snort is seeing all the traffic AND if your HOME_NET and EXTERNAL_NET are set correctly for your network... [reading on] looking at your snort.conf, it would appear that they are "ok"... then the question is where did the pcap come from and was it recorded with the same IPs as your settings...
My concern is that since it's my first and new install of Snort and it's in a virtual environment, something strange is going on with the packets because 99% of the time, it's something I'm doing wrong and it's not the product that's the problem.
VMs bring a whole other aspect which can cause problems in a lot of situations... we see them with the firewall i support when folks set up their VMs and share one physical NIC for all their interfaces... in this case, it is possible that there is a backdoor path that allows traffic to go around the firewall instead of through it... trying to explain this to folks can be troublesome but when they finally set it up on real iron, they can see things working like they should... that's generally when the bulb lights and they see the errors in the light ;)
I ended up taking a tcpdump on the interface from the box I have snort running on and then completing a nikto scan from an outside IP. Snort didn't identify much.... Basically, the following was found:
stream5: Data sent on stream after TCP Reset
http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
http_inspect: UNKNOWN METHOD
Snort Alert [119:33:1]
http_inspect: LONG HEADER
I even read the pcap into snort and found the same alerts.
that's to be expected since snort sees the same things that tcpdump has recorded... again, though, there's something in the settings or in the compile that isn't what probably should be... now that i've mentioned the compile, did you compile this snort yourself? what OS are you running it on? what parameters did you use when you compiled it if you did?
I then discovered that virustotal has a handy little addition that you can upload the pcap and it will do Snort analysis on the file and show you the alerts. When I uploaded the pcap to virustotal, it lit up as expected with the nikto scan. Just a small sampling of the virustotal results from Snort...
[...]
I would expect that my local installation should flag on the above as well, but it's not.
one would have to compare virustotal's snort.conf and the compile options used...
The tcp small segment sizes, I already "tuned" that so it's not an issue.
ok... i hope my previous was of assistance in that case...
My point was that Snort is actually seeing some stuff, but is missing almost everything important. I'll attach two files below; me reading the pcap in snort and my snort.conf file. If somebody can suggest anything, that would be great.
a quick look showed nothing out of sorts but it was very quick... i may be able to get some time later to study it further but i've been on 48 hour days for a while (up from 36 hour days) and there's still not enough time to get everything done ;) %) :lol: anyway, hopefully someone else will also take a look and possibly find something... you might want to take a look at virustotal's stuff again and see if they offer a way of comparing the confs... i don't know as i've not used that service of theirs...
--
NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
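The question raised above, whether the pcap was recorded with the same IPs as the HOME_NET setting, can be checked directly from the capture. The following is an added example, not code from the thread or from Snort: it parses a classic Ethernet/IPv4 pcap with only the standard library and labels each packet the way a rule header sees it when EXTERNAL_NET is !$HOME_NET. The addresses and the capture are constructed for the demonstration.

```python
import struct
import ipaddress

def make_pcap(flows):
    """Construct a minimal little-endian pcap (Ethernet/IPv4) with one packet per (src, dst)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, LINKTYPE_ETHERNET
    for src, dst in flows:
        ip = b"\x45" + b"\x00" * 11 + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
        pkt = b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType IPv4, bare 20-byte IPv4 header
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt  # record header + packet
    return out

def ipv4_endpoints(data):
    """Yield (src, dst) for every IPv4-over-Ethernet record in a classic pcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00":  # IPv4 only
            yield ipaddress.ip_address(pkt[26:30]), ipaddress.ip_address(pkt[30:34])

def direction(src, dst, home_nets):
    """Label a packet the way Snort rule headers see it with EXTERNAL_NET = !$HOME_NET."""
    home = [ipaddress.ip_network(n) for n in home_nets]
    side = lambda a: "HOME_NET" if any(a in n for n in home) else "EXTERNAL_NET"
    return f"{side(src)} -> {side(dst)}"

def summarize(data, home_nets):
    """Count packets per direction. A scan that shows up only as HOME_NET -> HOME_NET
    can never match rule headers written as $EXTERNAL_NET any -> $HOME_NET."""
    counts = {}
    for src, dst in ipv4_endpoints(data):
        key = direction(src, dst, home_nets)
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample: a scanner at 192.168.1.50 probing a web server at 192.168.1.10,
# plus one reply packet. Both hosts sit in the same /24.
SAMPLE = make_pcap([("192.168.1.50", "192.168.1.10")] * 3 + [("192.168.1.10", "192.168.1.50")])

if __name__ == "__main__":
    print("HOME_NET 192.168.1.0/24:", summarize(SAMPLE, ["192.168.1.0/24"]))
    print("HOME_NET 192.168.1.10/32:", summarize(SAMPLE, ["192.168.1.10/32"]))
```

Run it against a real capture by replacing SAMPLE with the file's bytes and home_nets with the ipvar HOME_NET value from snort.conf; a large HOME_NET -> HOME_NET count with nothing marked EXTERNAL_NET -> HOME_NET explains missing alerts without any rule or compile problem.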
Current thread:
- Can't alert on most Michael Wisniewski (Mar 03)
- Re: Can't alert on most waldo kitty (Mar 04)
- Re: Can't alert on most Carlos G Mendioroz (Mar 04)
- Re: Can't alert on most Michael Wisniewski (Mar 04)
- Re: Can't alert on most waldo kitty (Mar 04)
- Re: Can't alert on most Carlos G Mendioroz (Mar 05)
- Re: Can't alert on most Michael Wisniewski (Mar 05)
- Re: Can't alert on most Doug Burks (Mar 05)
- Re: Can't alert on most Michael Wisniewski (Mar 05)
- Re: Can't alert on most Gierczak, Stan (Mar 28)
- Re: Can't alert on most waldo kitty (Mar 28)
- Re: Can't alert on most Carlos G Mendioroz (Mar 04)
- Re: Can't alert on most waldo kitty (Mar 05)
- Re: Can't alert on most waldo kitty (Mar 04)