Snort mailing list archives

Re: Can't alert on most


From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 04 Mar 2014 18:38:12 -0500

On 3/4/2014 2:36 PM, Michael Wisniewski wrote:
> Thanks for the response.  I might try another version of Snort to see if this
> fixes the problem.

doubtful since 2.9.6.0 is the latest version ;)

the real question is if snort is seeing all the traffic AND if your HOME_NET and 
EXTERNAL_NET are set correctly for your network... [reading on] looking at your 
snort.conf, it would appear that they are "ok"...

then the question is where did the pcap come from and was it recorded with the same 
IPs as your settings...

> My concern is that since it's my first and new install of
> Snort and it's in a virtual environment, something strange is going on with the
> packets because 99% of the time, it's something I'm doing wrong and it's not the
> product that's the problem.

VMs bring a whole other aspect which can cause problems in a lot of 
situations... we see them with the firewall i support when folks set up their 
VMs and share one physical NIC for all their interfaces... in this case, it is 
possible that there is a backdoor path that allows traffic to go around the 
firewall instead of through it... trying to explain this to folks can be 
troublesome but when they finally set it up on real iron, they can see things 
working like they should... that's generally when the bulb lights and they see 
the errors in the light ;)

> I ended up taking a tcpdump on the interface from the box I have snort running
> on and then completing a nikto scan from an outside IP.  Snort didn't identify
> much....  Basically, the following was found:
>
> stream5: Data sent on stream after TCP Reset
> http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
> http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
> http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
> http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
> http_inspect: UNKNOWN METHOD
> Snort Alert [119:33:1]
> http_inspect: LONG HEADER

> I even read the pcap into snort and found the same alerts.

that's to be expected since snort sees the same things that tcpdump has 
recorded... again, though, there's something in the settings or in the compile 
that isn't what it probably should be...

now that i've mentioned the compile, did you compile this snort yourself? what 
OS are you running it on? what parameters did you use when you compiled it if 
you did?

> I then discovered that virustotal has a handy little addition that you can
> upload the pcap and it will do Snort analysis on the file and show you the
> alerts.  When I uploaded the pcap to virustotal, it lit up as expected with the
> nikto scan.  Just a small sampling of the virustotal results from Snort...

> [...]

> I would expect that my local installation should flag on the above as well, but
> it's not.

one would have to compare virustotal's snort.conf and the compile options used...

> The tcp small segment sizes, I already "tuned" that so it's not an issue.

ok... i hope my previous was of assistance in that case...

> My point was that Snort is actually seeing some stuff, but is missing almost
> everything important.  I'll attach two files below; me reading the pcap in
> snort and my snort.conf file.  If somebody can suggest anything, that would
> be great.

a quick look showed nothing out of sorts but it was very quick... i may be able 
to get some time later to study it further but i've been on 48-hour days for a 
while (up from 36-hour days) and there's still not enough time to get everything 
done ;) %) :lol:

anyway, hopefully someone else will also take a look and possibly find 
something... you might want to take a look at virustotal's stuff again and see 
if they offer a way of comparing the confs... i don't know as i've not used that 
service of theirs...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
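To turn the HOME_NET / EXTERNAL_NET question raised in this reply into a check you can actually run against the capture, here is an added example written for this archive page; it is not code from Snort, from the list, or from either poster. It assumes a snort.conf fragment and a handful of src/dst address pairs that are constructed here for illustration; against a real capture you would pull the pairs from the pcap with something like `tshark -r scan.pcap -T fields -e ip.src -e ip.dst`.

```python
"""Classify capture endpoints against Snort's HOME_NET / EXTERNAL_NET.

Added example for this thread (not Snort's code, not the posters'):
parses `ipvar` lines from snort.conf text and reports, for each
(src, dst) pair, which rule direction could match it.
"""
import ipaddress
import re

# Constructed snort.conf fragment; the poster's real config is not on this page.
SNORT_CONF = """\
ipvar HOME_NET [192.168.56.0/24,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
"""

# Constructed src/dst pairs standing in for what you would extract from the
# pcap, e.g. with: tshark -r scan.pcap -T fields -e ip.src -e ip.dst
FLOWS = [
    ("203.0.113.7", "192.168.56.10"),   # scanner on the internet -> web server
    ("192.168.56.1", "192.168.56.10"),  # scanner on the VM host-only network
    ("192.168.56.10", "203.0.113.7"),   # server replying outbound
]


def parse_ipvars(conf_text):
    """Return {name: raw value} for every `ipvar NAME VALUE` line."""
    return dict(re.findall(r"^\s*ipvar\s+(\w+)\s+(\S+)", conf_text, re.M))


def resolve(value, ipvars):
    """Compile an ipvar value into a predicate ip_string -> bool.

    Supports `any`, a single CIDR/host, a bracketed comma list, `$VAR`
    references, and `!` negation (e.g. `!$HOME_NET`). Snort's own syntax is
    richer; this covers the forms found in the stock snort.conf.
    """
    value = value.strip()
    if value == "any":
        return lambda ip: True
    if value.startswith("!"):
        inner = resolve(value[1:], ipvars)
        return lambda ip: not inner(ip)
    if value.startswith("$"):
        return resolve(ipvars[value[1:]], ipvars)
    if value.startswith("[") and value.endswith("]"):
        parts = [resolve(p, ipvars) for p in value[1:-1].split(",") if p]
        return lambda ip: any(p(ip) for p in parts)
    net = ipaddress.ip_network(value, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net


def classify_flow(src, dst, ipvars):
    """Name the rule direction a src->dst packet can satisfy."""
    home = resolve("$HOME_NET", ipvars)
    ext = resolve("$EXTERNAL_NET", ipvars)
    if ext(src) and home(dst):
        return "ext->home"    # "$EXTERNAL_NET any -> $HOME_NET ..." rules can fire
    if home(src) and ext(dst):
        return "home->ext"    # "$HOME_NET any -> $EXTERNAL_NET ..." rules can fire
    if home(src) and home(dst):
        return "home->home"   # with EXTERNAL_NET !$HOME_NET, neither direction matches
    return "ext->ext"         # traffic the config does not treat as ours at all


def audit_capture(conf_text, flows):
    """Map each (src, dst) pair to its classification."""
    ipvars = parse_ipvars(conf_text)
    return {flow: classify_flow(flow[0], flow[1], ipvars) for flow in flows}


if __name__ == "__main__":
    for (src, dst), verdict in audit_capture(SNORT_CONF, FLOWS).items():
        print(f"{src:>15} -> {dst:<15} {verdict}")
```

The `home->home` verdict is the one to look for in a VM lab: if the machine running nikto sits on the same host-only network that HOME_NET covers, a rule written as `$EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS` can never match that scan, however correct the rest of snort.conf looks. The check only covers addresses; the port variables (HTTP_PORTS and friends) and the preprocessor settings have to be right as well, but address direction is the cheapest thing to rule out first.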

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
