Snort mailing list archives
Re: Can't alert on most
From: Doug Burks <doug.burks () gmail com>
Date: Wed, 5 Mar 2014 07:57:14 -0500
Hi Michael,

You might consider installing Security Onion (based on Ubuntu 12.04 and includes Snort 2.9.5.6) in another VM and comparing it to your existing Ubuntu VM.

http://securityonion.net

On Wed, Mar 5, 2014 at 7:45 AM, Michael Wisniewski <wiz561 () gmail com> wrote:
> Please see quoted text below for answers...
>
> On Tue, Mar 4, 2014 at 5:38 PM, waldo kitty <wkitty42 () windstream net> wrote:
>
>> On 3/4/2014 2:36 PM, Michael Wisniewski wrote:
>>
>>> Thanks for the response. I might try another version of Snort to see if this fixes the problem.
>>
>> doubtful since 2.9.6.0 is the latest version ;) the real question is if snort is seeing all the traffic AND if your HOME_NET and EXTERNAL_NET are set correctly for your network... [reading on] looking at your snort.conf, it would appear that they are "ok"... then the question is where did the pcap come from and was it recorded with the same IPs as your settings...
>
> The pcap was taken in the virtual machine that snort is running on. Basically, same machine and same NIC that snort captures traffic on.
>
>>> My concern is that since it's my first and new install of Snort and it's in a virtual environment, something strange is going on with the packets because 99% of the time, it's something I'm doing wrong and it's not the product that's the problem.
>>
>> VMs bring a whole other aspect which can cause problems in a lot of situations... we see them with the firewall i support when folks set up their VMs and share one physical NIC for all their interfaces... in this case, it is possible that there is a backdoor path that allows traffic to go around the firewall instead of through it... trying to explain this to folks can be troublesome but when they finally set it up on real iron, they can see things working like they should... that's generally when the bulb lights and they see the errors in the light ;)
>
> I totally understand. This is why I originally wrote here and decided to take the pcap. I was afraid that traffic may not be getting seen by the snort box. I figured that if I took the pcap and had somebody else check it, I could narrow down if it's the virtual machine or if it's snort. Since others have shown the proper snort alerts on my pcap, I am guessing it's something to do with the snort config.
>
>>> More on this later... I ended up taking a tcpdump on the interface from the box I have snort running on and then completing a nikto scan from an outside IP. Snort didn't identify much.... Basically, the following was found:
>>>
>>> stream5: Data sent on stream after TCP Reset
>>> http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
>>> http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
>>> http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
>>> http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
>>> http_inspect: UNKNOWN METHOD
>>> Snort Alert [119:33:1] http_inspect: LONG HEADER
>>>
>>> I even read the pcap into snort and found the same alerts.
>>
>> that's to be expected since snort sees the same things that tcpdump has recorded... again, though, there's something in the settings or in the compile that isn't what probably should be... now that i've mentioned the compile, did you compile this snort yourself? what OS are you running it on? what parameters did you use when you compiled it if you did?
>
> I did compile Snort myself. I just used './configure' without any options. I'm running it on Ubuntu 12.04 x86_64 with everything patched and up to date. I tried the snort version in the Ubuntu repo, but it's a little outdated... and I want to say I can't even get the latest rules for it anymore.
>
> [...]
>
>>> My point was that Snort is actually seeing some stuff, but is missing almost everything important. I'll attach two files below; me reading the pcap in snort and my snort.conf file. If somebody can suggest anything, that would be great.
>>
>> a quick look showed nothing out of sorts but it was very quick... i may be able to get some time later to study it further but i've been on 48 hour days for a while (up from 36 hour days) and there's still not enough time to get everything done ;) %) :lol: anyway, hopefully someone else will also take a look and possibly find something...
>>
>> you might want to take a look at virustotal's stuff again and see if they offer a way of comparing the confs... i don't know as i've not used that service of theirs...
>
> Any light that might be shed on this problem would be great. I have a feeling that I'm getting closer trying to solve it. I am thinking that somehow pulledpork isn't putting all the rules inside of snort. With the assistance of another member on the list, I took a closer look at the pulledpork responses and noticed that only 6k alerts are getting put in while 15k are disabled. For whatever reason, pulledpork isn't enabling rules when I was running it. I edited the /etc/snort/rules/snort.rules file and uncommented all the disabled rules. Snort now sees ~20k rules enabled, but it's still not flagging them. This is making me wonder if the rules are disabled somewhere else, or if Snort may not be able to use them because a prerequisite decoder can't be found.
>
> Thanks all for the help and assistance.
>
>> --
>> NOTE: No off-list assistance is given without prior approval.
>> Please keep mailing list traffic on the list unless
>> private contact is specifically requested and granted.
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
-- 
Doug Burks
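Added example, not from the thread and not part of Snort, Security Onion or pulledpork: a few shell checks for the three things the discussion above keeps circling back to, namely whether the rules in snort.rules are actually enabled, whether HOME_NET and EXTERNAL_NET in snort.conf match the addresses in the captured traffic, and whether Snort will load the config and alert when the pcap is replayed. The sample snort.rules and snort.conf fragment are constructed here so the counting functions run without a Snort install; the file paths, the SIDs and the function names are assumptions. The `snort` flags used (`-T`, `-c`, `-r`, `-A console`, `-q`, `-k none`) are standard Snort 2.9 command-line options, and the checksum remark about `-k none` is general Snort behaviour rather than something the thread established.

```shell
#!/bin/sh
# Added example, not from the thread. Three small checks for the
# "rules are loaded but almost nothing alerts" situation discussed above.
# File paths, the sample rules and the sample snort.conf are constructed here.

RULE_ACTIONS='alert|log|pass|drop|reject|sdrop'

# Count active vs. commented-out rules in a pulledpork-managed snort.rules.
# Prints "<enabled> <disabled>". Plain comment lines are not counted.
count_rules() {
    rules="$1"
    enabled=$(grep -cE "^($RULE_ACTIONS)[[:space:]]" "$rules" || true)
    disabled=$(grep -cE "^#[[:space:]]*($RULE_ACTIONS)[[:space:]]" "$rules" || true)
    printf '%s %s\n' "$enabled" "$disabled"
}

# List the SIDs of the enabled rules, one per line, so a rule you expect to
# fire (e.g. a web-server probe signature) can be confirmed as active.
enabled_sids() {
    grep -E "^($RULE_ACTIONS)[[:space:]]" "$1" \
        | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\);.*/\1/p'
}

# Show the HOME_NET / EXTERNAL_NET definitions from snort.conf. Compare them
# with the addresses actually seen in the pcap: a rule written for
# "$EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS" never matches if the scanner's
# or the target's address sits on the wrong side of that boundary.
net_vars() {
    grep -E "^(ipvar|var)[[:space:]]+(HOME_NET|EXTERNAL_NET)[[:space:]]" "$1"
}

# Load the config in test mode (-T), which aborts on a rule whose options need
# a preprocessor that is not configured, then replay the pcap with alerts to
# the console. -k none switches off checksum verification: by default Snort
# does not inspect packets with bad checksums, and a NIC with checksum
# offload (common inside VMs) produces exactly those on a local capture.
# This is general Snort 2.9 behaviour, not something the thread established.
replay_pcap() {
    conf="$1"
    pcap="$2"
    snort -T -c "$conf" || return 1
    snort -q -c "$conf" -r "$pcap" -A console -k none
}

# Constructed sample snort.rules: two enabled, two disabled, one plain comment.
make_sample_rules() {
    f=$(mktemp "${TMPDIR:-/tmp}/snort.rules.XXXXXX")
    cat >"$f" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SAMPLE cgi-bin probe"; flow:to_server,established; content:"/cgi-bin/"; http_uri; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SAMPLE disabled by policy"; sid:1000002; rev:1;)
#alert tcp any any -> any any (msg:"SAMPLE disabled, no space after #"; sid:1000003; rev:1;)
# This line is an ordinary comment, not a rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE outbound"; sid:1000004; rev:1;)
EOF
    printf '%s\n' "$f"
}

# Constructed sample snort.conf fragment with the two network variables.
make_sample_conf() {
    f=$(mktemp "${TMPDIR:-/tmp}/snort.conf.XXXXXX")
    cat >"$f" <<'EOF'
ipvar HOME_NET 192.168.56.0/24
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
EOF
    printf '%s\n' "$f"
}

# Demonstration on the constructed files (no snort binary needed).
demo() {
    rules=$(make_sample_rules)
    conf=$(make_sample_conf)
    echo "enabled/disabled rules: $(count_rules "$rules")"            # 2 2
    echo "enabled sids: $(enabled_sids "$rules" | tr '\n' ' ')"       # 1000001 1000004
    net_vars "$conf"
    rm -f "$rules" "$conf"
}

demo
```

Run `count_rules /etc/snort/rules/snort.rules` before and after a pulledpork run to see what it actually changed, and `replay_pcap /etc/snort/snort.conf capture.pcap` (paths are assumptions) to replay the capture: if `snort -T` exits non-zero, the startup error names the rule option or preprocessor that is missing, which is the "prerequisite decoder" question raised above; if it loads cleanly but the replay still prints nothing, compare the `net_vars` output with the source and destination addresses in the pcap.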
Current thread:
- Can't alert on most Michael Wisniewski (Mar 03)
- Re: Can't alert on most waldo kitty (Mar 04)
- Re: Can't alert on most Carlos G Mendioroz (Mar 04)
- Re: Can't alert on most Michael Wisniewski (Mar 04)
- Re: Can't alert on most waldo kitty (Mar 04)
- Re: Can't alert on most Carlos G Mendioroz (Mar 05)
- Re: Can't alert on most Michael Wisniewski (Mar 05)
- Re: Can't alert on most Doug Burks (Mar 05)
- Re: Can't alert on most Michael Wisniewski (Mar 05)
- Re: Can't alert on most Gierczak, Stan (Mar 28)
- Re: Can't alert on most waldo kitty (Mar 28)
- Re: Can't alert on most Carlos G Mendioroz (Mar 04)
- Re: Can't alert on most waldo kitty (Mar 05)
- Re: Can't alert on most waldo kitty (Mar 04)