Snort mailing list archives

Re: Can't alert on most


From: "Gierczak, Stan" <SGierczak () presencehealth org>
Date: Fri, 28 Mar 2014 11:59:01 +0000

What installation guide did you use?  I am working on installing the same version, but only found the guide for 2.9.2.3 on Ubuntu?


From: Michael Wisniewski [mailto:wiz561 () gmail com]
Sent: Wednesday, March 05, 2014 8:48 AM
To: waldo kitty
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Can't alert on most

Well, I finally figured out what was going on with my configs.  Hopefully my stupidity will help others.  :)

I think part of the problem was that the default installation of snort and/or pulledpork doesn't enable most alerts.  I 
had to edit the rule files and uncomment (#) most of the rules to get snort to recognize them.  You can check this when 
starting it up and seeing how many rules are active.  Stock rules are about 6k.  If you enable all rules, it's a little 
over 20k.
The other error I made was where the snort sensor was located.  My internal network is 10.0.1.0/24.  I have snort setup like:
cable modem --> switch --> gateway/router --> snort box
On the switch, I setup a mirror port.  The "home network" out here is routable space, NOT 10 net.  Snort was thinking 
that the sensor was installed on 10-net space while it wasn't.
Hopefully this will help somebody else out and save a couple of days of headaches.  The home_net variable is where the snort sensor is located, not where the snort sensor is running on... if that makes any sense.

Thanks all for all the time and help with this.  I'm glad I was finally able to get it figured out!

On Wed, Mar 5, 2014 at 6:45 AM, Michael Wisniewski <wiz561 () gmail com> wrote:
Please see quoted text below for answers...

On Tue, Mar 4, 2014 at 5:38 PM, waldo kitty <wkitty42 () windstream net> wrote:
On 3/4/2014 2:36 PM, Michael Wisniewski wrote:
Thanks for the response.  I might try another version of Snort to see if this
fixes the problem.
doubtful since 2.9.6.0 is the latest version ;)

the real question is if snort is seeing all the traffic AND if your HOME_NET and
EXTERNAL_NET are set correctly for your network... [reading on] looking at your
snort.conf, it would appear that they are "ok"...

then the question is where did the pcap from and was it recorded with the same
IPs as your settings...

The pcap was taken in the virtual machine that snort is running on.  Basically, same machine and same NIC that snort captures traffic on.


My concern is that since it's my first and new install of
Snort and it's in a virtual environment, something strange is going on with the
packets because 99% of the time, it's something I'm doing wrong and it's not the
product that's the problem.
VMs bring a whole other aspect which can cause problems in a lot of
situations... we see them with the firewall i support when folks set up their
VMs and share one physical NIC for all their interfaces... in this case, it is
possible that there is a backdoor path that allows traffic to go around the
firewall instead of through it... trying to explain this to folks can be
troublesome but when they finally set it up on real iron, they can see things
working like they should... that's generally when the bulb lights and they see
the errors in the light ;)

I totally understand.  This is why I originally wrote here and decided to take the pcap.  I was afraid that traffic may not be getting seen by the snort box.  I figured that if I took the pcap and had somebody else check it, I could narrow down if it's the virtual machine or if it's snort.  Since others have shown the proper snort alerts on my pcap, I am guessing it's something to do with the snort config.  More on this later...


I ended up taking a tcpdump on the interface from the box I have snort running
on and then completing a nikto scan from an outside IP.  Snort didn't identify
much....  Basically, the following was found:

stream5: Data sent on stream after TCP Reset
http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
http_inspect: UNKNOWN METHOD
Snort Alert [119:33:1]
http_inspect: LONG HEADER

I even read the pcap into snort and found the same alerts.
that's to be expected since snort sees the same things that tcpdump has
recorded... again, though, there's something in the settings or in the compile
that isn't what probably should be...

now that i've mentioned the compile, did you compile this snort yourself? what
OS are you running it on? what parameters did you use when you compiled it if
you did?

I did compile Snort myself.  I just used './configure' without any options.  I'm running it on Ubuntu 12.04 x86_64 with 
everything patched and up to date.  I tried the snort version in the Ubuntu repo, but it's a little outdated...and I 
want to say I can't even get the latest rules for it anymore.

[...]
My point was that Snort is actually seeing some stuff, but is missing almost
everything important.  I'll attach two files below; me reading the pcap in
snort and my snort.conf file.  If somebody can suggest anything, that would
be great.
a quick look showed nothing out of sorts but it was very quick... i may be able
to get some time later to study it further but i've been on 48 hour days for a
while (up from 36 hour days) and there's still not enough time to get everything
done ;) %) :lol:

anyway, hopefully someone else will also take a look and possibly find
something... you might want to take a look at virustotal's stuff again and see
if they offer a way of comparing the confs... i don't know as i've not used that
service of theirs...


Any light that might be shed on this problem would be great.  I have a feeling that I'm getting closer trying to solve it.  I am thinking that somehow pulledpork isn't putting all the rules inside of snort.  With the assistance of another member on the list, I took a closer look at the pulledpork responses and noticed that only 6k alerts are getting put in while 15k are disabled.  For whatever reason, pulledpork isn't enabling rules when I was running it.  I edited the /etc/snort/rules/snort.rules file and uncommented all the disabled rules.  Snort now sees ~20k rules enabled, but it's still not flagging them.
This is making me wonder if the rules are disabled somewhere else, or if Snort may not be able to use them because a 
prerequisite decoder can't be found.

Thanks all for the help and assistance.





--
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
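The two root causes Michael describes above (rules left commented out in snort.rules, and a HOME_NET that does not match the addresses the mirror port actually carries) can both be checked before restarting Snort. The script below is an added example, not code from the thread or from Snort/pulledpork; the rules text and the packet endpoints are constructed samples, and the regex is a simplified Snort rule-header matcher that only needs to tell a commented-out rule from an ordinary comment.

```python
import ipaddress
import re

# Constructed sample of a pulledpork-style snort.rules file (not the real file).
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"disabled rule"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"enabled rule"; sid:1000002; rev:1;)
# plain comment, not a rule
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"outbound"; sid:1000003; rev:1;)
"""

# action proto src_ip src_port direction  -- enough to recognise a rule header,
# with an optional leading '#' that marks a rule pulledpork has disabled.
RULE_RE = re.compile(r'^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+\s+[-<]>')

def count_rules(text):
    """Return (enabled, disabled) counts; '#' before an action keyword means disabled."""
    enabled = disabled = 0
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and ordinary comments
        if m.group(1):
            disabled += 1
        else:
            enabled += 1
    return enabled, disabled

# Constructed (src, dst) endpoints as a sensor on a mirror port might see them
# (documentation ranges, not addresses from the thread's pcap).
SAMPLE_FLOWS = [("198.51.100.7", "203.0.113.10"),
                ("203.0.113.10", "198.51.100.7"),
                ("198.51.100.9", "203.0.113.10")]

def home_net_coverage(home_net, flows):
    """Fraction of observed packets with at least one endpoint inside HOME_NET.

    Accepts a single CIDR or a Snort-style list such as "[10.0.1.0/24,192.0.2.0/24]".
    A result of 0.0 means $EXTERNAL_NET -> $HOME_NET rules can never match."""
    nets = [ipaddress.ip_network(n.strip()) for n in home_net.strip("[]").split(",")]
    hits = sum(1 for src, dst in flows
               if any(ipaddress.ip_address(a) in n for a in (src, dst) for n in nets))
    return hits / len(flows) if flows else 0.0
```

Note that pulledpork rewrites snort.rules on every run, so rules uncommented by hand are lost again; enablesid.conf is where pulledpork expects persistent enable decisions.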

