Snort mailing list archives
Re: False Snort Alert [119:31:1] triggering
From: "Gaurav Nagare (gnagare)" <gnagare () cisco com>
Date: Wed, 17 Jun 2015 14:25:59 +0000
Hi,

Adding http_methods { GET POST HEAD PUT CONNECT } should stop the false alert for valid HTTP methods.

For the second case, false alerts being generated for some HTTP fragment, we already have a bug in place. The fix will be provided in a future release.

Thanks
Gaurav

-----Original Message-----
From: katwell80 () yahoo de [mailto:katwell80 () yahoo de]
Sent: Wednesday, June 17, 2015 7:05 PM
To: snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] False Snort Alert [119:31:1] triggering

Hello

I didn't have it in the config; it was the default config I got installed, and there was no http_methods defined. I just added http_methods { GET POST HEAD PUT CONNECT }, which hopefully will clean up some errors, but it only fixes one of the problems.

What remains is the alerting on websocket packets and the alerting on fragments like

0000000: 48 6f 73 74 3a 20 67 6f 6f 67 6c 65 2e 64 65 0a  Host:.google.de.

in my example...

Carter Waxman (cwaxman) <cwaxman () cisco com> wrote on Wednesday, 17 June 2015 at 14:30:

In your config for preprocessor http_inspect_server, do you have the HEAD method included in the http_methods option? This rule should trigger iff the method is not POST, is not GET, and is not in that list.

Thanks,
Carter

On 6/17/15, 4:27 AM, "katwell80 () yahoo de" <katwell80 () yahoo de> wrote:
Hello

My snort triggers bogus alerts from the http preprocessor.

Assigned rule:
alert (msg: "HI_CLIENT_UNKNOWN_METHOD"; sid: 31; gid: 119; rev: 1; metadata: rule-type preproc ;)

It claims that the HTTP request contains unknown methods; however, it doesn't. A packet that triggered this error shows as follows:

00000000: 48 45 41 44 20 2F 76 31 31 2F 32 2F 77 69 6E 64  HEAD /v11/2/wind
00000010: 6F 77 73 75 70 64 61 74 65 2F 72 65 64 69 72 2F  owsupdate/redir/
00000020: 76 36 2D 77 69 6E 37 73 70 31 2D 77 75 72 65 64  v6-win7sp1-wured
00000030: 69 72 2E 63 61 62 3F 31 35 30 36 31 37 30 37 35  ir.cab?150617075
00000040: 33 20 48 54 54 50 2F 31 2E 31 0D 0A 43 6F 6E 6E  3 HTTP/1.1..Conn
00000050: 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69  ection: Keep-Ali
00000060: 76 65 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D  ve..Accept: */*.
00000070: 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 57 69 6E  .User-Agent: Win
00000080: 64 6F 77 73 2D 55 70 64 61 74 65 2D 41 67 65 6E  dows-Update-Agen
00000090: 74 0D 0A 48 6F 73 74 3A 20 64 73 2E 64 6F 77 6E  t..Host: ds.down
000000A0: 6C 6F 61 64 2E 77 69 6E 64 6F 77 73 75 70 64 61  load.windowsupda
000000B0: 74 65 2E 63 6F 6D 0D 0A 0D 0A                    te.com....

This is, by all means, a valid HTTP request, isn't it? I wonder what makes the preproc startle here.

Additionally, the alert is triggered on websocket requests; obviously the preprocessor fails to recognize valid websockets.

Furthermore, it seems that some of these errors are triggered by fragmented packets, as payloads such as the following appear in snorby:

0000000: 48 6f 73 74 3a 20 67 6f 6f 67 6c 65 2e 64 65 0a  Host:.google.de.
With these protocol headers:

IP-Header:
| ip_hlen: 5 | ip_csum: 23323 | ip_off: 0 | ip_flags: 0 | ip_ttl: 63 | ip_proto: 6 | ip_ver: 4 | ip_id: 7195 | ip_tos: 0 | ip_len: 68 |
TCP-Header:
| tcp_flags: 24 | tcp_win: 29200 | tcp_ack: 2362165352 | tcp_seq: 1888033555 | tcp_csum: 12589 | tcp_urp: 0 | tcp_res: 0 | tcp_off: 8 | tcp_dport: 80 | tcp_sport: 56953 |

I think this is not valid HTTP but a fragment of a valid, longer request.

Now it would be great to have a rule that detects violations of the HTTP protocol, as malicious code could be used in an attack or DoS; however, the amount of false positives this rule raises makes it completely useless.

Configuration:

Running in Rule Dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort-br1.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 20:21 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort/br1
WARNING: ip4 normalizations disabled because not inline.
WARNING: tcp normalizations disabled because not inline.
WARNING: icmp4 normalizations disabled because not inline.
WARNING: ip6 normalizations disabled because not inline.
WARNING: icmp6 normalizations disabled because not inline.
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Bound Address: default
    Target-based policy: WINDOWS
    Fragment timeout: 180 seconds
    Fragment min_ttl: 1
    Fragment Anomalies: Alert
    Overlap Limit: 10
    Min fragment Length: 100
    Max Expected Streams: 768
Stream global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 262144
    TCP cache pruning timeout: 30 seconds
    TCP cache nominal timeout: 3600 seconds
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: ACTIVE
    Max UDP sessions: 131072
    UDP cache pruning timeout: 30 seconds
    UDP cache nominal timeout: 180 seconds
    Track ICMP sessions: INACTIVE
    Track IP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
    Send up to 2 active responses
    Wait at least 5 seconds between responses
    Protocol Aware Flushing: ACTIVE
        Maximum Flush Point: 16384
Stream TCP Policy config:
    Bound Address: default
    Reassembly Policy: WINDOWS
    Timeout: 180 seconds
    Limit on TCP Overlaps: 10
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
        Require 3-Way Handshake: YES
        3-Way Handshake Timeout: 180
        Detect Anomalies: YES
    Reassembly Ports:
      21 client (Footprint)
      22 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      79 client (Footprint)
      80 client (Footprint) server (Footprint)
      81 client (Footprint) server (Footprint)
      109 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      113 client (Footprint)
      119 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      161 client (Footprint)
      additional ports configured but not printed.
Stream UDP Policy config:
    Timeout: 180 seconds
HttpInspect Config:
    GLOBAL CONFIG
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
      Memcap used for logging URI and Hostname: 150994944
      Max Gzip Memory: 838860
      Max Gzip Sessions: 2723
      Gzip Compress Depth: 65535
      Gzip Decompress Depth: 65535
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports (PAF): 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181 8243 8280 8888 9090 9091 9443 9999 11371
      Server Flow Depth: 0
      Client Flow Depth: 0
      Max Chunk Length: 500000
      Max Header Field Length: 1500
      Max Number Header Fields: 100
      Max Number of WhiteSpaces allowed with header folding: 200
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 1000
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Inspect HTTP Cookies: YES
      Inspect HTTP Responses: YES
      Extract Gzip from responses: YES
      Decompress response files:
      Unlimited decompression of gzip data from responses: YES
      Normalize Javascripts in HTTP Responses: NO
      Normalize HTTP Cookies: NO
      Enable XFF and True Client IP: NO
      Log HTTP URI data: NO
      Log HTTP Hostname data: NO
      Extended ASCII code support in URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: NO
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: NO
      UTF 8: YES alert: NO
      IIS Unicode: YES alert: NO
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: NO
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
    alert_fragments: INACTIVE
    alert_large_fragments: INACTIVE
    alert_incomplete: INACTIVE
    alert_multiple_requests: INACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   21598
Dumping dynamic rules...
Finished dumping dynamic rules.
Snort exiting

root@sensor:~# snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.3 GRE (Build 217)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4

------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
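The method check Carter describes, replayed on the two payloads quoted in this thread, as an added example (not code from the thread or from Snort itself). It assumes the rule logic is exactly "GET, POST, or listed in http_methods, else alert"; the `ports { 80 8080 }` part of the config lines is an assumption, and the payload bytes are reconstructed from the hex dumps above.

```python
import re

# Constructed from the HEAD request hex dump quoted in the thread.
HEAD_REQUEST = (
    b"HEAD /v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1506170753 HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Windows-Update-Agent\r\n"
    b"Host: ds.download.windowsupdate.com\r\n\r\n"
)
# Constructed from the second dump: a mid-stream fragment with no request line at all.
FRAGMENT = b"Host: google.de\n"

# Illustrative http_inspect_server lines (port list assumed): the default without
# http_methods, and the one the thread settles on.
DEFAULT_CONFIG = "preprocessor http_inspect_server: server default profile all ports { 80 8080 }"
FIXED_CONFIG = DEFAULT_CONFIG + " http_methods { GET POST HEAD PUT CONNECT }"

# Per Carter's description, GET and POST are accepted regardless of http_methods.
BUILTIN_METHODS = {"GET", "POST"}


def parse_http_methods(config_line):
    """Return the method names from an 'http_methods { ... }' option, or an empty set."""
    match = re.search(r"http_methods\s*\{([^}]*)\}", config_line)
    return set(match.group(1).split()) if match else set()


def request_method(payload):
    """Take the first whitespace-delimited token as the method, as a request-line parser would."""
    parts = payload.split(None, 1)
    return parts[0].decode("ascii", "replace") if parts else ""


def unknown_method_alert(payload, config_line):
    """True when HI_CLIENT_UNKNOWN_METHOD (gid 119, sid 31) fires under the assumed check."""
    method = request_method(payload)
    return method not in BUILTIN_METHODS and method not in parse_http_methods(config_line)


if __name__ == "__main__":
    for label, payload in (("HEAD request", HEAD_REQUEST), ("fragment", FRAGMENT)):
        for cfg_label, cfg in (("default", DEFAULT_CONFIG), ("fixed", FIXED_CONFIG)):
            fires = unknown_method_alert(payload, cfg)
            print(f"{label:13s} / {cfg_label:7s} config -> 119:31 fires: {fires}")
```

With the fixed config the HEAD request no longer alerts, but the `Host:` fragment still does, because its first token is a header name rather than a method: that matches Gaurav's point that the http_methods change only addresses the first case and the fragment case needs a code fix.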
Current thread:
- False Snort Alert [119:31:1] triggering katwell80 (Jun 17)
- Re: False Snort Alert [119:31:1] triggering Carter Waxman (cwaxman) (Jun 17)
- Re: False Snort Alert [119:31:1] triggering katwell80 (Jun 17)
- Re: False Snort Alert [119:31:1] triggering Gaurav Nagare (gnagare) (Jun 17)
- Re: False Snort Alert [119:31:1] triggering katwell80 (Jun 17)
- Re: False Snort Alert [119:31:1] triggering Carter Waxman (cwaxman) (Jun 17)