Snort mailing list archives
missing alerts: Snort does not inspect payload from the machine it's running on?
From: Claus Regelmann <rgc () rgc1 inka de>
Date: Sat, 19 Mar 2016 00:15:02 +0100
Hello,

my snort runs on a small ATOM-based firewall between the internet router and the internal net.

+--------------+                        +----------+
| (NAT) router | <--192.168.178.0/24--> | firewall | <--10.1.0.0/16--> privat-net
+--------------+                        +----------+
 ^                                       ^
 192.168.178.1                           |192.168.178.240
                                         +-- snort listens here in passive mode

Test cases:

1.) I run 'openssl s_client ...' to connect to a Dridex-CnC. I run this twice, from an internal host and from the firewall. The result is OK, two alerts:

--8< ------ >8--
ID < Signature > < Timestamp > < Source Address > < Dest. Address > < Layer 4 Proto >
#0-(1-90832) [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D) 2016-03-18 03:22:19.993 192.168.178.240:40533 87.106.18.216:4483 TCP
#1-(1-90830) [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D) 2016-03-18 03:17:02.652 10.1.1.5:53410 87.106.18.216:4483 TCP
--8< ------ >8--

2.) The router hosts a DNS-forwarder. I run 'host 0if1nl6.org 192.168.178.1' to look up a zeus host, again from the firewall and the internal host. But now only the query from the internal host alerts:

--8< ------ >8--
ID < Signature > < Timestamp > < Source Address > < Dest. Address > < Layer 4 Proto >
#0-(1-90896) [snort] ZeuS Tracker: ZeuS CnC DNS lookup: 0if1nl6.org 2016-03-18 22:44:06.68 10.1.1.5:54346 192.168.178.1:53 UDP
--8< ------ >8--

3.) I wrote a small test rule:

'alert tcp $HOME_NET any -> any 80 (msg:"RgC: TEST pattern found"; pcre:"/[^\/]*\/[0-9a-f]{5,8}\//U"; classtype:trojan-activity; sid:1000007; rev:1;)'

I run 'wget http://...../abcdef01/zzz' on the firewall and the internal host. Again, only the internal case alerts:

--8< ------ >8--
ID < Signature > < Timestamp > < Source Address > < Dest. Address > < Layer 4 Proto >
#0-(1-90897) [snort] RgC: TEST pattern found 2016-03-18 23:06:51.482 10.1.1.5:37733 193.99.144.85:80 TCP
--8< ------ >8--

The 1st case only inspects header information. The last two cases need the payload.

* Has anybody an idea what's going wrong here? *

I run snort version 2.9.7.6, self-compiled from sources (LFS). My home-net is set to 'ipvar HOME_NET [192.168.178.240,10.1.0.0/16]'

Thank You
Claus Regelmann
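The comparison Claus did by eye (did every test source trigger every signature?) is easy to mechanise when a sensor is suspected of missing its own host's traffic. The script below is an added example, not code from the post or from the Snort project: it parses the alert rows as they appear above (constructed copies of the post's lines), reports for each signature which expected test source never alerted, and checks that the author's HOME_NET definition actually covers the firewall's own address, so $HOME_NET can be ruled out as the cause. The expected-source list and HOME_NET values are taken from the post; the parsing regex is an assumption about the row layout shown there.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed copies of the alert rows quoted in the post (one row per line).
ALERT_ROWS = """
#0-(1-90832) [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D) 2016-03-18 03:22:19.993 192.168.178.240:40533 87.106.18.216:4483 TCP
#1-(1-90830) [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D) 2016-03-18 03:17:02.652 10.1.1.5:53410 87.106.18.216:4483 TCP
#0-(1-90896) [snort] ZeuS Tracker: ZeuS CnC DNS lookup: 0if1nl6.org 2016-03-18 22:44:06.68 10.1.1.5:54346 192.168.178.1:53 UDP
#0-(1-90897) [snort] RgC: TEST pattern found 2016-03-18 23:06:51.482 10.1.1.5:37733 193.99.144.85:80 TCP
"""

# The two hosts the tests were run from, and the HOME_NET from the post.
EXPECTED_SOURCES = ["192.168.178.240", "10.1.1.5"]
HOME_NET = ["192.168.178.240", "10.1.0.0/16"]

# Assumed row layout: "#idx-(sensor-event) [snort] <signature> <timestamp> src:port dst:port proto".
# The signature is matched lazily so the strict timestamp pattern terminates it.
ROW_RE = re.compile(
    r"^#(?P<idx>\d+)-\((?P<sensor>\d+)-(?P<event>\d+)\) \[snort\] "
    r"(?P<sig>.+?) "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"(?P<src>[0-9.]+):(?P<sport>\d+) "
    r"(?P<dst>[0-9.]+):(?P<dport>\d+) "
    r"(?P<proto>TCP|UDP|ICMP)$"
)


def parse_alerts(text):
    """Turn alert rows into dicts; raise on a row that does not fit the layout."""
    alerts = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed alert row: {line!r}")
        row = m.groupdict()
        for key in ("idx", "sensor", "event", "sport", "dport"):
            row[key] = int(row[key])
        alerts.append(row)
    return alerts


def sources_by_signature(alerts):
    """Map each signature message to the set of source addresses that raised it."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["sig"]].add(a["src"])
    return dict(seen)


def missing_sources(alerts, expected_sources):
    """For each signature, list the expected test sources that never triggered it."""
    seen = sources_by_signature(alerts)
    return {sig: sorted(set(expected_sources) - srcs) for sig, srcs in seen.items()}


def in_home_net(addr, home_net):
    """True if addr falls inside any of the HOME_NET entries (single IPs count as /32)."""
    ip = ip_address(addr)
    return any(ip in ip_network(entry, strict=False) for entry in home_net)


if __name__ == "__main__":
    parsed = parse_alerts(ALERT_ROWS)
    for sig, missing in missing_sources(parsed, EXPECTED_SOURCES).items():
        status = "OK" if not missing else "MISSING from " + ", ".join(missing)
        print(f"{status:45s} {sig}")
    for host in EXPECTED_SOURCES:
        print(f"{host} in HOME_NET: {in_home_net(host, HOME_NET)}")
```

Run as-is it reports the Feodo signature as seen from both hosts and the ZeuS DNS and RgC test signatures as missing from 192.168.178.240, while confirming that both addresses are inside HOME_NET; that isolates the gap to the payload-inspecting rules for the sensor host's own traffic rather than to the rule's network variable.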