Snort mailing list archives

missing alerts: Snort does not inspect payload from the machine it's running on?


From: Claus Regelmann <rgc () rgc1 inka de>
Date: Sat, 19 Mar 2016 00:15:02 +0100

Hello,

My snort runs on a small ATOM-based firewall between the internet router and the internal net.

+--------------+                        +----------+
| (NAT) router | <--192.168.178.0/24--> | firewall | <--10.1.0.0/16--> private-net
+--------------+ ^                    ^ +----------+
    192.168.178.1 +                    |192.168.178.240
                                       +-- snort listens here in passive mode

Test cases:

1.) I run 'openssl s_client ...' to connect to a Dridex-CnC. I run this twice, from an internal host and from the firewall.
The result is OK, two alerts:
--8< ------ >8--
        ID       < Signature >           < Timestamp >           < Source Address >      < Dest. Address >       < Layer 4 Proto >
#0-(1-90832)    [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D)        2016-03-18 03:22:19.993 192.168.178.240:40533   87.106.18.216:4483      TCP
#1-(1-90830)    [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D)        2016-03-18 03:17:02.652 10.1.1.5:53410  87.106.18.216:4483      TCP
--8< ------ >8--

2.) The router hosts a DNS-forwarder.
I run 'host 0if1nl6.org 192.168.178.1' to look up a ZeuS host, again from the firewall and the internal host.
But now only the query from the internal host alerts:
--8< ------ >8--
         ID      < Signature >           < Timestamp >           < Source Address >      < Dest. Address >       < Layer 4 Proto >
#0-(1-90896)    [snort] ZeuS Tracker: ZeuS CnC DNS lookup: 0if1nl6.org  2016-03-18 22:44:06.68  10.1.1.5:54346  192.168.178.1:53        UDP
--8< ------ >8--

3.) I wrote a small test rule:
        'alert tcp $HOME_NET any -> any 80 (msg:"RgC: TEST pattern found"; pcre:"/[^\/]*\/[0-9a-f]{5,8}\//U"; classtype:trojan-activity; sid:1000007; rev:1;)'.
I run 'wget http://...../abcdef01/zzz' on the firewall and the internal host.
Again, only the internal case alerts:
--8< ------ >8--
         ID      < Signature >           < Timestamp >           < Source Address >      < Dest. Address >       < Layer 4 Proto >
#0-(1-90897)    [snort] RgC: TEST pattern found         2016-03-18 23:06:51.482         10.1.1.5:37733  193.99.144.85:80        TCP
--8< ------ >8--

The first case only inspects header information.
The last two cases need the payload.

* Has anybody an idea what's going wrong here? *

I run snort version 2.9.7.6, self-compiled from sources (LFS).
My home-net is set to 'ipvar HOME_NET [192.168.178.240,10.1.0.0/16]'

Thank You
Claus Regelmann

