Snort mailing list archives
Re: Something is wrong with snort logging?
From: fatema bannatwala <fatema.bannatwala () gmail com>
Date: Tue, 8 Nov 2016 09:54:30 -0500
For some reason the message bounced back, here is what I sent (if this email gets thru):
Hi YM,

Thanks for some pointers. I think it isn't a size limitation because the alert that had "clntnetid=" was about 20% longer than the one I mentioned in this email.

The logs are getting logged in their native unified2 format, and then barnyard pushes it to a postgres DB where the payload is stored in hex. Then we have a script that queries the snort DB and prints out the information in text (i.e. converts the hex payload into text), and that's how the alert looks after querying the DB (the one I used in this email, replacing "\n" with '::~~').

I didn't change anything for the HTTP preprocessor, and have been using it with all the default settings:

http_processor:

# HTTP normalization and anomaly detection. For more information, see README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 500 \
    max_header_length 750 \
    max_headers 100 \
    max_spaces 200 \
    small_chunk_length { 10 5 } \
    ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 5814 6080 6173 6988 7000 7001 7005 7071 7144 7145 7510 7770 7777 7778 7779 8000 8001 8008 8014 8015 8020 8028 8040 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090 9091 9111 9290 9443 9447 9710 9788 9999 10000 11371 12601 13014 15489 19980 29991 33300 34412 34443 34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712 } \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip \
    normalize_utf \
    unlimited_decompress \
    normalize_javascript \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    utf_8 no \
    u_encode yes \
    webroot no

On Tue, Nov 8, 2016 at 4:28 AM, Y M <snort () outlook com> wrote:

A quick look at this, it could be a number of things. Your rule does not specify where in the payload/HTTP request to look for the content "clntnetid=", so the HTTP body could be a few bytes or a large number of bytes. Snort will usually capture 3-5 (maybe?) packets that triggered the rule. The HTTP body may have few bytes that fit into these 3-5 packets, or they are further down the HTTP stream. It may be (again) similar to the log_uri buffer length, where on some occasions the URI gets logged and in others it won't due to lengthy URIs.

- Are you logging in binary format (unified2)? How does the data look there? Your log looks like it is in Full format.
- What are the configurations of your http_processor?

While this response is more guesses than answers, I hope it puts you in the right direction.

YM

------------------------------
*From:* fatema bannatwala <fatema.bannatwala () gmail com>
*Sent:* Monday, November 7, 2016 9:45:53 PM
*To:* snort-users () lists sourceforge net
*Subject:* [Snort-users] Something is wrong with snort logging?
Hi,

I have a snort rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Custom Likely Successful Generic Phish 2016-09-23"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"clntnetid="; depth:10; fast_pattern; http_client_body; content:"&pword="; distance:0; classtype:trojan-activity; sid:10001030; rev:1;)

The following event shouldn't trigger without a "clntnetid" in the string, so it looks like some data isn't getting logged into the snort tables:

[1:10001030:1] Custom Likely Successful Generic Phish 2016-09-23
2016-11-07 04:26:06.103000-05:00 1.2.3.4:54862 -> 185.8.63.111:80
TCP: Data Triggering Snort Rule:
POST /wp-admin/css/wep-et.php HTTP/1.1::~~Host: www.anjo.lv::~~Content-Type: application/x-www-form-urlencoded::~~Origin: null::~~Content-Length: 143::~~Connection: keep-alive::~~Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::~~User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4::~~Accept-Language: en-us::~~DNT: 1::~~Accept-Encoding: gzip, deflate::~~::~~

The other event that triggered this alert had "clntnetid" in the data string. Not sure if the events that are triggering this alert have that string in the data and snort is not logging it in the database, or something is not correct with the rule that is causing it to trigger for events NOT having that particular string in the data.

Snort version - 2.9.8.3
barnyard version - 2-1.9
pulledpork - 0.7.0

Does anyone know what might be going on?

Thanks,
Fatema.
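As an added illustration (not code from the thread or from Snort), the Python below parses an exported alert payload in the '::~~' form Fatema's script produces, compares the declared Content-Length with the body the log actually holds, and applies a simplified model of the rule's content checks. The two requests are constructed samples with a placeholder host; the headers-only one ends, like the posted alert, right after the blank line that closes the headers.

```python
SEP = "::~~"  # the export script replaces "\n" with this when printing from the DB

# Constructed samples, not the thread's own data. The first mirrors the posted
# alert, which stops right after the blank line that ends the headers; the
# second is what a complete request with the form body would look like.
HEADERS_ONLY = (
    "POST /wp-admin/css/wep-et.php HTTP/1.1" + SEP
    + "Host: www.example.invalid" + SEP          # placeholder host
    + "Content-Type: application/x-www-form-urlencoded" + SEP
    + "Content-Length: 143" + SEP + SEP
)
FULL_REQUEST = (
    "POST /wp-admin/css/wep-et.php HTTP/1.1" + SEP
    + "Host: www.example.invalid" + SEP          # placeholder host
    + "Content-Type: application/x-www-form-urlencoded" + SEP
    + "Content-Length: 27" + SEP + SEP
    + "clntnetid=user&pword=secret"
)


def parse_logged_request(text, sep=SEP):
    """Split an exported payload into method, URI, headers and body."""
    head, _, body = text.partition(sep + sep)  # blank line ends the headers
    lines = head.split(sep)
    method, uri = (lines[0].split(" ") + ["", ""])[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers, "body": body}


def body_captured(req):
    """Compare the declared Content-Length with the body the log holds."""
    declared = int(req["headers"].get("content-length") or 0)
    captured = len(req["body"].encode())
    return {"declared": declared, "captured": captured,
            "complete": captured >= declared}


def rule_matches(req):
    """Simplified model of sid:10001030's content checks, not Snort's engine."""
    if req["method"] != "POST" or ".php" not in req["uri"]:
        return False
    body = req["body"]
    # content:"clntnetid="; depth:10; -- a 10-byte pattern searched within the
    # first 10 bytes of the client body can only sit at offset 0
    if body[:10] != "clntnetid=":
        return False
    # content:"&pword="; distance:0; -- relative to the end of the prior match
    return "&pword=" in body[10:]
```

Run over the headers-only fragment, body_captured reports 0 of 143 declared bytes and rule_matches returns False, which is consistent with YM's point that the matching body sat in a later packet than the one the log preserved.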