Snort mailing list archives
Re: Snort-users Digest, Vol 129, Issue 18
From: Porncheewa PomHom <porncheewa () gmail com>
Date: Sat, 11 Feb 2017 17:20:40 +0700
I don,t need snort เมื่อ วันศุกร์ที่ 10 กุมภาพันธ์ ค.ศ. 2017, < snort-users-request () lists sourceforge net> เขียนว่า:
Send Snort-users mailing list submissions to snort-users () lists sourceforge net <javascript:;> To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net <javascript:;> You can reach the person managing the list at snort-users-owner () lists sourceforge net <javascript:;> When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..." When responding, please don't respond with the entire Digest. Please trim your response. Today's Topics: 1. Re: http_inspect missing requests (Russ) 2. Re: (no subject) (wkitty42 () windstream net <javascript:;>) 3. Re: (no subject) (Russ) 4. Re: (no subject) (wkitty42 () windstream net <javascript:;>) 5. Re: (no subject) (Joel Esler (jesler)) ---------------------------------------------------------------------- Message: 1 Date: Thu, 9 Feb 2017 11:13:01 -0500 From: Russ <rucombs () cisco com <javascript:;>> Subject: Re: [Snort-users] http_inspect missing requests To: Felix Erlacher <felix.erlacher () uibk ac at <javascript:;>>, "snort-users () lists sourceforge net <javascript:;>" <snort-users () lists sourceforge net <javascript:;>> Message-ID: <292077f4-4e43-5c7a-e47b-fb6733319570 () cisco com <javascript:;>Content-Type: text/plain; charset=windows-1252; format=flowed The raw and rebuilt packets undergo detection. Check your shutdown stats under "Limits" for each run. You may be hitting the match limit. See doc/README.counts for details. On 2/9/17 5:06 AM, Felix Erlacher wrote:Thanks for the insightful and clarifying answer. Does a similar behavior apply to the rule application engine as well? As explained in my last mail, http_inspect states for both traces 10 GET requests. So I assume that is what the application engine analyzes. But the number of alerts differs, although the payload, and thus the searched pattern in the http_header, is the same in both traces. Thanks and greets felix On 08/02/17 18:11, Russ wrote:The http_inspect preprocessor has evolved over the years to become more stateful but retains some stateless processing which your new pcaps are exercising since they lack a full TCP session with 3-way handshake. Processing the bald data segments can lead to bogus results along with diminished performance. Consider the pcap with 10 fully overlapping segments. Snort processed them all. Within the context of a normal session, only one would be processed depending upon policy because only one would be delivered to the receiving TCP user. In IDS mode Snort will handle the overlaps according to configured policy whereas in IPS mode Snort will ensure first wins and normalize subsequent overlaps to match. So, normal traffic with a proper session will be processed more efficiently and more accurately. If you are curious, try crafting a full session for these two cases and see how it goes. If you are extra curious, try out Snort++ instead which has a completely new http_inspect. On 2/8/17 6:39 AM, Felix Erlacher wrote:Thanks for the help. All GET requests where processed in inline mode like you proposed. Is this because in IDS mode Snort works in post-ack inspection mode and in inline (IPS) mode it does pre-ack inspection? I couldn't find any information about this in the Snort manual. But there are still some questions regarding this trace. You say that if packets are not ACKed, Snort will not look at them (if not in IPS mode). But if I put the same TCP payload in one segment (10GETonePanon.pcap) and feed it to Snort, the http_inspect stats show me 10 GET requests. But according to your last mail it shouldn't because the segment is not ACKed. (Again, I used the standard snort.conf from 2.9.9.0 in IDS mode withthe-k none switch) The same holds if I put every GET request in an individual packet, resulting in 10 TCP segments (10indivGETanon.pcap). http_inspect tells me it processed 10 GET requests altough none of the 10 packets was ACKed. (They even have all the same SEQ numbers.) There is one difference betwee the two traces, though. The rule withsid2013504 from the Emerging Threats ruleset looks for content:"APT-HTTP|2F|" in the http_header. It fires 5 alerts for the 10GETonePanon.pcap trace but 10 alerts forthe10indivGETanon.pcap trace. The payload can be found 10 times in bothtraces.It would be great if someone could give me some insights on this. greets felix On 03/02/17 23:06, Russ wrote:The final 3 GET requests were not acknowledged by the TCP server andsoweren't processed. If you run in IPS mode you will see them get them processed. To enable IPS mode, make sure you have preprocessor normalize_tcp: ips in your conf and add these args to your command line: --daq dump --daq-var load-mode=read-file -Q The dump DAQ allows you to test inline mode with pcaps (it willcreate anew pcap with only the packets allowed to pass); -Q enables inlinemode;and normalize_tcp: ips enables stream normalization. On 2/3/17 1:27 PM, Felix Erlacher wrote:Hi all, I have a pcap trace containing HTTP traffic. I began to wonderbecauseSnort did not trigger all alerts I was expecting. So I extracted theTCPstream in question and looked at it more closely. My impression isthatfor some reason the HTTP preprocessor is not parsing all GETrequests.If I load this trace in Wireshark, than "follow TCP stream", itshows me10 GET requests. If I use ngrep to manually inspect the trace, I count 10 GETrequests aswell. But the HTTP Inspect preprocessor of Snort tells me it found only 7GETrequests?! What could possibly be the problem? Some peculiarities of the trace: Heavy usage of HTTP/1.1 pipelining While Wireshark and the Snort DAQ tell me they processed 13 packets, HTTP inspect tells me it processed 17 packets. This trace contains checksum errors and a tcp RST in the last packet. I am using Snort 2.9.9.0 with snort.conf from tarball and "-k none"switch.I would be happy to share the trace, but for privacy reasons I don't want to do that on the list. In case someone wants to take a look,justdrop me a mail. thanks and greetings ------------------------------------------------------------------------------Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net <javascript:;> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all thelatest Snort news! ------------------------------ Message: 2 Date: Thu, 9 Feb 2017 12:21:30 -0500 From: wkitty42 () windstream net <javascript:;> Subject: Re: [Snort-users] (no subject) To: snort-users () lists sourceforge net <javascript:;> Message-ID: <174d993d-9181-6883-df59-6cd596751bf3 () windstream net <javascript:;>> Content-Type: text/plain; charset=utf-8; format=flowed On 02/08/2017 10:42 PM, Al Lewis (allewi) wrote:Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-usersi wonder sometimes if there should be a bot to react to these and post these responses back to the users... but then i think about how that might be abused and say, "nah"... the real interesting question is why, all of a sudden, are all these requests coming in? what has happened to cause this where folks just can't or don't seem to know how to do it themselves? -- NOTE: No off-list assistance is given without prior approval. *Please keep mailing list traffic on the list* unless private contact is specifically requested and granted. ------------------------------ Message: 3 Date: Thu, 9 Feb 2017 13:21:56 -0500 From: Russ <rucombs () cisco com <javascript:;>> Subject: Re: [Snort-users] (no subject) To: wkitty42 () windstream net <javascript:;>, snort-users () lists sourceforge net <javascript:;> Message-ID: <8f2e850b-703c-8c37-c111-8b74fb65dc31 () cisco com <javascript:;>Content-Type: text/plain; charset=windows-1252; format=flowed Seems like they must be trolling us. :) My recommendation is to filter out / ignore all such messages. If they really want to unsubscribe, they will figure it out. Do not reply! On 2/9/17 12:21 PM, wkitty42 () windstream net <javascript:;> wrote:On 02/08/2017 10:42 PM, Al Lewis (allewi) wrote:Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-usersi wonder sometimes if there should be a bot to react to these and posttheseresponses back to the users... but then i think about how that might beabusedand say, "nah"... the real interesting question is why, all of a sudden, are all theserequestscoming in? what has happened to cause this where folks just can't ordon't seemto know how to do it themselves?------------------------------ Message: 4 Date: Thu, 9 Feb 2017 13:43:52 -0500 From: wkitty42 () windstream net <javascript:;> Subject: Re: [Snort-users] (no subject) To: snort-users () lists sourceforge net <javascript:;> Message-ID: <e5258794-954c-5dde-2963-b1f34aa22747 () windstream net <javascript:;>> Content-Type: text/plain; charset=utf-8; format=flowed On 02/09/2017 01:21 PM, Russ wrote:Seems like they must be trolling us. :) My recommendation is to filter out / ignore all such messages. If they really want to unsubscribe, they will figure it out. Do not reply!hahaha, i hear ya! :lol: however, i'm on some 15 or 20 mailing lists and they are all being hit by these "unsubscribe me" requests... it is hard to imagine that this is some new vector being used to try to infest systems but...On 2/9/17 12:21 PM, wkitty42 () windstream net <javascript:;> wrote:On 02/08/2017 10:42 PM, Al Lewis (allewi) wrote:Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-usersi wonder sometimes if there should be a bot to react to these and posttheseresponses back to the users... but then i think about how that might beabusedand say, "nah"... the real interesting question is why, all of a sudden, are all theserequestscoming in? what has happened to cause this where folks just can't ordon't seemto know how to do it themselves?-- NOTE: No off-list assistance is given without prior approval. *Please keep mailing list traffic on the list* unless private contact is specifically requested and granted. ------------------------------ Message: 5 Date: Fri, 10 Feb 2017 00:53:43 +0000 From: "Joel Esler (jesler)" <jesler () cisco com <javascript:;>> Subject: Re: [Snort-users] (no subject) To: Johnny Green <johnny.b.green1 () gmail com <javascript:;>> Cc: "Snort-users () lists sourceforge net <javascript:;>" <Snort-users () lists sourceforge net <javascript:;>> Message-ID: <25EF2EB8-0389-41CF-99EE-308ACF0C3ED0 () cisco com <javascript:;>Content-Type: text/plain; charset="utf-8" 2000+ new users in the last month? People don?t know how to read footers? -- Joel Esler | Talos: Manager | jesler () cisco com <javascript:;><mailto: jesler () cisco com <javascript:;>> On Feb 8, 2017, at 9:48 PM, Johnny Green <johnny.b.green1 () gmail com <javascript:;><mailto:johnny.b.green1 () gmail com <javascript:;>>> wrote: Remove from list ------------------------------------------------------------ ------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org<http://SlashDot.org>! http://sdm.link/slashdot_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net <javascript:;><mailto: Snort-users () lists sourceforge net <javascript:;>> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ ------------------------------------------------------------ ------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot ------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net <javascript:;> https://lists.sourceforge.net/lists/listinfo/snort-users End of Snort-users Digest, Vol 129, Issue 18 ********************************************
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Snort-users Digest, Vol 129, Issue 18 Porncheewa PomHom (Feb 11)
- Re: Snort-users Digest, Vol 129, Issue 18 wkitty42 (Feb 11)