Snort mailing list archives

Questions (and bug report?) about tagging


From: Martin Olsson <elof () sentor se>
Date: Fri, 23 Aug 2002 14:03:41 +0200 (CEST)


I'm playing around with the tag option and don't get the expected result.

Machine A (flash - 10.0.0.53) is running FreeBSD 4.6 and snort 1.8.7.
I have set up inetd to listen on port 80 with this script:

#!/bin/sh
# Banner sent as soon as the client connects
echo 'My server on port 80'
# Wait for the first client line (the "GET /php.cgi" request)
read VAR1
echo 'Here is a long listing of files'
ls -l /usr/lib
# Wait for a second client line before sending the final message
read VAR2
echo 'Now that should have triggered a couple of packets'
exit 0

I use this rule:
alert tcp any any -> any 80 (msg:"php.cgi access";flags:A+; uricontent:"/php.cgi"; nocase;
classtype:attempted-recon; sid:824; rev:6; tag:host,30,seconds,dst;)

From machine B (jean - 10.0.0.52) I connect to A and trigger an alert like
this:

---------------------------------------------------------------------
nc 10.0.0.53 80
  < My server on port 80
  > GET /php.cgi
  < Here is a long listing of files
  < drwxr-xr-x  2 root  wheel      512 Jun 11 06:17 aout
  < drwxr-xr-x  3 root  wheel      512 Aug  7 15:02 compat
  < -r--r--r--  1 root  wheel     1417 Jun 11 06:17 crt1.o
    <...several lines are cut...>
  < -r--r--r--  1 root  wheel     6424 Jun 11 06:18 pam_tacplus.so
  < -r--r--r--  1 root  wheel     4828 Jun 11 06:18 pam_unix.so
  > qwertyqwertyqwertyqwertyqwertyqwerty
  < Now that should have triggered a couple of packets
---------------------------------------------------------------------

Strange thing #1:
In my snort-tcpdump-file I get _one_ packet with the payload of both the
"GET /php.cgi" and the "qwertyqwertyqwertyqwertyqwertyqwerty" packets.
I thought snort dumped the packets exactly as is, but apparently that is
not so. This might confuse the person debugging the packets found in the
tcpdump-file since they aren't exact copies of the original packets.

Strange thing #2, and this is the critical one:
The first responses, "Here is a long listing of files" and the file
listing, are _not_ logged. This is not good since this reply is exactly
what I'm interested in and want to be logged.

If I expand the string "qwertyqwertyqwertyqwertyqwertyqwerty" to be
about 20 times longer, at least the message "Now that should have
triggered a couple of packets" is logged, but the first "Here is a long
listing of files" and the file listing are still missing.

After the packet or packets that belong to my port 80 session to machine
A, I also get a lot of logged packets for other activity (ssh) to/from
this machine. This is correct since my rule was set to tag on 'host' with
the 'dst' IP as its criteria.

Strange thing #3 (a bug in snort?):
The first packet in the tcpdump-file, the one matching "/php.cgi", has a
timestamp of 12:16:36. The last packet in the file has a timestamp of
12:24:34. This is far longer than the 30 seconds I specified.

Question #1:
Will the database plugin support logging tagged packets to a database, or
will just the first packet be logged as it currently does?

I run snort like this:
snort -D -q -L snort.tcpdump -l /var/log/snort -c /etc/snort.conf -i ed1

var HOME_NET any
var EXTERNAL_NET $HOME_NET
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS [10.0.0.1/32]
var RULE_PATH /var/snort
var SHELLCODE_PORTS !80
var HTTP_PORTS 80
var ORACLE_PORTS 1521
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 snort.portscan
preprocessor portscan-ignorehosts: $DNS_SERVERS
output database: alert, mysql, user=sentor password=pw dbname=snort host=10.0.0.10 sensor_name=nids1
output alert_fast: snort.alert
include /etc/snort-classification.config
include $RULE_PATH/web-cgi.rules
config alert_with_interface_name
config umask: 022
config checksum_mode: none
config show_year
config stateful


Information:
The output from machine B, running nc and sending "GET /php.cgi" and
"qwertyqwerty.....":
* http://www.mds.mdh.se/~dat94mon/snort/nc_on_machine-B.txt

The tcpdump-file:
* http://www.mds.mdh.se/~dat94mon/snort/snort.tcpdump

The tcpdump-file decoded to hex and ASCII:
* http://www.mds.mdh.se/~dat94mon/snort/tcpdump_from_machine-A_in_hex_ascii.txt

/Martin
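A way to check the tag window complained about above (Strange thing #3) against the logged tcpdump file, added here as an example; it is not part of Martin's post or of Snort. It parses a classic pcap buffer and lists the packets logged later than the tag window after the first one. The sample pcap is constructed inline, and the function names are my own.

```python
import struct

def parse_pcap(data: bytes):
    """Return a list of (timestamp_seconds, packet_bytes) from a classic pcap buffer."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"          # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"          # file written big-endian
    else:
        raise ValueError("not a classic pcap file")
    records = []
    offset = 24               # skip the 24-byte global header
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        pkt = data[offset:offset + incl_len]
        if len(pkt) < incl_len:
            raise ValueError("truncated packet record")
        records.append((ts_sec + ts_usec / 1e6, pkt))
        offset += incl_len
    return records

def packets_outside_tag_window(records, window_seconds):
    """Indexes of packets logged more than window_seconds after the first packet.

    For a rule with tag:host,30,seconds this list should be empty."""
    if not records:
        return []
    start = records[0][0]
    return [i for i, (ts, _pkt) in enumerate(records) if ts - start > window_seconds]

def build_sample_pcap(offsets):
    """Construct a minimal little-endian pcap whose records are offsets seconds apart."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    base = 1030105000         # constructed epoch timestamp, not from the real capture
    body = b""
    for sec in offsets:
        payload = b"\x00" * 54  # placeholder frame; only the timestamps matter here
        body += struct.pack("<IIII", base + sec, 0, len(payload), len(payload)) + payload
    return header + body

if __name__ == "__main__":
    sample = build_sample_pcap([0, 5, 29, 31, 478])
    print(packets_outside_tag_window(parse_pcap(sample), 30))  # prints [3, 4]
```

Point parse_pcap at the bytes of a real snort.tcpdump to see which logged packets fall beyond the 30-second tag window of the first alerting packet.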


