Snort mailing list archives

RE: snort warnings


From: "Everist, Benjamin S. (NASWI)" <EveristB () naswi navy mil>
Date: Wed, 6 Aug 2003 11:48:08 -0700

So here is my guess of what is going on:

snort logs unique signatures it sees to the signatures tables.  When logging
an alert, it checks the signature table to see if the signature has been
alerted previously by means of the query

SELECT sig_id FROM signature WHERE sig_name = '(signame)' AND sig_rev = (sig_rev) AND sig_sid = (sig_sid)

The variables of which can be gotten from the rules files triggering an
alert.

If it's already there snort can use the existing record, if not snort writes
a new one.  This could explain the errors knox3 is writing to stdout; first
it finds more than 0 or 1 records for the query and gives 'returned more
than one result', then it tries to write a new signature to the table and
gets 'Problem inserting a new signature' (In mysql it appears that sig_name
and sig_class_id form a multi-column index.  In Postgres, (which I am not
using nor familiar with) there appears to be an index both on sig_name and
sig_class_id.  Perhaps the problem being referred to is a duplicate value
for that/those indexes).

If that is true, then what has happened such that so many entries exist in
the signature table for each signature?  

Would it be possible to try to fix this problem (symptom?) by dumping the
duplicate entries from the signature table?  

I think we need input from more experienced snorters (but in the absence of
that, I suppose I would create a new test snort db on your database machine
and have knox3 log to it, and go from there).

Benjamin Everist

-----Original Message-----
From: Bryan Irvine [mailto:bryan.irvine () kingcountyjournal com]
Sent: Wednesday, August 06, 2003 10:31 AM
To: Everist, Benjamin S. (NASWI)
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] snort warnings


it is getting started in Daemon mode I just see the data go by.

It might be unrelated to my current problem, and I only bring it up
because it might be related.  but when I run 

###paste good command###
snort -o -b -l /var/www/htdocs/snort/xl1 -d -D -i xl1 -c /usr/local/share/snort/xl1.conf not host '(10.0.0.2)'
########################

I don't get any output, it just drops me down a line, but when I run

###paste bad command###
snort -o -b -l /var/www/htdocs/snort/fxp0 -d -D -i fxp0 -c /usr/local/share/snort/fxp0.conf not host '(192.233.100.78)'
#######################

I get this:

###Paste output from bad command###
Aug  6 10:05:33 knox3 snort: Initializing daemon mode 
Aug  6 10:05:33 knox3 snort: PID path stat checked out ok, PID path set to /var/run/ 
Aug  6 10:05:33 knox3 snort: Writing PID "25358" to file "/var/run//snort_fxp1.pid" 
Aug  6 10:05:33 knox3 snort: http_decode arguments: 
Aug  6 10:05:33 knox3 snort:     Unicode decoding 
Aug  6 10:05:33 knox3 snort:     IIS alternate Unicode decoding 
Aug  6 10:05:33 knox3 snort:     IIS double encoding vuln 
Aug  6 10:05:33 knox3 snort:     Flip backslash to slash 
Aug  6 10:05:33 knox3 snort:     Include additional whitespace separators 
Aug  6 10:05:33 knox3 snort:     Ports to decode http on: 80  
Aug  6 10:05:33 knox3 snort: rpc_decode arguments: 
Aug  6 10:05:33 knox3 snort:     Ports to decode RPC on: 111 32771  
Aug  6 10:05:33 knox3 snort:     alert_fragments: INACTIVE 
Aug  6 10:05:33 knox3 snort:     alert_large_fragments: ACTIVE 
Aug  6 10:05:33 knox3 snort:     alert_incomplete: ACTIVE 
Aug  6 10:05:33 knox3 snort:     alert_multiple_requests: ACTIVE 
Aug  6 10:05:33 knox3 snort: telnet_decode arguments: 
Aug  6 10:05:33 knox3 snort:     Ports to decode telnet on: 21 23 25 119  
Aug  6 10:05:35 knox3 snort: Snort initialization completed successfully
#################################

It does fire up in Daemon mode, just not quietly like the other one
does.

I'm thinking it might be related to the fact that you only get 1
instance when you run the select and I get 141.

I tried just doing a "select * from signature;" just to satisfy my own
curiosity and got tired of watching the output at around record
10,000-ish and canceled out, there was lots of output for the records
that aren't getting inserted.

--Bryan

On Wed, 2003-08-06 at 10:09, Everist, Benjamin S. (NASWI) wrote:
be my guest.  Another question - you wrote in another post:
"the 2.0.0 box starts quietly and I don't see any output when I run
the script, the 2.0.1 box scrolls the regular startup output when
started."

Snort scrolling the startup output to stdout sounds like it -isn't-
starting in Daemon mode.  What's up with that?

-----Original Message-----
From: Bryan Irvine [mailto:bryan.irvine () kingcountyjournal com]
Sent: Wednesday, August 06, 2003 9:58 AM
To: Everist, Benjamin S. (NASWI)
Subject: RE: [Snort-users] snort warnings


i uhm...get 141 rows....

odd...mind if I repost your message to the list?


--Bryan

On Wed, 2003-08-06 at 09:47, Everist, Benjamin S. (NASWI) wrote:
Just out of curiosity, if you log into postgres and issue the
following query:

select * from signature where sig_name = 'WEB-CGI adcycle access' and sig_rev = 3 and sig_sid = 1721;

what do you get?  In mysql, I get:


+--------+------------------------+--------------+--------------+---------+---------+
| sig_id | sig_name               | sig_class_id | sig_priority | sig_rev | sig_sid |
+--------+------------------------+--------------+--------------+---------+---------+
|     39 | WEB-CGI adcycle access |            5 |            2 |       3 |    1721 |
+--------+------------------------+--------------+--------------+---------+---------+
1 row in set (0.00 sec)

It looks as if snort is expecting one record and getting >1.  Snort is
then writing the error to stdout.


-----Original Message-----
From: Bryan Irvine [mailto:bryan.irvine () kingcountyjournal com]
Sent: Tuesday, August 05, 2003 3:06 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort warnings


I get tons of these errors

Aug  5 14:48:10 knox3 snort: database: warning (SELECT sig_id FROM signature WHERE sig_name = 'WEB-CGI adcycle access' AND  sig_rev = 3 AND sig_sid = 1721 ) returned more than one result 
Aug  5 14:48:10 knox3 snort: database: warning (SELECT sig_id FROM signature WHERE sig_name = 'WEB-CGI adcycle access' AND  sig_rev = 3 AND sig_sid = 1721 ) returned more than one result 
Aug  5 14:48:10 knox3 snort: database: Problem inserting a new signature 'WEB-CGI adcycle access' 
Aug  5 14:48:10 knox3 snort: database: Problem inserting a new signature 'WEB-CGI adcycle access'

the odd thing is, this is set to run in daemon mode and log to postgres
so i'm not sure why i'm even getting the errors to stdout.

This is the script I'm using to start snort.

snort -o -b -l /var/www/htdocs/snort/fxp0 -d -D -i fxp0 -c /usr/local/share/snort/fxp0.conf not host '(192.233.100.178)'

snort -o -b -l /var/www/htdocs/snort/fxp1 -d -D -i fxp1 -c /usr/local/share/snort/fxp1.conf not host '(192.233.100.178)'

any ideas?

--Bryan


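Added example, not part of the thread: a scratch reproduction of the lookup-then-insert behaviour Benjamin describes at the top of the thread, followed by the duplicate-finding and cleanup queries he asks about. The signature column names are taken from the mysql output quoted above; the event table with a "signature" column referencing signature.sig_id is assumed from the Snort database schema of that era, and the index name is made up. Written for PostgreSQL (which the poster's knox3 logs to); run it against a throwaway database, not the live one, and check which columns your own event table actually carries before adapting the UPDATE.

```sql
-- Minimal copy of the two tables involved. The event table and its
-- "signature" foreign key are an assumption about the Snort schema.
CREATE TABLE signature (
    sig_id       SERIAL PRIMARY KEY,
    sig_name     VARCHAR(255) NOT NULL,
    sig_class_id INTEGER,
    sig_priority INTEGER,
    sig_rev      INTEGER,
    sig_sid      INTEGER
);

CREATE TABLE event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL REFERENCES signature (sig_id),
    timestamp TIMESTAMP NOT NULL,
    PRIMARY KEY (sid, cid)
);

-- Constructed data: the same rule recorded three times (the condition seen
-- on knox3), plus one unrelated row that must survive the cleanup.
INSERT INTO signature (sig_name, sig_class_id, sig_priority, sig_rev, sig_sid) VALUES
    ('WEB-CGI adcycle access', 5, 2, 3, 1721),
    ('WEB-CGI adcycle access', 5, 2, 3, 1721),
    ('WEB-CGI adcycle access', 5, 2, 3, 1721),
    ('EXAMPLE unrelated rule',  5, 2, 1, 9999);

INSERT INTO event (sid, cid, signature, timestamp) VALUES
    (1, 1, 1, '2003-08-05 14:48:10'),
    (1, 2, 2, '2003-08-05 14:48:10'),
    (1, 3, 3, '2003-08-05 14:48:11');

-- The lookup the database output plugin issues before it inserts a new
-- signature row. Snort expects 0 or 1 rows; here it gets three, which is
-- the "returned more than one result" warning from the original post.
SELECT sig_id FROM signature
 WHERE sig_name = 'WEB-CGI adcycle access' AND sig_rev = 3 AND sig_sid = 1721;

-- Every (name, rev, sid) triple that occurs more than once, with the
-- lowest sig_id of each group, which is the row we will keep.
SELECT sig_name, sig_rev, sig_sid, COUNT(*) AS copies, MIN(sig_id) AS keep_id
  FROM signature
 GROUP BY sig_name, sig_rev, sig_sid
HAVING COUNT(*) > 1;

-- Cleanup in one transaction: first re-point events at the surviving
-- sig_id, then delete the extra signature rows, then add a unique index
-- so the table cannot drift back into this state.
BEGIN;

UPDATE event e
   SET signature = k.keep_id
  FROM signature s
  JOIN (SELECT sig_name, sig_rev, sig_sid, MIN(sig_id) AS keep_id
          FROM signature
         GROUP BY sig_name, sig_rev, sig_sid) k
    ON k.sig_name = s.sig_name AND k.sig_rev = s.sig_rev AND k.sig_sid = s.sig_sid
 WHERE e.signature = s.sig_id
   AND s.sig_id <> k.keep_id;

DELETE FROM signature s
 USING (SELECT sig_name, sig_rev, sig_sid, MIN(sig_id) AS keep_id
          FROM signature
         GROUP BY sig_name, sig_rev, sig_sid) k
 WHERE k.sig_name = s.sig_name AND k.sig_rev = s.sig_rev AND k.sig_sid = s.sig_sid
   AND s.sig_id <> k.keep_id;

CREATE UNIQUE INDEX signature_name_rev_sid_uniq   -- hypothetical index name
    ON signature (sig_name, sig_rev, sig_sid);

COMMIT;

-- The original lookup now returns exactly one row (sig_id 1), and every
-- event still joins to a signature row.
SELECT sig_id FROM signature
 WHERE sig_name = 'WEB-CGI adcycle access' AND sig_rev = 3 AND sig_sid = 1721;

SELECT COUNT(*) AS orphaned_events
  FROM event e LEFT JOIN signature s ON s.sig_id = e.signature
 WHERE s.sig_id IS NULL;
```

Two caveats. Rules without an sid or rev store NULL in those columns, and NULL never matches the equality in the GROUP BY keys or the WHERE clauses above, so such rows are left alone by this cleanup; check for them separately. And the unique index is what actually prevents a recurrence: the plugin's SELECT-then-INSERT is not atomic, so two snort processes logging to the same database (the fxp0 and fxp1 instances in the start script, for instance) can each see zero rows and each insert a copy unless the database refuses the second one.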