RE: Problems with snort-2.1.0]

["Daniel J. Roelker" <droelker () sourcefire com>]

Comments inline:

> From: "Schmehl, Paul L" <pauls () utdallas edu>
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Problems with snort-2.1.0
> Date: 12 Jan 2004 15:42:29 -0600
>
> ...
>
> 2) I enabled the perfmon preprocessor for the first time - this resulted
> in filling up /var/log/messages *extremely* fast.  (Newsyslog was
> turning over the messages log every *hour*.)  Is this normal?  (I've
> since turned perfmon off.)  The amount of information in the messages
> file was in the neigborhood of 2500 lines *per* reporting instance.  The
> line in the snort.conf file was:
> #preprocessor perfmonitor: console max file stats.snort flow events time
> 10 pktcnt 10000
>
> The stats.snort file is 1.3MB.

The configuration line that you may want to use is:

preprocessor perfmonitor: file stats.snort time 300 pktcnt 10000

This gives you the basic performance stats on a 5 minute interval.  The
reason you were seeing so many lines was that you had 'flow' enabled. 
If you read the documentation this says that "statistics are printed out
about the type of traffic and protocol distributions that snort is
seeing".  That's what these 2500 lines of statistics were.  These
statistics help users fine tune snort for performance on their network
by detailing the various network protocol flows and client and server
side data.

> 3) The new http_inspect preprocessor (which replaced http_decode) was
> pumping out alerts at a phenomenal rate.  In one hour I had over 30,000
> alerts just from one portion of the preprocessor
> (detect_anomalous_servers).  (I disabled it.)  Over the weekend, the
> BARE BYTE UNICODE ENCODING alert was triggered over 2 million times!
> The top 6 alerts I'm seeing are all from this preprocessor and account
> for 98%! of all the alerts in the database.  (I've since completely
> disabled http_inspect.)  Is anyone else seeing these levels of alerting
> from this preprocessor?
>
> Here's the config that I was using (all commented out now):
>
> #preprocessor http_inspect: global \
> #    iis_unicode_map unicode.map 1252
>
> #preprocessor http_inspect_server: server default \
> #    profile all \
> #    ports { 80 443 8080 } \
> #    flow_depth 300 \
> #    oversize_dir_length 300
>
> I read and reread the README.http_inspect doc, and I *thought* that I
> understood how to use it, but I was not expecting the huge volume of
> alerts that I got.  The first thing that I noticed is that the
> detect_anomalous_servers flag triggered on *anything* that was web
> traffic from non-webservers.  I would have *thought* that it would only
> trigger if the *source port* was an http port *and* the source IP was
> within $HOME_NET.  Did I misread the docs?  Or is the preprocessor
> looking at any -> any?
>
> I was also surprised to see alerts from bare_bytes,
> non_rfc_defined_chars and many other flags that I had not specifically
> enabled (or at least I *thought* that I hadn't enabled them.)
>
> What am I missing?

Apparently a lot.  ;)

detect_anomalous_servers:
In the documentation it says, "This global configuration option enables
generic HTTP server traffic inspection on non-HTTP configured ports, and
alerts if HTTP traffic is seen.".  The docs say nothing about HOME_NET
or any other variables in regard to http_inspect, so if you could point
us to where you got that fact in the docs we'll be happy to fix it so
it's less confusing.  

This means that http_inspect is indeed looking at all traffic.  Since
you're getting so many anomalous_server alerts you should just turn off
detect_anomalous_servers until you are able to configure your default
and unique HTTP servers appropriately.  But it's not a big deal if you
don't have this enabled.

BARE_BYTE ENCODING alert:
Uh, here's your problem.  In your default server configuration you have
443 as an HTTP server port.  443 is definitely an HTTP port but there's
something a little different about it, it's encrypted.  So that makes it
really hard for snort to correctly decode where the request URI is in
the stream of data.  The reason you're getting those alerts is because
http_inspect probably thinks the request URI is after the first space in
the encrypted stream and starts decoding.  Some of the encrypted bytes
probably look like unicode sequences and *poof* you have a BARE_BYTE
ENCODING alert.

So take any encrypted HTTP ports (i.e. 443) out of your http_inspect
port configuration.  I guess we'll add that fact to the documentation
notes  to make it completely clear.

non_rfc_chars, other flags, etc:
The non_rfc_char alerts have been an issue and we're taking that out of
the default server policies, i.e. apache, iis, all.  Which brings us to
the issue that you didn't enable many of the flags that you are seeing
alerts for.  This is because you have enabled a profile, in this case
'all' to be specific.  If you look at the documentation it tells you
what flags are pre-set for this particular profile.  So that's why
you're seeing alerts for things that you didn't specifically set.

Another tip that's in the documentation is to enable no_alerts in a
server configuration.  This turns off all http_inspect alerts for that
configuration, but still normalizes the traffic so your HTTP rules will
alert on the normalized URL.  This would have worked great for the
BARE_BYTE alerts, but at least now we've fixed the real problem for you.

There were some http_inspect alerts (non_rfc_char was the common one)
that didn't recognize no_alerts, but these will all be fixed in the
2.1.1 release that's coming up.

Thanks for testing out some of the new features.  Hopefully, they make a
little more sense now.

-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.



-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users