Snort mailing list archives
RE: Problems with snort-2.1.0]
From: "Daniel J. Roelker" <droelker () sourcefire com>
Date: 13 Jan 2004 15:29:09 -0500
Comments inline:
From: "Schmehl, Paul L" <pauls () utdallas edu> To: snort-users () lists sourceforge net Subject: [Snort-users] Problems with snort-2.1.0 Date: 12 Jan 2004 15:42:29 -0600 ... 2) I enabled the perfmon preprocessor for the first time - this resulted in filling up /var/log/messages *extremely* fast. (Newsyslog was turning over the messages log every *hour*.) Is this normal? (I've since turned perfmon off.) The amount of information in the messages file was in the neigborhood of 2500 lines *per* reporting instance. The line in the snort.conf file was: #preprocessor perfmonitor: console max file stats.snort flow events time 10 pktcnt 10000 The stats.snort file is 1.3MB.
The configuration line that you may want to use is: preprocessor perfmonitor: file stats.snort time 300 pktcnt 10000 This gives you the basic performance stats on a 5 minute interval. The reason you were seeing so many lines was that you had 'flow' enabled. If you read the documentation this says that "statistics are printed out about the type of traffic and protocol distributions that snort is seeing". That's what these 2500 lines of statistics were. These statistics help users fine tune snort for performance on their network by detailing the various network protocol flows and client and server side data.
3) The new http_inspect preprocessor (which replaced http_decode) was pumping out alerts at a phenomenal rate. In one hour I had over 30,000 alerts just from one portion of the preprocessor (detect_anomalous_servers). (I disabled it.) Over the weekend, the BARE BYTE UNICODE ENCODING alert was triggered over 2 million times! The top 6 alerts I'm seeing are all from this preprocessor and account for 98%! of all the alerts in the database. (I've since completely disabled http_inspect.) Is anyone else seeing these levels of alerting from this preprocessor? Here's the config that I was using (all commented out now): #preprocessor http_inspect: global \ # iis_unicode_map unicode.map 1252 #preprocessor http_inspect_server: server default \ # profile all \ # ports { 80 443 8080 } \ # flow_depth 300 \ # oversize_dir_length 300 I read and reread the README.http_inspect doc, and I *thought* that I understood how to use it, but I was not expecting the huge volume of alerts that I got. The first thing that I noticed is that the detect_anomalous_servers flag triggered on *anything* that was web traffic from non-webservers. I would have *thought* that it would only trigger if the *source port* was an http port *and* the source IP was within $HOME_NET. Did I misread the docs? Or is the preprocessor looking at any -> any? I was also surprised to see alerts from bare_bytes, non_rfc_defined_chars and many other flags that I had not specifically enabled (or at least I *thought* that I hadn't enabled them.) What am I missing?
Apparently a lot. ;) detect_anomalous_servers: In the documentation it says, "This global configuration option enables generic HTTP server traffic inspection on non-HTTP configured ports, and alerts if HTTP traffic is seen.". The docs say nothing about HOME_NET or any other variables in regard to http_inspect, so if you could point us to where you got that fact in the docs we'll be happy to fix it so it's less confusing. This means that http_inspect is indeed looking at all traffic. Since you're getting so many anomalous_server alerts you should just turn off detect_anomalous_servers until you are able to configure your default and unique HTTP servers appropriately. But it's not a big deal if you don't have this enabled. BARE_BYTE ENCODING alert: Uh, here's your problem. In your default server configuration you have 443 as an HTTP server port. 443 is definitely an HTTP port but there's something a little different about it, it's encrypted. So that makes it really hard for snort to correctly decode where the request URI is in the stream of data. The reason you're getting those alerts is because http_inspect probably thinks the request URI is after the first space in the encrypted stream and starts decoding. Some of the encrypted bytes probably look like unicode sequences and *poof* you have a BARE_BYTE ENCODING alert. So take any encrypted HTTP ports (i.e. 443) out of your http_inspect port configuration. I guess we'll add that fact to the documentation notes to make it completely clear. non_rfc_chars, other flags, etc: The non_rfc_char alerts have been an issue and we're taking that out of the default server policies, i.e. apache, iis, all. Which brings us to the issue that you didn't enable many of the flags that you are seeing alerts for. This is because you have enabled a profile, in this case 'all' to be specific. If you look at the documentation it tells you what flags are pre-set for this particular profile. So that's why you're seeing alerts for things that you didn't specifically set. Another tip that's in the documentation is to enable no_alerts in a server configuration. This turns off all http_inspect alerts for that configuration, but still normalizes the traffic so your HTTP rules will alert on the normalized URL. This would have worked great for the BARE_BYTE alerts, but at least now we've fixed the real problem for you. There were some http_inspect alerts (non_rfc_char was the common one) that didn't recognize no_alerts, but these will all be fixed in the 2.1.1 release that's coming up. Thanks for testing out some of the new features. Hopefully, they make a little more sense now. -- Daniel Roelker Software Developer Sourcefire, Inc. ------------------------------------------------------- This SF.net email is sponsored by: Perforce Software. Perforce is the Fast Software Configuration Management System offering advanced branching capabilities and atomic changes on 50+ platforms. Free Eval! http://www.perforce.com/perforce/loadprog.html _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: Problems with snort-2.1.0] Daniel J. Roelker (Jan 13)
- <Possible follow-ups>
- RE: Problems with snort-2.1.0] Schmehl, Paul L (Jan 13)