Snort mailing list archives
Rules not matching, or matching without logic
From: Vanja Hrustic <vanja () pobox com>
Date: Sat, 19 Nov 2005 12:30:20 +0600
Spent a lot of time fighting with this problem, but I give up. Either it's something very simple, or something horribly wrong.

Basically, there is a clean installation of CentOS 4.2, x86_64 edition. Snort was compiled from source, with prelude support (which is not being used yet, so is not enabled in config). The box Snort is running on is an HP Proliant DL360 G4, with 1GB of RAM, and a Xeon 3.00GHz. HT enabled, SMP kernel used.

eth1 interface is connected to a Catalyst switch (45xx series). Port monitoring works fine, and I can see all kinds of traffic on eth1. eth1 has no IP address assigned. Later on, I tried assigning an IP, but nothing changed. During peak time, there is 20-30Mbit/sec traffic on eth1. Right now, there is around 3Mbit/sec, so traffic load is not an issue.

The problem is that I cannot match the rules as I want. For example, I enable smtp.rules, and then I can end up connecting to the SMTP port on mail servers 100 times and issuing all kinds of EXPN commands. Nothing gets picked up. Then, out of the blue, it will pick up the EXPN rule. And then nothing again. Same with telnet.rules. I try to login as root on a Solaris box, and it nicely tells me "Not on system console". However, snort doesn't pick it up.

I have used tcpdump in order to watch the traffic on eth1 and make sure I really see these events. Indeed, it is all visible in tcpdump, and the traffic is definitely there. snort -dv shows the traffic as well, and I can see the "Not on system console" string coming back.
I've ended up with the following snort.conf file:

-- start paste --
config disable_decode_alerts
#preprocessor flow: stats_interval 0 hash 2
#preprocessor frag3_global: max_frags 65536
#preprocessor frag3_engine: policy linux detect_anomalies
#preprocessor stream4: disable_evasion_alerts
#preprocessor stream4_reassemble
#config stateful
#preprocessor http_inspect: global \
#    iis_unicode_map unicode.map 1252
#preprocessor http_inspect_server: server default \
#    profile all ports { 80 8080 8180 } oversize_dir_length 500
#preprocessor rpc_decode: 111 32771
#preprocessor bo
#preprocessor telnet_decode
#preprocessor sfportscan: proto { all } \
#    memcap { 10000000 } \
#    sense_level { low } \
#    ignore_scanners { 1.2.3.4 }
output alert_syslog: LOG_AUTHPRIV LOG_ALERT
include classification.config
include reference.config
include /opt/snort/rules/test.rules
-- end paste --

test.rules contains 3 lines (sorry about wrapping):

-- start paste --
alert tcp any any -> any any (msg:"TELNET not on console"; flow:from_server,established; content:"not on system console"; nocase; reference:arachnids,365; classtype:bad-unknown; sid:717; rev:6;)
alert tcp any any -> any any (msg:"CRAP"; content:"console"; nocase;)
alert tcp any any -> any any (msg:"TELNET not on console 2"; flow:from_server,established; content:"not on system console"; nocase; classtype:bad-unknown;)
-- end paste --

And no matter how many times I try to login as root to the Solaris box, and get the "not on system console" message, it doesn't get picked up. At the same time, some web traffic gets picked up, which contains the string "WebConsole.html", and triggers the 2nd rule. Then I connect to port 25 on a server, and issue "expn console", but it doesn't get picked up. Nor does logging in as user 'console' on a telnet port get picked up.

I've tried enabling/disabling preprocessors and using various options, but to no avail. Snort won't pick it up, and I can see the traffic and string in tcpdump (and with "snort -dv") without problems.
Preprocessors seem to work ok, though. The http_inspect preprocessor picks up directory traversal attempts. sfportscan picks up various types of portscans. But rules are the problem. If I enable snmp.rules, for example, the log suddenly starts filling with all kinds of SNMP alerts (public, etc.). Snort picks them up nicely.

So, what could possibly be wrong here? Is anyone using Snort on the x86_64 platform? Do they have everything working ok?

Any help is much appreciated. Thanks.
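One thing worth checking when a rule with content that is visibly on the wire never fires is whether the rule options it carries depend on a preprocessor that the config has commented out. The script below is an added illustration, not code from the thread or from Snort: it reads a snort.conf and a rules file (both constructed here, abridged from the pastes above) and lists the rules whose flow option cannot be evaluated because the stream4 preprocessor, which supplies session state to the flow keyword in Snort 2.x, is disabled. The function names and the assumption that flow depends on stream4 are mine.

```python
import re

# Constructed input, abridged from the snort.conf pasted in the post.
SNORT_CONF = """\
config disable_decode_alerts
#preprocessor flow: stats_interval 0 hash 2
#preprocessor stream4: disable_evasion_alerts
#preprocessor stream4_reassemble
#preprocessor sfportscan: proto { all } \\
#    memcap { 10000000 }
output alert_syslog: LOG_AUTHPRIV LOG_ALERT
include /opt/snort/rules/test.rules
"""

# Constructed input, the three rules from test.rules in the post.
TEST_RULES = """\
alert tcp any any -> any any (msg:"TELNET not on console"; flow:from_server,established; content:"not on system console"; nocase; sid:717; rev:6;)
alert tcp any any -> any any (msg:"CRAP"; content:"console"; nocase;)
alert tcp any any -> any any (msg:"TELNET not on console 2"; flow:from_server,established; content:"not on system console"; nocase;)
"""

def active_preprocessors(conf):
    """Names of preprocessors that are enabled, i.e. not commented out."""
    names = set()
    for line in conf.splitlines():
        m = re.match(r"preprocessor\s+(\w+)", line.strip())
        if m:
            names.add(m.group(1))
    return names

def flow_dependent_rules(rules):
    """(msg, flow argument) for every rule that uses the flow keyword."""
    found = []
    for line in rules.splitlines():
        fm = re.search(r"flow:\s*([^;]+);", line)
        if not fm:
            continue
        mm = re.search(r'msg:\s*"([^"]*)"', line)
        found.append((mm.group(1) if mm else "<no msg>", fm.group(1).strip()))
    return found

def rules_that_cannot_fire(conf, rules):
    """msg of each flow-based rule left without session state.
    Assumption (Snort 2.x): the flow keyword needs the stream4 preprocessor."""
    if "stream4" in active_preprocessors(conf):
        return []
    return [msg for msg, _ in flow_dependent_rules(rules)]

if __name__ == "__main__":
    for msg in rules_that_cannot_fire(SNORT_CONF, TEST_RULES):
        print("flow rule without stream4:", msg)
```

The content-only "CRAP" rule is not reported, which matches the post's observation that it is the only one of the three that fires.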