Snort mailing list archives

Rules not matching, or matching without logic


From: Vanja Hrustic <vanja () pobox com>
Date: Sat, 19 Nov 2005 12:30:20 +0600

Spent a lot of time fighting with this problem, but I give up. Either it's
something very simple, or something horribly wrong.

Basically, there is a clean installation of CentOS 4.2, x86_64 edition.
Snort was compiled from source, with prelude support (which is not
being used yet, so is not enabled in config). The box Snort is running
on is HP Proliant DL360 G4, with 1GB of RAM, and Xeon 3.00GHz. HT
enabled, SMP kernel used.

eth1 interface is connected to Catalyst switch (45xx series). Port
monitoring works fine, and I can see all kinds of traffic on eth1. eth1
has no IP address assigned. Later on, I tried assigning an IP, but
nothing changed.

During peaktime, there is 20-30Mbit/sec traffic on the eth1. Right now,
there is around 3Mbit/sec, so traffic load is not an issue.

Problem is that I cannot match the rules as I want.

For example, I enable smtp.rules, and then I can end up connecting to the
SMTP port on mail servers 100 times and issuing all kinds of EXPN
commands. Nothing gets picked up. Then, out of the blue, it will pick up the
EXPN rule. And then nothing again.

Same with telnet.rules. I try to log in as root on a Solaris box, and
it nicely tells me "Not on system console". However, snort doesn't pick
it up.

I have used tcpdump in order to watch the traffic on eth1 and make sure
I really see these events. Indeed, it is all visible in tcpdump, and the
traffic is definitely there.

snort -dv shows the traffic as well, and I can see "Not on system
console" string coming back.

I've ended up with the following snort.conf file:

-- start paste --
config disable_decode_alerts

#preprocessor flow: stats_interval 0 hash 2
#preprocessor frag3_global: max_frags 65536
#preprocessor frag3_engine: policy linux detect_anomalies
#preprocessor stream4: disable_evasion_alerts
#preprocessor stream4_reassemble
#config stateful
#preprocessor http_inspect: global \
#    iis_unicode_map unicode.map 1252
#preprocessor http_inspect_server: server default \
#    profile all ports { 80 8080 8180 } oversize_dir_length 500
#preprocessor rpc_decode: 111 32771
#preprocessor bo
#preprocessor telnet_decode
#preprocessor sfportscan: proto  { all } \
#                         memcap { 10000000 } \
#                         sense_level { low } \
#                         ignore_scanners { 1.2.3.4 }

output alert_syslog: LOG_AUTHPRIV LOG_ALERT

include classification.config
include reference.config

include /opt/snort/rules/test.rules
-- end paste --

test.rules contains 3 lines (sorry about wrapping):

-- start paste --
alert tcp any any -> any any (msg:"TELNET not on console"; flow:from_server,established; content:"not on system console"; nocase; reference:arachnids,365; classtype:bad-unknown; sid:717; rev:6;)

alert tcp any any -> any any (msg:"CRAP"; content:"console"; nocase;)

alert tcp any any -> any any (msg:"TELNET not on console 2"; flow:from_server,established; content:"not on system console"; nocase; classtype:bad-unknown;)
-- end paste --

And no matter how many times I try to login as root to Solaris box, and
get "not on system console" message - it doesn't get picked up.

At the same time, some web traffic gets picked up, which contains the
string "WebConsole.html", and triggers the 2nd rule. Then I connect to
port 25 on a server, and issue "expn console" - but it doesn't get
picked up. Nor does logging in as user 'console' on a telnet port get
picked up.

I've tried enabling/disabling preprocessors and using various options,
but to no avail. Snort won't pick it up, and I can see the traffic and
string in tcpdump (and with "snort -dv") without problems.

Preprocessors seem to work ok, though. The http_inspect preprocessor picks
up directory traversal attempts. sfportscan picks up various types of
portscans. But rules are the problem.

If I enable snmp.rules, for example, log suddenly starts filling with
all kinds of SNMP alerts (public, etc.). Snort picks them up nicely.

So, what could possibly be wrong here?

Is anyone using Snort on x86_64 platform? Do they have everything
working ok?

Any help is much appreciated.

Thanks. 
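Added example, not part of the original post and not code from the Snort project: a small Python script that parses the three posted test.rules lines (joined back onto one line each), applies their content/nocase matching to two constructed payloads (a Solaris telnet reply and an HTTP request naming WebConsole.html, both made up here), and flags which rules carry flow: options. It assumes Snort 2.x behaviour in which flow checks such as established and from_server are resolved from per-packet flags that the stream4 preprocessor sets, so with stream4 commented out as in the posted snort.conf those rules cannot fire whatever the payload. The names TEST_RULES, TELNET_REPLY, HTTP_REQUEST and the functions below are the script's own. It is a triage aid for the posted configuration, not a model of Snort's detection engine, and it does not explain why the content-only "CRAP" rule missed the telnet traffic in the post.

```python
"""Triage helper for Snort 2.x rules: which posted rules depend on stream4?

Assumption (Snort 2.x): 'flow:' options (established, from_server, ...) are
evaluated against packet flags set by the stream4 preprocessor, so a rule
carrying 'flow:' cannot match while stream4 is disabled in snort.conf.
"""
import re

# Rule header: action proto src sport -> dst dport (options)
HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# The three rules from the post, one per line (wrapping undone).
TEST_RULES = """\
alert tcp any any -> any any (msg:"TELNET not on console"; flow:from_server,established; content:"not on system console"; nocase; reference:arachnids,365; classtype:bad-unknown; sid:717; rev:6;)
alert tcp any any -> any any (msg:"CRAP"; content:"console"; nocase;)
alert tcp any any -> any any (msg:"TELNET not on console 2"; flow:from_server,established; content:"not on system console"; nocase; classtype:bad-unknown;)
"""

# Constructed sample payloads (not captured traffic from the post).
TELNET_REPLY = b"Not on system console\r\nLogin incorrect\r\n"
HTTP_REQUEST = b"GET /WebConsole.html HTTP/1.0\r\nHost: intranet\r\n\r\n"


def split_options(opts):
    """Split the option body on ';' while leaving quoted strings intact."""
    out, buf, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            out.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        out.append(tail)
    return out


def parse_content(value):
    """Decode a Snort content string: outer quotes removed, |hh hh| runs are raw bytes."""
    value = value.strip().strip('"')
    out = bytearray()
    for i, piece in enumerate(value.split("|")):
        out += bytes.fromhex(piece) if i % 2 == 1 else piece.encode("latin-1")
    return bytes(out)


def parse_rule(line):
    """Parse one rule into a dict; only the options this triage needs are kept."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a rule: " + line)
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")}
    rule.update(msg="", sid=None, flow=set(), contents=[])
    for opt in split_options(m.group("opts")):
        key, _, val = opt.partition(":")
        key = key.strip()
        if key == "msg":
            rule["msg"] = val.strip().strip('"')
        elif key == "sid":
            rule["sid"] = int(val)
        elif key == "flow":
            rule["flow"] = {f.strip() for f in val.split(",")}
        elif key == "content":
            rule["contents"].append({"bytes": parse_content(val), "nocase": False})
        elif key == "nocase":  # modifier applies to the preceding content
            rule["contents"][-1]["nocase"] = True
    return rule


def load_rules(text):
    """Parse a rules file body, skipping blank lines and comments."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def needs_stream(rule):
    """True when the rule has flow: options and therefore relies on stream4."""
    return bool(rule["flow"])


def content_matches(rule, payload):
    """Every content: in the rule must occur in payload (case-folded when nocase)."""
    for c in rule["contents"]:
        hay, needle = payload, c["bytes"]
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def evaluate(rule, payload, stream4):
    """Would the rule fire on this payload, given whether stream4 is enabled?"""
    if needs_stream(rule) and not stream4:
        return False
    return content_matches(rule, payload)


def triage(rules, samples, stream4):
    """Map each rule's msg to the sample names it would fire on."""
    return {r["msg"]: [name for name, p in samples.items() if evaluate(r, p, stream4)]
            for r in rules}


if __name__ == "__main__":
    rules = load_rules(TEST_RULES)
    samples = {"telnet": TELNET_REPLY, "http": HTTP_REQUEST}
    for state in (False, True):
        print(f"stream4 enabled={state}")
        for msg, hits in triage(rules, samples, state).items():
            print(f"  {msg!r:28} fires on: {hits or '-'}")
```

Run against the posted rules, only the content-only "CRAP" rule can fire while stream4 is commented out; both "not on system console" rules are gated on flow:from_server,established. To confirm against the real engine rather than this script, capture the telnet login with tcpdump -i eth1 -s 0 -w telnet.pcap port 23 and replay it offline with snort -c snort.conf -r telnet.pcap -A console, once with the stream4 lines commented out and once with them enabled; the offline replay removes timing and span-port effects from the comparison.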

