Snort mailing list archives

Re: data from multiple sessions in one alert/packet


From: nikns <nikns () secure lv>
Date: Thu, 18 May 2006 00:52:47 +0300

I had an identical issue. You are probably dropping packets.

Short answer is:
"There is a config parameter in Stream4 to help address that.
On the stream4_reassemble line, add "zero_flushed_packets".
This will cause Stream4 to zero out the memory of the
rebuilt packet before copying in the new data.  So, when
packets are missing from the middle of the rebuilt packet,
you'll get 0x00 in those bytes, rather than whatever was
there from the previous rebuild." <c> Steven


nikns

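An added example (written for this thread, not Snort's own code) that models the stale-data bleed Steven describes: a rebuild buffer reused across flushes is filled from a session with a missing middle segment, once without and once with zeroing, and the gap is then checked for bytes left over from the previous session. All names and the two HTTP sessions are constructed.

```c
#include <string.h>

/* Constructed model of a Stream4-style rebuild buffer that is reused across
 * flushes (example code, not Snort's own). */
static unsigned char rebuilt[64];

struct segment { size_t offset; const char *data; };   /* stream offset, payload */

/* Rebuild one stream. A gap (missing segment) leaves its byte range untouched
 * unless zero_flushed is set, which models zero_flushed_packets. */
size_t rebuild_stream(const struct segment *segs, size_t nsegs, int zero_flushed)
{
    size_t copied = 0;
    if (zero_flushed)
        memset(rebuilt, 0, sizeof rebuilt);   /* clear stale data first */
    for (size_t i = 0; i < nsegs; i++) {
        size_t len = strlen(segs[i].data);
        if (segs[i].offset + len > sizeof rebuilt)
            continue;                         /* drop segments past the buffer */
        memcpy(rebuilt + segs[i].offset, segs[i].data, len);
        copied += len;
    }
    return copied;
}

/* Count non-zero bytes in [lo, hi): in a gap these are leftovers from an
 * earlier rebuild. */
size_t stale_bytes(size_t lo, size_t hi)
{
    size_t n = 0;
    for (size_t i = lo; i < hi && i < sizeof rebuilt; i++)
        if (rebuilt[i] != 0)
            n++;
    return n;
}

/* Two constructed sessions: the first is complete, the second lost its
 * middle segment (bytes 16..31), as happens when the sensor drops packets.
 * Returns how many bytes of the first session leak into the second. */
size_t leaked_bytes(int zero_flushed)
{
    struct segment first[] = {
        {0, "GET /index.html "}, {16, "HTTP/1.0\r\nHost: "}, {32, "a.example\r\n\r\n"}};
    struct segment second[] = {{0, "GET /login.php H"}, {32, "b.example\r\n\r\n"}};
    rebuild_stream(first, 3, zero_flushed);
    rebuild_stream(second, 2, zero_flushed);
    return stale_bytes(16, 32);
}
```

Without zeroing, the whole 16-byte gap of the second session still carries the first session's bytes, which is how one alert ends up showing pieces of two conversations.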

On Wed, May 17, 2006 at 05:26:21PM -0400, Jon Hart wrote:
Hello,

The weird behavior I'm seeing is what appears to be multiple HTTP
requests (sometimes the src<->dest is the same, others not) in the same
alert.  

Someone in #snort asked if I was behind a proxy server and, yes, the
bulk of our inbound traffic is handled by Akamai.  I can't find any
specific examples, but I swear I saw alerts where some of the traffic
came from Akamai and others did not.

What is even weirder is that, today, I saw an alert that contained portions
of two distinct conversations, but one was headed inbound and the other
was headed outbound.  Aside from the general weirdness of this, I had
just recently switched my $HOME_NET to 'any'.

This is snort 2.4.4, running Red Hat Enterprise Linux ES release
4 (Nahant Update 1) with kernel 2.6.9-11.ELsmp (not my choice).  My
config is more or less stock:

var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var SSH_PORTS 22
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH ./rules
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
  iis_unicode_map unicode.map 1252 
preprocessor http_inspect_server: server default \
  profile all ports { 80 8080 8180 } oversize_dir_length 500 \
  no_alerts
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor xlink2state: ports { 25 691 }
output database: log, mysql, user=snort \
  password=ffffff dbname=snort host=localhost sensor_name=edge


And snort is started as follows:

snort -u snort -g snort -i bond0 -c /usr/local/stow/snort/etc/snort.conf -D -eyo

(I have a pass rule to filter out a particularly false-positive prone
URL, hence the -o)

Any ideas?

-jon


-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

