Snort mailing list archives
Re: snort-2.8.2.1 and udp alerts
From: Leon Ward <seclists () rm-rf co uk>
Date: Tue, 24 Jun 2008 16:40:52 +0100
Hi
Stream 5 tracking UDP, and alerts being generated by UDP are two
different things. Stream 5 is a TCP/UDP connection state tracker, if
you look in your rule files you will see many rules associated with
the UDP protocol enabled.
If you are only getting UDP events being raised by Snort, this means
one of two things.
1) People are doing bad/interesting stuff only with UDP and not with
TCP
2) The device you are sniffing with is not being presented with a
complete traffic profile.
2 is the most likely. Take a look at the destination of the UDP
events, are they broadcast traffic?
Have you seen anything unicast? (excluding maybe to the interface
you're sniffing on).
Take a look at the output when snort quits (or send it a SIGUSR1
signal). It will show a breakdown of stats, for example:
-snip-
Jun 24 06:36:40 rancid snort[15311]: ETH: 32058 (100.000%)
-snip-
Jun 24 06:36:40 rancid snort[15311]: IP4: 30552 (95.302%)
-snip-
Jun 24 06:36:40 rancid snort[15311]: TCP: 27039 (84.344%)
Jun 24 06:36:40 rancid snort[15311]: UDP: 3233 (10.085%)
Jun 24 06:36:40 rancid snort[15311]: ICMP: 66 (0.206%)
-snip-
Jun 24 06:36:40 rancid snort[15311]: ARP: 1506 (4.698%)
-snip-
Jun 24 06:36:40 rancid snort[15311]: Total: 32058
If Snort isn't seeing TCP traffic, it will be obvious here.
-Leon
On 24 Jun 2008, at 14:45, Alex wrote:
hello snort experts,
I am using snort-2.8.2.1 compiled with mysql support. Currently,
snort it logs
and produce UDP alerts even it seems that UDP support is disabled in
config
file.
Starting snort, i can see in terminal:
[root@ltm ~]# snort -c /etc/snort/snort.conf
...
Stream5 global config:
Track TCP sessions: ACTIVE
Max TCP sessions: 8192
Memcap (for reassembly packet storage): 8388608
Track UDP sessions: INACTIVE
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Track ICMP sessions: INACTIVE
...
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Detect Scan Type: portscan portsweep decoy_portscan
distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
...
In snort.conf i can see only 2 lines related to UDP:
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
so here, no doubt that UDP is DISABLED
and
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }
If UDP support is disabled in snort.conf, which line match and
produce the
following UDP alerts? I'm not convinced that preprocessor sfportscan
will
generate it. Can anybody give me a hint?
MS-SQL ping attempt 2008-06-23 17:51:15 192.168.0.139:1052
255.255.255.255:1434 UDP
or
MISC UPnP malformed advertisement 2008-06-23 16:21:10
169.254.209.225:1900
239.255.255.250:1900 UDP
below, comes my entire snort.conf file:
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var AIM_SERVERS
[64.12.24.0
/
23,64.12.28.0
/
23,64.12.161.0
/
24,64.12.163.0
/
24,64.12.200.0
/
24,205.188.3.0
/
24,205.188.5.0
/
24,205.188.7.0
/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH ../preproc_rules
dynamicpreprocessor directory /usr/lib/
snort-2.8.2.1_dynamicpreprocessor/
dynamicengine /usr/lib/snort-2.8.2.1_dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
encrypted_traffic yes \
inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
normalize \
ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
def_max_param_len 100 \
alt_max_param_len 200 { CWD } \
cmd_validity MODE < char ASBCZ > \
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
telnet_cmds yes \
data_chan
preprocessor ftp_telnet_protocol: ftp client default \
max_resp_len 256 \
bounce yes \
telnet_cmds yes
preprocessor smtp: \
ports { 25 587 691 } \
inspection_type stateful \
normalize cmds \
normalize_cmds { EXPN VRFY RCPT } \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 500 { HELP HELO ETRN } \
alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }
preprocessor dcerpc: \
autodetect \
max_frag_size 3000 \
memcap 100000
preprocessor dns: \
ports { 53 } \
enable_rdata_overflow
preprocessor ssl: noinspect_encrypted
output database: log, mysql, user=snort password=password dbname=snort
host=localhost
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
Regards,
Alx
-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------- Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://sourceforge.net/services/buy/index.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- snort-2.8.2.1 and udp alerts Alex (Jun 24)
- Re: snort-2.8.2.1 and udp alerts Leon Ward (Jun 24)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Keith (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Keith (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 26)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Leon Ward (Jun 24)