Snort mailing list archives
Re: snort-2.8.2.1 and udp alerts
From: Leon Ward <seclists () rm-rf co uk>
Date: Tue, 24 Jun 2008 16:40:52 +0100
Hi,

Stream 5 tracking UDP, and alerts being generated by UDP, are two different things. Stream 5 is a TCP/UDP connection state tracker; if you look in your rule files you will see many rules associated with the UDP protocol enabled.

If you are only getting UDP events being raised by Snort, this means one of two things:

1) People are doing bad/interesting stuff only with UDP and not with TCP
2) The device you are sniffing with is not being presented with a complete traffic profile.

2 is the most likely. Take a look at the destination of the UDP events: are they broadcast traffic? Have you seen anything unicast (excluding maybe to the interface you're sniffing on)?

Take a look at the output when snort quits (or send it a SIGUSR1 signal). It will show a breakdown of stats, for example:

-snip-
Jun 24 06:36:40 rancid snort[15311]: ETH: 32058 (100.000%)
-snip-
Jun 24 06:36:40 rancid snort[15311]: IP4: 30552 (95.302%)
-snip-
Jun 24 06:36:40 rancid snort[15311]: TCP: 27039 (84.344%)
Jun 24 06:36:40 rancid snort[15311]: UDP: 3233 (10.085%)
Jun 24 06:36:40 rancid snort[15311]: ICMP: 66 (0.206%)
-snip-
Jun 24 06:36:40 rancid snort[15311]: ARP: 1506 (4.698%)
-snip-
Jun 24 06:36:40 rancid snort[15311]: Total: 32058

If Snort isn't seeing TCP traffic, it will be obvious here.

-Leon

On 24 Jun 2008, at 14:45, Alex wrote:
hello snort experts,

I am using snort-2.8.2.1 compiled with mysql support. Currently, snort logs and produces UDP alerts even though it seems that UDP support is disabled in the config file. Starting snort, I can see in the terminal:

[root@ltm ~]# snort -c /etc/snort/snort.conf
...
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: INACTIVE
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Track ICMP sessions: INACTIVE
...
Portscan Detection Config:
    Detect Protocols: TCP UDP ICMP IP
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
...

In snort.conf I can see only 2 lines related to UDP:

preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
    track_udp no

so here, no doubt that UDP is DISABLED, and

preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }

If UDP support is disabled in snort.conf, which line matches and produces the following UDP alerts? I'm not convinced that preprocessor sfportscan will generate them. Can anybody give me a hint?

MS-SQL ping attempt 2008-06-23 17:51:15 192.168.0.139:1052 255.255.255.255:1434 UDP

or

MISC UPnP malformed advertisement 2008-06-23 16:21:10 169.254.209.225:1900 239.255.255.250:1900 UDP

Below comes my entire snort.conf file:

var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH ../preproc_rules
dynamicpreprocessor directory /usr/lib/snort-2.8.2.1_dynamicpreprocessor/
dynamicengine /usr/lib/snort-2.8.2.1_dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
    track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
    encrypted_traffic yes \
    inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
    normalize \
    ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    alt_max_param_len 200 { CWD } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
    telnet_cmds yes \
    data_chan
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds yes
preprocessor smtp: \
    ports { 25 587 691 } \
    inspection_type stateful \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow
preprocessor ssl: noinspect_encrypted
output database: log, mysql, user=snort password=password dbname=snort host=localhost
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules

Regards,
Alx

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
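The two checks Leon suggests (reading the protocol breakdown Snort prints on exit or SIGUSR1, and sorting the alert destinations into broadcast, multicast and unicast) scripted as an added example; this is not code from the thread or from Snort, and the stats and alert lines are constructed from the values quoted above.

```python
import re
import ipaddress

# Constructed sample of Snort's exit statistics, in the syslog shape quoted in
# the thread (the "-snip-" gaps are simply omitted here).
SNORT_STATS = """\
Jun 24 06:36:40 rancid snort[15311]: ETH: 32058 (100.000%)
Jun 24 06:36:40 rancid snort[15311]: IP4: 30552 (95.302%)
Jun 24 06:36:40 rancid snort[15311]: TCP: 27039 (84.344%)
Jun 24 06:36:40 rancid snort[15311]: UDP: 3233 (10.085%)
Jun 24 06:36:40 rancid snort[15311]: ICMP: 66 (0.206%)
Jun 24 06:36:40 rancid snort[15311]: ARP: 1506 (4.698%)
Jun 24 06:36:40 rancid snort[15311]: Total: 32058
"""

# Constructed alert lines in the layout Alex pasted: name, timestamp, src, dst, proto.
ALERTS = [
    "MS-SQL ping attempt 2008-06-23 17:51:15 192.168.0.139:1052 255.255.255.255:1434 UDP",
    "MISC UPnP malformed advertisement 2008-06-23 16:21:10 169.254.209.225:1900 239.255.255.250:1900 UDP",
]

STAT_RE = re.compile(r"snort\[\d+\]: (\w+): (\d+)")

def parse_stats(text):
    """Return {protocol: packet count} from Snort's exit/SIGUSR1 breakdown."""
    return {m.group(1): int(m.group(2)) for m in STAT_RE.finditer(text)}

def traffic_profile_ok(stats, min_tcp_share=0.5):
    """Leon's check: a sensor fed a complete traffic profile sees plenty of TCP.
    Returns (ok, tcp_share); a tiny TCP share means the sensor is probably only
    seeing the segment's broadcast/multicast chatter. The 0.5 threshold is an
    assumption for illustration, tune it to the monitored link."""
    total = stats.get("Total", 0)
    if total == 0:
        return False, 0.0
    share = stats.get("TCP", 0) / total
    return share >= min_tcp_share, round(share, 3)

ALERT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+ (\d+\.\d+\.\d+\.\d+):\d+ (\w+)$")

def classify_destination(alert_line):
    """Label an alert's destination as broadcast, multicast or unicast.
    Only unicast hits between other hosts show the sensor sees real traffic."""
    m = ALERT_RE.search(alert_line)
    if not m:
        return "unparsed"
    dst = ipaddress.ip_address(m.group(2))
    if dst == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    if dst.is_multicast:
        return "multicast"
    return "unicast"
```

Both of Alex's alerts classify as broadcast or multicast, which is exactly the pattern Leon says points at an incomplete traffic feed rather than at Stream5 or sfportscan.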
Current thread:
- snort-2.8.2.1 and udp alerts Alex (Jun 24)
- Re: snort-2.8.2.1 and udp alerts Leon Ward (Jun 24)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Keith (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Keith (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 26)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Leon Ward (Jun 24)