
Re: 2.8.4 and ssh preprocessor


From: Matt Watchinski <mwatchinski () sourcefire com>
Date: Fri, 10 Apr 2009 12:45:35 -0400

Known issue.  The SSH pre-processor is still experimental.

Cheers,
-matt

On Fri, Apr 10, 2009 at 1:13 AM, Nerijus Krukauskas
<nkrukauskas () gmail com> wrote:
Hi,

This concerns the new 2.8.4 snort. If I enable the experimental ssh preprocessor,
then snort never starts. The output is stuck right after the message
about the ssh preprocessor config being used. CPU goes to 100% utilisation. The
snort process can then only be killed with the KILL signal. If the ssh
preprocessor is commented out, then snort starts and runs as it should.

Anyone else with this kind of problem?



Cmd line used to start snort:
/usr/local/bin/snort -K none -o -e -c <config provided below> -X -d -y
-i ${IFACE} ${BPF}


=====Config used=====

# Network/server variables the rule set refers to. Values in angle brackets
# were redacted by the poster; AIM_SERVERS is the only literal list kept.
var HOME_NET [<a couple of networks>]

# Anything outside HOME_NET is treated as external.
var EXTERNAL_NET !$HOME_NET

var DNS_SERVERS [<a few DNS servers>]

var SMTP_SERVERS [<smtp servers>]

# HTTP/telnet/SNMP server lists are the whole home network, so rules keyed
# on these variables cover every internal host rather than a short list.
var HTTP_SERVERS $HOME_NET

var SQL_SERVERS [<sql server>]

var TELNET_SERVERS $HOME_NET

var SNMP_SERVERS $HOME_NET

portvar HTTP_PORTS 80

# Negated port list: every port except 80.
portvar SHELLCODE_PORTS !80

portvar ORACLE_PORTS 1521

var AIM_SERVERS [64.12.0.0/16,205.188.0.0/16]

# Rule directories are given as relative paths; NOTE(review): confirm what
# they resolve against (working directory vs. config location) on this host.
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules

# Engine-wide settings.
# stateful: NOTE(review): presumably requires established-stream context from
# stream5 for detection — confirm against the 2.8.4 manual.
config stateful
# Alert when a protocol header claims more data than was captured.
config enable_decode_oversized_alerts
# Per-packet event queue: hold up to 4 events, log the top 2, ranked by
# rule priority — lower-priority events on a busy packet are dropped.
config event_queue: max_queue 4 log 2 order_events priority
config threshold: memcap 20971520

# Multi-pattern matcher used by the detection engine.
config detection: search-method ac-bnfa

# Shared-object preprocessors, engine and rules are loaded from these
# directories; their contents decide which dynamic preprocessors exist.
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules/

# IP defragmentation: global limits, then per-target policies pulled in from
# three include files (contents not shown here).
preprocessor frag3_global: max_frags 16384, memcap 8192000, prealloc_frags 8192
include $RULE_PATH/../conf/frag3-targets-last.conf
include $RULE_PATH/../conf/frag3-targets-linux.conf
include $RULE_PATH/../conf/frag3-targets-bsd.conf
# Engine with no bind_to: the Windows reassembly policy for hosts not covered
# by the includes above (presumably), with fragment-anomaly alerts enabled.
preprocessor frag3_engine: policy Windows detect_anomalies

# Stream reassembly: track TCP, UDP and ICMP sessions up to the given
# per-protocol session counts; flush the reassembled stream when an alert fires.
preprocessor stream5_global: flush_on_alert, \
                               track_tcp yes, max_tcp 16384,\
                               track_udp yes, max_udp 8192,\
                               track_icmp yes, max_icmp 4096

# TCP policy for the bound network (windows) and, below, for everything else
# (linux). NOTE(review): as posted, the port lists are broken across lines
# without a trailing "\" ("135" / "136 ..." and "995" / "1433 ..."), which
# would not parse — most likely mail-client wrapping; confirm against the
# real file.
preprocessor stream5_tcp: bind_to <network>, policy windows, min_ttl 3,\
                         ports client 21 23 25 42 53 80 110 111 135
136 137 139 143 \
                                      443 445 513 514 992 993 995
1433 1521 2401 3306

# Default (unbound) TCP policy; same client-side port list as above.
preprocessor stream5_tcp: policy linux, min_ttl 3,\
                         ports client 21 23 25 42 53 80 110 111 135
136 137 139 143 \
                                      443 445 513 514 992 993 995
1433 1521 2401 3306

# Short session timeouts (seconds) for the connectionless trackers.
preprocessor stream5_udp: timeout 20

preprocessor stream5_icmp: timeout 20

# HTTP inspection. Global: the IIS unicode map and codepage 1252.
preprocessor http_inspect: global \
   iis_unicode_map $RULE_PATH/unicode.map 1252

# Default server profile on ports 80 and 8080. Only the first 512 bytes of each
# server response are inspected (flow_depth). Every encoding/evasion option is
# "no" and no_alerts suppresses the preprocessor's own alerts, so this profile
# is normalization-only: HTTP evasion attempts will not raise http_inspect
# alerts, only whatever the rules match after normalization.
# NOTE(review): confirm that silencing these alerts is intentional.
preprocessor http_inspect_server: server default \
   ports { 80 8080 } \
   flow_depth 512 \
   base36 no \
   ascii no \
   bare_byte no \
   iis_unicode no \
   double_decode no \
   multi_slash no \
   iis_backslash no \
   directory no \
   apache_whitespace no \
   iis_delimiter no \
   u_encode no \
   utf_8 no \
   chunk_length 64000 \
   non_strict \
   oversize_dir_length 512 \
   no_alerts

# FTP/telnet inspection, stateful; encrypted_traffic yes flags sessions that
# turn encrypted (presumably an alert rather than silent bypass — confirm).
preprocessor ftp_telnet: global \
  encrypted_traffic yes \
  inspection_type stateful

# Telnet: normalize negotiation sequences; alert after 200 consecutive
# "Are You There" commands (a telnet AYT flood).
preprocessor ftp_telnet_protocol: telnet \
  normalize \
  ayt_attack_thresh 200

# FTP server side: parameter-length limits (100 by default, tighter for USER,
# looser for CWD) and per-command syntax checks catch oversized or malformed
# arguments; chk_str_fmt looks for format-string patterns in those commands'
# arguments. data_chan: NOTE(review): this appears to exclude the data channel
# from inspection — confirm that is intended.
preprocessor ftp_telnet_protocol: ftp server default \
  def_max_param_len 100 \
  alt_max_param_len 20 { USER } \
  alt_max_param_len 100 { EPSV } \
  alt_max_param_len 200 { CWD } \
  cmd_validity MODE < char ASBCZ > \
  cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
  chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
  telnet_cmds yes \
  data_chan

# FTP client side: cap response lines at 256 bytes and detect FTP bounce
# (PORT to a third-party address).
preprocessor ftp_telnet_protocol: ftp client default \
  max_resp_len 256 \
  bounce yes \
  telnet_cmds yes

# SMTP inspection on 25/587/691. Message bodies (ignore_data) and anything
# after STARTTLS (ignore_tls_data) are not inspected, so only the command
# dialogue is checked. Command-line length limits, with per-command overrides,
# target overlong-argument attacks; EXPN/VRFY/RCPT are whitespace-normalized
# before checking.
preprocessor smtp: \
 ports { 25 587 691 } \
 inspection_type stateful \
 ignore_data \
 ignore_tls_data \
 max_command_line_len 512 \
 max_response_line_len 512 \
 normalize cmds \
 normalize_cmds { EXPN VRFY RCPT } \
 alt_max_command_line_len 260 { MAIL } \
 alt_max_command_line_len 300 { RCPT } \
 alt_max_command_line_len 500 { HELP HELO ETRN } \
 alt_max_command_line_len 255 { EXPN VRFY }

# Port-scan detection, all protocols and scan types, at the lowest sensitivity.
# Scans from hosts in ignore_scanners and against hosts in ignore_scanned are
# never reported: a blind spot if one of those "hyper active" hosts is itself
# compromised — keep those lists short and reviewed.
preprocessor sfportscan: proto { all } \
                        scan_type { all } \
                        sense_level { low } \
                        memcap { 32768000 } \
                        watch_ip { <our network> } \
                        ignore_scanners { <a few hyper active hosts> } \
                        ignore_scanned { <a few servers hit by heavy traffic> }

# Experimental SSH preprocessor — the block the reporter says makes 2.8.4 spin
# at 100% CPU on startup (acknowledged upstream as a known issue). A sensor
# that never starts is a total detection outage, so keep this commented out
# until a fixed release, and check that startup completes after any change.
# NOTE(review): as posted, "server_ports { 22 }" has no trailing "\", so the
# five option lines below would not be read as part of this directive — most
# likely mail wrapping; confirm against the real file.
# max_encrypted_packets 5: stop inspecting a session after five encrypted
# packets; autodetect: also look for SSH on non-listed ports; the disable_*
# options switch off the protocol-mismatch and payload-size alerts.
preprocessor ssh: server_ports { 22 }
                 max_encrypted_packets 5 \
                 max_client_bytes 16384 \
                 autodetect \
                 disable_protomismatch \
                 disable_paysize


--
http://nk99.org/




-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/


