Snort mailing list archives

Re: Rules not triggering


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Wed, 16 Sep 2009 10:02:40 -0600

How about your $EXTERNAL_NET, what is it set to?

-----Original Message-----
From: Gregory.Brunn () compucom com [mailto:Gregory.Brunn () compucom com] 
Sent: Wednesday, September 16, 2009 8:48 AM
To: molney () sourcefire com
Cc: snort-users () lists sourceforge net; Loren.OBrien () compucom com
Subject: Re: [Snort-users] Rules not triggering

The SID I am working on is 

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; nocase; metadata:service http; classtype:attempted-recon; sid:1122; rev:7;)

-----Original Message-----
From: Matt Olney [mailto:molney () sourcefire com] 
Sent: Wednesday, September 16, 2009 10:58 AM
To: Brunn, Gregory (gbrunn)
Cc: OBrien, Loren (lobrien)
Subject: Re: [Snort-users] Rules not triggering

It is a valid construct when you are running the latest version of Snort.  You are two substantial revisions behind 
right now, I'd strongly recommend an upgrade.

What SID are you working on?

Matt Olney

On Wed, Sep 16, 2009 at 9:39 AM,  <Gregory.Brunn () compucom com> wrote:
Hey,

In the snort.conf file it says please note [80,8080] does not work.  Also it says that Portlist must be continuous.

I tried to take this out of the equation by writing a rule with any port however the rule did not fire.

Thank you for all your help and please let me know if there is anything else I can do to troubleshoot the issue.

-Greg

-----Original Message-----
From: Matt Olney [mailto:molney () sourcefire com]
Sent: Wednesday, September 16, 2009 9:57 AM
To: Brunn, Gregory (gbrunn)
Cc: OBrien, Loren (lobrien)
Subject: Re: [Snort-users] Rules not triggering

Don't do that.

On Wed, Sep 16, 2009 at 8:52 AM,  <Gregory.Brunn () compucom com> wrote:
Sorry, the version is 2.6

-----Original Message-----
From: Matt Olney [mailto:molney () sourcefire com]
Sent: Wednesday, September 16, 2009 9:17 AM
To: Brunn, Gregory (gbrunn)
Cc: OBrien, Loren (lobrien)
Subject: Re: [Snort-users] Rules not triggering

If I'm reading your email correctly, item #2 may be your issue.  You
have to define all of your HTTP_PORTS on a single line.  Below are
two separate configuration examples.  The first defines two ports (80
and 8080) and the second defines a single port (80) and a port range
(those ports from 8000 to 8080 inclusive).  Make sure your HTTP_PORTS
directive is correctly formatted.

## portvar HTTP_PORTS [80,8080]
## portvar HTTP_PORTS [80,8000:8080]

Also, if you give me the SID number you're looking at, I might be able to check some additional things.

Matt Olney
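Added example (mine, not code from the thread or from the Snort project): a small Python model of how Snort's var/ipvar/portvar definitions gate a rule header such as the one for SID 1122 above, so you can check whether a flow that the load balancer hands to a private IP on a custom port would even reach the rule's content match. The snort.conf fragments, the 10.x addresses and port 2090 (the value Matt used as an illustration) are constructed; the duplicate-definition check is this script's own lint for the "all ports on one line" advice and does not claim to reproduce what Snort itself does with a second portvar line.

```python
"""Toy model of how Snort rule-header variables gate a rule.

Added example for this thread, not Snort project code. Expands
var/ipvar/portvar lines and evaluates a rule header against one packet.
Conf text, addresses and port 2090 are constructed for illustration.
"""
import ipaddress

VAR_KEYWORDS = ("ipvar", "portvar", "var")


def parse_var_lines(conf_text):
    """Yield (name, value) for every var/ipvar/portvar line, comments stripped."""
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 2)
        if len(parts) == 3 and parts[0] in VAR_KEYWORDS:
            yield parts[1], parts[2].strip()


def duplicate_vars(conf_text):
    """Names defined on more than one line: the lint for 'all ports on one line'."""
    seen, dups = set(), []
    for name, _ in parse_var_lines(conf_text):
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def expand_ports(spec, variables=None):
    """Expand '80', '[80,8080]', '[80,8000:8080]', '$HTTP_PORTS' or 'any'.

    Returns a set of ports, or None for 'any'. Ranges use Snort's lo:hi
    form; an open end ('1024:' or ':1023') runs to the edge of port space.
    """
    variables = variables or {}
    spec = spec.strip()
    if spec.startswith("$"):
        return expand_ports(variables[spec[1:]], variables)
    if spec == "any":
        return None
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if ":" in item:
            lo_s, hi_s = item.split(":", 1)
            lo = int(lo_s) if lo_s else 0
            hi = int(hi_s) if hi_s else 65535
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port item {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def port_matches(spec, port, variables):
    spec = spec.strip()
    if spec.startswith("!"):
        return not port_matches(spec[1:], port, variables)
    allowed = expand_ports(spec, variables)
    return allowed is None or port in allowed


def ip_matches(spec, addr, variables):
    """Evaluate a Snort IP list ('any', CIDR, $VAR, !X, [a,b]) for one address.

    Consequence of HOME_NET any in this model: '!$HOME_NET' matches nothing.
    """
    spec = spec.strip()
    if spec.startswith("!"):
        return not ip_matches(spec[1:], addr, variables)
    if spec.startswith("$"):
        return ip_matches(variables[spec[1:]], addr, variables)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(ip_matches(p, addr, variables) for p in spec[1:-1].split(","))
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def header_matches(header, flow, variables):
    """header like 'tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS';
    flow is one client->server packet as a dict."""
    proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional '->' headers are modelled")
    return (proto == flow["proto"]
            and ip_matches(src, flow["src"], variables)
            and port_matches(sport, flow["sport"], variables)
            and ip_matches(dst, flow["dst"], variables)
            and port_matches(dport, flow["dport"], variables))


# Constructed (hypothetical) snort.conf fragments: the front-end sensor's
# variables copied unchanged to the back-end sensor, and the same file with
# the load balancer's custom port added to HTTP_PORTS on the same line.
FRONTEND_CONF = """
ipvar HOME_NET any
ipvar EXTERNAL_NET any
ipvar HTTP_SERVERS $HOME_NET
portvar HTTP_PORTS [80,8000:8080]
"""
BACKEND_CONF_FIXED = FRONTEND_CONF.replace("[80,8000:8080]", "[80,2090,8000:8080]")
RULE_HEADER = "tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS"
# Hypothetical packet as the back-end sensor sees it: load balancer -> server:2090
BACKEND_FLOW = {"proto": "tcp", "src": "10.1.1.1", "sport": 40001,
                "dst": "10.0.0.5", "dport": 2090}


def diagnose(conf_text, flow=BACKEND_FLOW, header=RULE_HEADER):
    """True if the header lets this flow through to the content match."""
    return header_matches(header, flow, dict(parse_var_lines(conf_text)))


if __name__ == "__main__":
    print("duplicate vars:", duplicate_vars(FRONTEND_CONF))
    print("front-end vars on back-end sensor:", diagnose(FRONTEND_CONF))
    print("HTTP_PORTS with 2090 added:       ", diagnose(BACKEND_CONF_FIXED))
```

Run it against the real variable block of each sensor's snort.conf before looking at stream reassembly: if `diagnose` is False for the packet tcpdump shows on the back-end sensor, the header never let the rule see the payload and the content match is irrelevant. The same function also exposes Shawn's question below: in this model a negated variable such as `!$HOME_NET` with `HOME_NET any` matches no address at all, which is worth verifying in the real config before trusting an EXTERNAL_NET of that form.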

On Wed, Sep 16, 2009 at 8:09 AM,  <Gregory.Brunn () compucom com> wrote:
Thanks for the information.

1) I have yet to verify this, however the custom rule would have
triggered if I removed the connection established statement, correct?

2) The custom port is defined in HTTP_PORTS.  The HOME_NET and
EXTERNAL_NET are set to ANY ANY. Should this be changed? What is the
correct way to define custom http_ports in v. 2.8? Is it one after
each other, correct?

Ex.
HTTP_PORTS XXX
HTTP_PORTS XXXX

3) I have verified that the traffic is being seen on the backend
sensor and that the actual content is in the payload, however the
rule does not trigger.  This is the only reason I am thinking that
the reassembly may be the source.

Is there any way to actually troubleshoot Snort's stream reassembly?

Thank you very much for all your help and I am a huge fan of snort.

-----Original Message-----
From: Matt Olney [mailto:molney () sourcefire com]
Sent: Wednesday, September 16, 2009 8:08 AM
To: Brunn, Gregory (gbrunn)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rules not triggering

Two things:

1)  Even though the load balancer may be handling "A" 3-way 
handshake on the front end, a 3-way handshake still has to occur to 
the server in the back.  A web server, for example, still needs to 
see an established tcp connection on a listening port before it will reply.

2)  "private ip custom port" gets my attention, as most Snort rules 
are port specific.  If your load balancer is passing web traffic to 
port 2090 and you haven't modified your HTTP_PORTS variable then 
you'll miss the traffic.  You might also want to ensure that your 
HOME_NET and EXTERNAL_NET variables are set correctly for the backend environment.

3)  The stream reassembly issue is something to think about, but 
most likely this is not a concern.  The load balancer installations 
I've seen pass a complete tcp session across to one server, so your 
back end sensor should still see what it needs to see.

After all of that, I'd do a pcap on the snort sensor itself looking 
at the traffic.  This should answer most of the questions you have.

Matt Olney

On Wed, Sep 16, 2009 at 6:13 AM,  <Gregory.Brunn () compucom com> wrote:
All,

I am currently running into a problem with a sensor that is behind 
a load balancer not triggering on alerts that our sensor in front 
of load balancer is triggering on.

I have been told by device owners that the load balancer does not
alter the traffic in any way, however I cannot trust this
information because after doing a tcpdump on both devices the
amount of traffic for the same crafted attack is doubled on the inside sensor.

Also I have checked using tcpdump output in hex that the content
of what I am sending is coming through.

Also this load balancer is trading the public ip to a private ip 
custom port.

I have double checked our snort configuration I have found nothing 
that might flag why this is happening.

I have double checked the rule and the specific rule and it has the 
statement

flow:to_server,established;

My thought was that because the load balancer appears to be
handling the 3 way handshake and passing the traffic back to the
private IPs the rule would never trigger, so I wrote a custom rule
and removed this condition, however I could not get the new rule to trigger.

I wanted to see if anyone else was having this problem or is it 
possible that the fact the load balancer is doubling the traffic 
messing up the way snort reassembles packets.

Any suggestions or help are greatly appreciated as I have spent a 
lot of time on the issue.

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users