Snort mailing list archives

Re: Snort 2.8.6 and gzip decoding functionality not working for me


From: Jason Wallace <jason.r.wallace () gmail com>
Date: Thu, 6 May 2010 08:37:57 -0400

Matt and Matt,

"Seems strange that port 80 would be in client only by default"

I noticed that in the snort-2.8.6 config a lot of ports were listed in
client only. Is there any guidance you can provide for determining
what ports should be both/client/server? For example 22 is in client.
Does this affect the ability to disregard encrypted traffic with the
ssh preprocessor? I believe that's the case with ssl. How about the
netbios ports listed as client and dcerpc2? I would think that for
preprocessors dedicated to a type of traffic http/ssl/dcerpc2/ftp/dns
that those ports would need to be in "both" to ensure the preprocessor
works correctly. Is this true?

Wally


On Wed, May 5, 2010 at 5:45 PM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt () gmail com> wrote:
Hello.  Thanks Matt, that did the trick.  I suppose I need to read up
on the streams preprocessor now.  Seems strange that port 80 would be
in client only by default, especially now that gzip decompress is
possible with snort.

Thanks again.

Cheers.

-L0rd Ch0de1m0r

On Tue, May 4, 2010 at 4:01 PM, Matt Watchinski
<mwatchinski () sourcefire com> wrote:
Looks like you only have 80 on ports client, remove it from there and
add it to both.

Something like.

preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
    ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
        161 445 513 514 587 593 691 1433 1521 2100 3306 6665 6666 6667 6668 6669 \
        7000 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
    ports both 80 443 465 563 636 989 992 993 994 995 1220 2301 3128 6907 7702 7777 7779 7801 7900 7901 7902 7903 7904 7905 \
        7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 8000 8008 8028 8080 8180 8888 9999
preprocessor stream5_udp: timeout 180

Cheers,
-matt

On Tue, May 4, 2010 at 4:31 PM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt () gmail com> wrote:
Matts, thanks for the responses.  Using the config options that
Watchinski provided yielded the same results as initially described.
Bhagya, I think I have streams enabled; please correct me if I am
wrong:

# cat /etc/snort/snort.conf | grep -i -A 10 stream
# Target-Based stateful inspection/stream reassembly.  For more
inforation, see README.stream5
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
  overlap_limit 10, check_session_hijacking, small_segments 3 bytes 150, timeout 180, \
  ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 139 143 110 \
     111 161 445 513 514 691 1220 1433 1521 2100 2301 3128 3306 6665 6666 6667 6668 6669 \
     7000 8000 8080 8180 8888 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
  ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 \
     7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920
preprocessor stream5_udp: timeout 180

# performance statistics.  For more information, see the Snort Manual,
Configuring Snort - Preprocessors - Performance Monitor
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000

# HTTP normalization and anomaly detection.  For more information, see
README.http_inspect
# preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480
preprocessor http_inspect_server: server default \
  apache_whitespace no \
  ascii no \

As for pcaps, yes they can be provided but I have looked in to them
myself and have confirmed the behaviour described.  I am concerned
about anonymizing them since the google javascript data may contain
PII in the URI and/or cookies.  Do you know of a good site that uses
gzip without PII that I can use to test and give you pcaps?

Thanks again.

Cheers,

-L0rd Ch0de1m0rt

On Tue, May 4, 2010 at 3:18 PM, Bhagya Bantwal <bbantwal () sourcefire com> wrote:
Turning on stream reassembly might be useful too.

Do you have a pcap we could look into?


-B

On Tue, May 4, 2010 at 3:40 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
wrote:

Hello.  I am experimenting with snort v2.8.6 and hope to benefit from
its gzip decoding capabilities.  However, I have been unsuccessful so
far in getting it to work.  I am fetching a javascript file from
google and clearly it is encoding it using gzip.  This rule alerts me:

alert tcp any any -> any any (msg:"gzip encoding detected from server"; flow:established,from_server; content:"|0d 0a|Content-Encoding: gzip|0d 0a|"; nocase; classtype:attempted-user; sid:3141591; rev:1;)

BUT this rule does not alert when it is clearly in the gzip decoded data:

alert tcp any any -> any any (msg:"detected on gzip decoded data from Google"; flow:established,from_server; content:"google.isOpera=false"; nocase; classtype:attempted-user; sid:3141592; rev:1;)

I am using the defaults for the gzip portion of the http_inspect
preprocessor and the content trying to be matched
(google.isOpera=false) is in the first few hundred bytes of the data.
Here is my snort.conf http_inspect details:

preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
  apache_whitespace no \
  ascii no \
       bare_byte no \
       chunk_length 500000 \
  server_flow_depth 0 \
  client_flow_depth 0 \
  post_depth 65495 \
       directory no \
       double_decode no \
       iis_backslash no \
       iis_delimiter no \
       iis_unicode no \
       multi_slash no \
       non_strict \
       oversize_dir_length 500 \
       ports { 80 1220 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 } \
       u_encode yes \
       non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
       webroot no \
       extended_response_inspection \
       inspect_gzip

I configured snort with --enable-zlib before I compiled and I get this
on snort startup:

Using ZLIB version: 1.2.3.3

What am I doing wrong here?  Thanks for any help.

Cheers,

-L0rd Ch0de1m0rt


------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs







--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/




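The mismatch Matt points out (port 80 listed only under stream5 "ports client", so the server-to-client side that carries the gzip body is never reassembled for http_inspect) can be caught mechanically. The script below is an added example written for this archive page, not code from the thread or from Snort; it parses the stream5_tcp port lists and the http_inspect_server ports block from a constructed snort.conf fragment and reports HTTP ports with no server-side reassembly. It assumes ports are listed explicitly (stream5's built-in default port set is not modelled).

```python
import re

# Constructed snort.conf fragment modelled on the thread (not the poster's real file):
# port 80 is client-only, 8080 is in "both", 8888 is not tracked by stream5 at all.
SNORT_CONF = r"""
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
  overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
  ports client 21 22 23 25 80 110 443, \
  ports both 465 563 8080
preprocessor http_inspect_server: server default \
  ports { 80 8080 8888 } \
  inspect_gzip
"""


def join_continuations(text):
    """Fold backslash-newline continuations so each preprocessor line is one string."""
    return re.sub(r"\\\s*\n\s*", " ", text)


def stream5_ports(conf):
    """Map side ('client'/'server'/'both') -> set of ports from stream5_tcp 'ports' options."""
    sides = {"client": set(), "server": set(), "both": set()}
    for line in join_continuations(conf).splitlines():
        if not line.strip().startswith("preprocessor stream5_tcp:"):
            continue
        for opt in line.split(":", 1)[1].split(","):
            m = re.match(r"\s*ports\s+(client|server|both)\s+([\d\s]+)$", opt)
            if m:
                sides[m.group(1)].update(int(p) for p in m.group(2).split())
    return sides


def http_inspect_ports(conf):
    """Ports named in http_inspect_server 'ports { ... }' blocks."""
    ports = set()
    for line in join_continuations(conf).splitlines():
        if line.strip().startswith("preprocessor http_inspect_server:"):
            m = re.search(r"ports\s*\{([\d\s]+)\}", line)
            if m:
                ports.update(int(p) for p in m.group(1).split())
    return ports


def ports_without_server_reassembly(conf):
    """http_inspect ports whose server->client direction stream5 does not reassemble."""
    s5 = stream5_ports(conf)
    return sorted(http_inspect_ports(conf) - (s5["server"] | s5["both"]))


if __name__ == "__main__":
    print("HTTP ports lacking server-side reassembly:", ports_without_server_reassembly(SNORT_CONF))
```

Run it against a real snort.conf by replacing SNORT_CONF with the file contents; any port it prints is one where a decompressed-body rule like the poster's sid:3141592 cannot fire.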

