Snort mailing list archives
Re: Snort 2.8.6 and gzip decoding functionality not working for me
From: Matt Olney <molney () sourcefire com>
Date: Thu, 6 May 2010 08:57:14 -0400
Guys,

In the latest subscriber rulepack, we have a new recommended configuration. I'm going to go ahead and attach it here, as the intent isn't to restrict access to it; it's just a by-product of our rules publishing process. But as part of that new conf is this stream5 block:

# Target-Based stateful inspection/stream reassembly. For more information, see README.stream5
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
    ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
    161 445 513 514 587 593 691 1433 1521 2100 3306 6665 6666 6667 6668 6669 \
    7000 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
    ports both 80 443 465 563 636 989 992 993 994 995 1220 2301 3128 6907 7702 7777 7779 7801 7900 7901 7902 7903 7904 7905 \
    7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 8000 8008 8028 8080 8180 8888 9999
preprocessor stream5_udp: timeout 180

Let me know if you have any questions on it,
Matt

On Thu, May 6, 2010 at 8:37 AM, Jason Wallace <jason.r.wallace () gmail com> wrote:
Matt and Matt,

"Seems strange that port 80 would be in client only by default"

I noticed that in the snort-2.8.6 config a lot of ports were listed in client only. Is there any guidance you can provide for determining what ports should be both/client/server? For example 22 is in client. Does this affect the ability to disregard encrypted traffic with the ssh preprocessor? I believe that's the case with ssl. How about the netbios ports listed as client and dcerpc2? I would think that for preprocessors dedicated to a type of traffic (http/ssl/dcerpc2/ftp/dns) those ports would need to be in "both" to ensure the preprocessor works correctly. Is this true?

Wally

On Wed, May 5, 2010 at 5:45 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:

Hello. Thanks Matt, that did the trick. I suppose I need to read up on the streams preprocessor now. Seems strange that port 80 would be in client only by default, especially now that gzip decompress is possible with snort. Thanks again.

Cheers.
-L0rd Ch0de1m0rt

On Tue, May 4, 2010 at 4:01 PM, Matt Watchinski <mwatchinski () sourcefire com> wrote:

Looks like you only have 80 on ports client; remove it from there and add it to both. Something like:
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
    ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
    161 445 513 514 587 593 691 1433 1521 2100 3306 6665 6666 6667 6668 6669 \
    7000 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
    ports both 80 443 465 563 636 989 992 993 994 995 1220 2301 3128 6907 7702 7777 7779 7801 7900 7901 7902 7903 7904 7905 \
    7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 8000 8008 8028 8080 8180 8888 9999
preprocessor stream5_udp: timeout 180

Cheers,
-matt

On Tue, May 4, 2010 at 4:31 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:

Matts, thanks for the responses. Using the config options that Watchinski provided yielded the same results as initially described.

Bhagya, I think I have streams enabled; please correct me if I am wrong:

# cat /etc/snort/snort.conf | grep -i -A 10 stream
# Target-Based stateful inspection/stream reassembly. For more information, see README.stream5
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 10, check_session_hijacking, small_segments 3 bytes 150, timeout 180, \
    ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 139 143 110 \
    111 161 445 513 514 691 1220 1433 1521 2100 2301 3128 3306 6665 6666 6667 6668 6669 \
    7000 8000 8080 8180 8888 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
    ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 \
    7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920
preprocessor stream5_udp: timeout 180

# performance statistics.  For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000

# HTTP normalization and anomaly detection.  For more information, see README.http_inspect
# preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480
preprocessor http_inspect_server: server default \
    apache_whitespace no \
    ascii no \

As for pcaps, yes they can be provided, but I have looked into them myself and have confirmed the behaviour described. I am concerned about anonymizing them since the Google JavaScript data may contain PII in the URI and/or cookies. Do you know of a good site that uses gzip without PII that I can use to test and give you pcaps?

Thanks again.

Cheers,
-L0rd Ch0de1m0rt

On Tue, May 4, 2010 at 3:18 PM, Bhagya Bantwal <bbantwal () sourcefire com> wrote:

Turning on stream reassembly might be useful too. Do you have a pcap we could look into?

-B

On Tue, May 4, 2010 at 3:40 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:

Hello. I am experimenting with snort v2.8.6 and hope to benefit from its gzip decoding capabilities. However, I have been unsuccessful so far in getting it to work. I am fetching a JavaScript file from Google and clearly it is encoding it using gzip.
This rule alerts me:

alert tcp any any -> any any (msg:"gzip encoding detected from server"; flow:established,from_server; content:"|0d 0a|Content-Encoding: gzip|0d 0a|"; nocase; classtype:attempted-user; sid:3141591; rev:1;)

BUT this rule does not alert when it is clearly in the gzip decoded data:

alert tcp any any -> any any (msg:"detected on gzip decoded data from Google"; flow:established,from_server; content:"google.isOpera=false"; nocase; classtype:attempted-user; sid:3141592; rev:1;)

I am using the defaults for the gzip portion of the http_inspect preprocessor and the content trying to be matched (google.isOpera=false) is in the first few hundred bytes of the data. Here are my snort.conf http_inspect details:

preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    non_strict \
    oversize_dir_length 500 \
    ports { 80 1220 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 } \
    u_encode yes \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    webroot no \
    extended_response_inspection \
    inspect_gzip

I configured snort with --enable-zlib before I compiled and I get this on snort startup:

Using ZLIB version: 1.2.3.3

What am I doing wrong here? Thanks for any help.
Cheers,
-L0rd Ch0de1m0rt

--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
Attachment:
snort.conf
Description:
------------------------------------------------------------------------------
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
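The fix in this thread was to move port 80 from stream5_tcp "ports client" to "ports both". Per README.stream5, "ports client" only reassembles the client-to-server side of a session, so http_inspect never gets a reassembled server response on that port to run inspect_gzip over, and a content match on decompressed response data (like the sid:3141592 rule above) cannot fire. The following checker is an added example, not code from the thread or from the Snort project: it parses the stream5_tcp and http_inspect_server lines of a snort.conf fragment (joining the backslash continuation lines) and reports every http_inspect port whose server-to-client side stream5 will not reassemble. The two configuration snippets embedded below are copied from the messages above (the original one with 80 in "ports client", and the VRT recommended block with 80 in "ports both"); the function names are my own.

```python
import re
from typing import Dict, List, Set

# http_inspect_server ports, as posted in the thread.
HTTP_INSPECT = r"""
preprocessor http_inspect_server: server default \
    ports { 80 1220 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 } \
    extended_response_inspection \
    inspect_gzip
"""

# The original stream5_tcp block from the thread: 80 is in "ports client" only.
SNORT_CONF_BEFORE = r"""
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 10, check_session_hijacking, small_segments 3 bytes 150, timeout 180, \
    ports client 21 22 23 25 42 53 79 80 109 110 111 113 119 135 136 137 139 143 110 \
    111 161 445 513 514 691 1220 1433 1521 2100 2301 3128 3306 6665 6666 6667 6668 6669 \
    7000 8000 8080 8180 8888 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
    ports both 443 465 563 636 989 992 993 994 995 7801 7702 7900 7901 7902 7903 7904 7905 \
    7906 6907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920
preprocessor stream5_udp: timeout 180
""" + HTTP_INSPECT

# The VRT recommended block from Matt Olney's message: the HTTP ports are in "ports both".
SNORT_CONF_AFTER = r"""
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
    ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
    161 445 513 514 587 593 691 1433 1521 2100 3306 6665 6666 6667 6668 6669 \
    7000 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
    ports both 80 443 465 563 636 989 992 993 994 995 1220 2301 3128 6907 7702 7777 7779 7801 7900 7901 7902 7903 7904 7905 \
    7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 8000 8008 8028 8080 8180 8888 9999
preprocessor stream5_udp: timeout 180
""" + HTTP_INSPECT


def join_continuations(text: str) -> List[str]:
    """Join snort.conf lines that end in a backslash into single logical lines."""
    logical: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            logical.append(buf.strip())
        buf = ""
    if buf.strip():
        logical.append(buf.strip())
    return logical


def stream5_tcp_ports(conf: str) -> Dict[str, Set[int]]:
    """Return the "ports client", "ports server" and "ports both" sets of stream5_tcp."""
    result: Dict[str, Set[int]] = {"client": set(), "server": set(), "both": set()}
    for line in join_continuations(conf):
        if not line.startswith("preprocessor stream5_tcp:"):
            continue
        for option in line.split(":", 1)[1].split(","):
            m = re.match(r"\s*ports\s+(client|server|both)\s+([\d\s]+)$", option)
            if m:
                result[m.group(1)] |= {int(p) for p in m.group(2).split()}
    return result


def http_inspect_ports(conf: str) -> Set[int]:
    """Return the ports { ... } list of the http_inspect_server default server."""
    ports: Set[int] = set()
    for line in join_continuations(conf):
        if line.startswith("preprocessor http_inspect_server:"):
            m = re.search(r"ports\s*\{([\d\s]+)\}", line)
            if m:
                ports |= {int(p) for p in m.group(1).split()}
    return ports


def http_ports_missing_server_reassembly(conf: str) -> Set[int]:
    """http_inspect ports whose server-to-client side stream5 does not reassemble.

    Only "ports both" and "ports server" reassemble the server-to-client stream, so
    an HTTP port that appears in "ports client" alone (or in no list) gives
    http_inspect nothing reassembled to decompress on the response side.
    """
    s5 = stream5_tcp_ports(conf)
    return http_inspect_ports(conf) - (s5["both"] | s5["server"])


if __name__ == "__main__":
    for label, conf in (("before", SNORT_CONF_BEFORE), ("after", SNORT_CONF_AFTER)):
        missing = http_ports_missing_server_reassembly(conf)
        print(f"{label}: HTTP ports without server-side reassembly: {sorted(missing) or 'none'}")
```

Run against the original configuration the checker lists all thirteen http_inspect ports, 80 included, because none of them is in "ports both"; against the VRT recommended block it reports none. The same check applies to the other traffic-specific preprocessors Jason asked about: compare their port lists against the union of "ports both" and "ports server" rather than against "ports client".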
Current thread:
- Snort 2.8.6 and gzip decoding functionality not working for me L0rd Ch0de1m0rt (May 04)
- Re: Snort 2.8.6 and gzip decoding functionality not working for me Matt Olney (May 04)
- Re: Snort 2.8.6 and gzip decoding functionality not working for me Matt Watchinski (May 04)
- Re: Snort 2.8.6 and gzip decoding functionality not working for me Bhagya Bantwal (May 04)
- Re: Snort 2.8.6 and gzip decoding functionality not working for me L0rd Ch0de1m0rt (May 04)
- Re: Snort 2.8.6 and gzip decoding functionality not working for me Matt Watchinski (May 04)
- Re: Snort 2.8.6 and gzip decoding functionality not working for me L0rd Ch0de1m0rt (May 05)
- Re: Snort 2.8.6 and gzip decoding functionality not working for me Jason Wallace (May 06)
- Re: Snort 2.8.6 and gzip decoding functionality not working for me Matt Olney (May 06)
- Re: Snort 2.8.6 and gzip decoding functionality not working for me Nerijus Krukauskas (May 14)
- Re: Snort 2.8.6 and gzip decoding functionality not working for me L0rd Ch0de1m0rt (May 04)