Snort mailing list archives
Re: perfmonitor pre-processor issues
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 30 Sep 2010 21:11:48 -0400
That was one of my suspicions as well. Let us know what you find out. Good luck.

On Thursday, September 30, 2010, Daniel Shepherd <shepdelacreme () gmail com> wrote:

> Joel,
>
> I can't provide pcaps unfortunately. The conf file was mostly the default 2.9.0 file. The only changes I had made were to define HOME_NET, EXTERNAL_NET, and some of the various DNS, SMTP, etc. variables, as well as to enable the various rules files.
>
> I've investigated a bit further and I don't think the feed I've been given from the network team is sane. It appears to be oversubscribed, and I'm not sure the span is set up properly, in that I'm seeing the same packet multiple times. I'm going to have to try and get a decent feed from the network team and go from there. What they say is true: garbage in, garbage out.
>
> Thanks,
> Dan
>
> On Sep 30, 2010, at 5:48 PM, Joel Esler wrote:
>
>> Is there any way you can provide a snort.conf and a pcap of your network traffic to me privately? Something doesn't sound right.
>>
>> J
>>
>> On Thursday, September 30, 2010, Daniel Shepherd <shepdelacreme () gmail com> wrote:
>>
>>> I am currently running 2.9.0 and am having a lot of preprocessor issues. Alerts for http, stream5, and frag3 needed to be turned off completely because the number of alerts was crushing the machine. The largest offender by far was stream5 with alerts about excessive fragments and "timestamp outside PAWS window". The frag3 engine was giving similar fragmentation alerts.
>>>
>>> With alerting turned off for those three pp's I'm down to the smtp and dcerpc2 pp's sending excessive false positive alerts.
>>>
>>> smtp - attempted command buffer overflow: more than 512 chars
>>> smtp - attempted header name buffer overflow: ### chars before colon
>>>
>>> I call the two above false positives because when looking at the provided payload it appears that the preprocessor is alerting on data in the body of the smtp message. I thought that putting the ignore_data parameter in snort.conf for the smtp pp would stop this but it hasn't.
>>>
>>> dcerpc2 - Connection-oriented DCE/RPC - Invalid major version: ###
>>>
>>> This is supposed to alert when a dcerpc connection is made and the major version is anything but 5, according to the documentation. When I download the payload in pcap format and view it with Wireshark the major version is always correctly identified as 5 though.
>>>
>>> I'm not sure where the problem lies (traffic, hardware, config, etc.) but has anyone dealt with this before? I'd rather not turn off the pp alerts completely but that is kind of where I'm at. Is that what most people do with the preprocessors?
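The thread ends with the suspicion that the SPAN feed is delivering the same packet more than once, which is exactly the kind of input that makes stream5 and frag3 report duplicate segments, PAWS violations and overlapping fragments. Before blaming the preprocessors it is worth measuring the duplication rate directly in a capture. The script below is an added example, not code from the thread or from the Snort project: it parses a classic (non-pcapng) pcap file, hashes each frame, and flags a frame as a SPAN duplicate when a byte-identical frame arrived within a short window (1 ms by default). A genuine TCP retransmission normally carries a new IP ID and so hashes differently; an identical frame arriving microseconds later is what a doubled SPAN or a two-port mirror produces. The sample capture is constructed inline so the script runs offline; `build_pcap`, `fake_frame`, `find_span_duplicates` and the window size are this example's own choices.

```python
import hashlib
import struct
from collections import deque

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1


def build_pcap(packets):
    """Serialize (ts_sec, ts_usec, frame) tuples as a little-endian pcap.
    Only used here to construct the sample capture; real input comes from a file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (index, timestamp_in_microseconds, frame_bytes) for each record."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off, idx = 24, 0
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        yield idx, ts_sec * 1_000_000 + ts_usec, frame
        idx += 1


def find_span_duplicates(data, window_us=1000):
    """Return (total_frames, [(dup_index, original_index, delta_us), ...]).

    A frame counts as a duplicate when a byte-identical frame was seen no more
    than window_us earlier. Assumes records are in capture order (the normal
    case); the deque keeps memory bounded by the window, not the capture size.
    """
    recent = deque()      # (ts, key, idx) in arrival order, pruned by window
    last_seen = {}        # frame hash -> (idx, ts) of the newest identical frame
    dups, total = [], 0
    for idx, ts, frame in iter_pcap(data):
        total += 1
        while recent and ts - recent[0][0] > window_us:
            _old_ts, old_key, old_idx = recent.popleft()
            if last_seen.get(old_key, (None,))[0] == old_idx:
                del last_seen[old_key]
        key = hashlib.blake2b(frame, digest_size=16).digest()
        prev = last_seen.get(key)
        if prev is not None:
            dups.append((idx, prev[0], ts - prev[1]))
        last_seen[key] = (idx, ts)
        recent.append((ts, key, idx))
    return total, dups


def duplicate_ratio(data, window_us=1000):
    """Fraction of frames that are near-simultaneous exact copies of an earlier frame."""
    total, dups = find_span_duplicates(data, window_us)
    return len(dups) / total if total else 0.0


def fake_frame(ip_id, payload):
    """Constructed Ethernet + IPv4 header stand-in (no real TCP layer). The IP ID
    is enough to make a retransmission differ from a mirror-produced copy."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + payload


# Constructed sample capture: two SPAN copies, one real retransmission (new IP ID),
# one identical frame that arrives far outside the window, and one unique frame.
SAMPLE_PCAP = build_pcap([
    (0, 0,      fake_frame(1, b"GET / HTTP/1.0\r\n")),    # 0 original
    (0, 15,     fake_frame(1, b"GET / HTTP/1.0\r\n")),    # 1 SPAN duplicate of 0
    (0, 30,     fake_frame(2, b"GET / HTTP/1.0\r\n")),    # 2 retransmission, not a dup
    (0, 100,    fake_frame(3, b"HELO mail.example\r\n")), # 3 original
    (0, 112,    fake_frame(3, b"HELO mail.example\r\n")), # 4 SPAN duplicate of 3
    (0, 500000, fake_frame(1, b"GET / HTTP/1.0\r\n")),    # 5 identical but 0.5 s later
    (0, 600000, fake_frame(4, b"QUIT\r\n")),              # 6 unique
])

if __name__ == "__main__":
    total, dups = find_span_duplicates(SAMPLE_PCAP)
    print(f"{len(dups)} of {total} frames are near-simultaneous duplicates "
          f"({duplicate_ratio(SAMPLE_PCAP):.1%})")
    for dup_idx, orig_idx, delta in dups:
        print(f"  frame {dup_idx} repeats frame {orig_idx} after {delta} us")
```

On a real capture, read the file with `open(path, "rb").read()` and pass the bytes to `find_span_duplicates`. A duplicate ratio near 50% with sub-millisecond deltas points at a mirror session that sends both ingress and egress of the same link, or two SPAN sources covering the same traffic; a ratio that is small but nonzero is ordinary retransmission noise. Tighten `window_us` if the network has a busy link with legitimate fast retransmits, and remember that `ignore_data`-style preprocessor options cannot fix a feed that is already wrong at the tap.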