Re: perfmonitor pre-processor issues

[Joel Esler <jesler () sourcefire com>]

That was one of my suspicions as well. Let us know what you find out.
Good luck.

On Thursday, September 30, 2010, Daniel Shepherd
<shepdelacreme () gmail com> wrote:
> Joel,
>
> I can't provide pcaps unfortunately. The conf file was mostly the default 2.9.0 file. The only changes I had made 
> were to define HOME_NET, EXTERNAL_NET, and some of the various DNS,SMTP, etc variables. As well as to enable the 
> various rules files.
>
> I've investigated a bit further and I don't think the feed I've been given from the network team is sane. It appears 
> to be oversubscribed...and I'm not sure the span is setup properly in that I'm seeing the same packet multiple times. 
> I'm going to have to try and get a decent feed from the network team and go from there.
>
> What they say is true...garbage in...garbage out.
>
> Thanks,
> Dan
>
> On Sep 30, 2010, at 5:48 PM, Joel Esler wrote:
>
> > Is there anyway you can provide a snort.conf and a pcap of your
> > network traffic to me privately?
> >
> > Something doesn't sound right.
> >
> > J
> >
> > On Thursday, September 30, 2010, Daniel Shepherd
> > <shepdelacreme () gmail com> wrote:
> > > I am currently running 2.9.0 and am having a lot of preprocessor
> > > issues. Alerts for http, stream5, and frag3 needed to be turned off
> > > completely because the number of alerts was crushing the machine. The
> > > largest offender by far was stream5 with alerts about excessive fragment
> > > and "timestamp outside PAWS window". The
> > > frag3 engine was giving similar fragmentation alerts. With alerting
> > > turned off for those three pp’s I’m down to the smtp and dcerpc2 pp’s
> > > sending excessive false positive alerts.
> > > smtp – attempted command buffer overflow: more than 512 chars
> > > smtp – attempted header name buffer overflow: ### chars before colon
> > > I call the two above false positive because when looking at the
> > > provided payload it appears that the preprocessor is alerting on data in
> > > the body of the smtp message. I thought that putting the ignore_data
> > > parameter in snort.conf for the smtp pp would stop this but it hasn’t.
> > > dcerpc2 – Connection-oriented DCE/RPC – Invalid major version: ###
> > > This is supposed to alert when a dcerpc connection is made and the
> > > major version is anything but 5 according to the documentation. When I
> > > download the payload in pcap format and view it with Wireshark the major
> > > version is always correctly identified as 5 though.
> > > I’m not sure where the problem lies, traffic, hardware, config, etc
> > > but has anyone dealt with this before? I’d rather not turn off the pp
> > > alerts completely but that is kind of where I’m at…is that what most
> > > people do with the preprocessors?

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users