Snort mailing list archives
Analyzing SNORT output and Alerts in Kiwi Syslog
From: Matt Lenco <mattlenco () yahoo com>
Date: Wed, 22 Dec 2010 07:33:33 -0800 (PST)
What can be deduced from the data below? SNORT processed 1400 pcap files pulled from http packet captures on a DMZ. There were 106 log files, where the following files had these recurring sessions appearing when opened in Wireshark:

    TLSv1: Encrypted Handshake Message, Change Cipher, Encrypted Handshake Message
    TCP:   TCP Segment of a reassembled PDU

Kiwi syslog reported 40 Alerts:

    3 were "Shellcode x86 Setuid 0" (Classification: A system call was detected).
    37 were "Oracle BEA Weblogic Server Plug-Ins Certificate overflow attempt" (Classification: Attempted User Privilege Gain).

SNORT Results

===============================================================================
Packet I/O Totals:
   Received:    151285415
   Analyzed:    151285415 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:    151617033 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:    151617033 (100.000%)
       Frag:            7 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:    151617026 (100.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
      EAPOL:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:          189 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:          189 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:         6785 (  0.004%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:       129977 (  0.086%)
     S5 G 2:       201641 (  0.133%)
      Total:    151617033
===============================================================================
Action Stats:
     Alerts:          346 (  0.000%)
     Logged:          346 (  0.000%)
     Passed:            0 (  0.000%)
Match Limit:            0
Queue Limit:            0
  Log Limit:            0
Event Limit:            0
Verdicts:
      Allow:    151285415 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
Frag3 statistics:
        Total Fragments: 7
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
                  Drops: 0
     FragTrackers Added: 7
    FragTrackers Dumped: 7
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 7
     Frag Nodes Deleted: 7
===============================================================================
Stream5 statistics:
            Total sessions: 1859825
              TCP sessions: 1859825
              UDP sessions: 0
             ICMP sessions: 0
                TCP Prunes: 1840548
                UDP Prunes: 0
               ICMP Prunes: 0
TCP StreamTrackers Created: 1890730
TCP StreamTrackers Deleted: 1890730
              TCP Timeouts: 50167
              TCP Overlaps: 24964
       TCP Segments Queued: 7580674
     TCP Segments Released: 7580674
       TCP Rebuilt Packets: 4038193
         TCP Segments Used: 5161142
              TCP Discards: 2413732
                  TCP Gaps: 388467
      UDP Sessions Created: 0
      UDP Sessions Deleted: 0
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 113115
           Internal Events: 0
           TCP Port Filter
                   Dropped: 0
                 Inspected: 0
                   Tracked: 151278434
           UDP Port Filter
                   Dropped: 0
                 Inspected: 0
                   Tracked: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         21
    GET methods:                          38434
    HTTP Request Headers extracted:       38442
    HTTP Request cookies extracted:       18849
    Post parameters extracted:            6
    HTTP Response Headers extracted:      0
    HTTP Response cookies extracted:      0
    Unicode:                              425
    Double unicode:                       0
    Non-ASCII representable:              4527
    Base 36:                              0
    Directory traversals:                 0
    Extra slashes ("//"):                 34
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 0
    Gzip Compressed Data Processed:       n/a
    Gzip Decompressed Data Processed:     n/a
    Total packets processed:              47067632
===============================================================================
dcerpc2 Preprocessor Statistics
  Total sessions: 0
===============================================================================
SSL Preprocessor:
   SSL packets decoded: 15148326
          Client Hello: 2764532
          Server Hello: 2410200
           Certificate: 599655
           Server Done: 4641908
   Client Key Exchange: 411885
   Server Key Exchange: 1467
         Change Cipher: 4518835
              Finished: 0
    Client Application: 1990154
    Server Application: 1235042
                 Alert: 32749
  Unrecognized records: 6209117
  Completed handshakes: 0
        Bad handshakes: 16439
      Sessions ignored: 1232299
    Detection disabled: 27270
===============================================================================
Snort exiting

Thanks!
Matt
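A small parser for the end-of-run summary Matt pasted, added here as an example; it is neither part of the post nor Snort's own code. It reads the "label: count" lines section by section and derives the figures a reviewer would check before trusting the alert picture in Kiwi: packet drop rate, alerts logged by Snort versus the 40 that reached the syslog server, and the SSL bad-handshake and TCP-gap ratios. The embedded excerpt is a constructed subset of the output above, with the figures copied from the message.

```python
import re

# Excerpt of the Snort end-of-run summary from the post above (constructed
# sample: the figures are copied from the message so the checks run offline).
SNORT_SUMMARY = """\
Packet I/O Totals:
   Received:    151285415
   Analyzed:    151285415 (100.000%)
    Dropped:            0 (  0.000%)
===============================================================================
Action Stats:
     Alerts:          346 (  0.000%)
     Logged:          346 (  0.000%)
===============================================================================
Stream5 statistics:
            Total sessions: 1859825
                  TCP Gaps: 388467
===============================================================================
SSL Preprocessor:
   SSL packets decoded: 15148326
        Bad handshakes: 16439
  Completed handshakes: 0
"""

# "<label>: <count>" or "<label>: n/a"; a trailing "(x.xxx%)" is ignored.
COUNTER = re.compile(r"^\s*(?P<key>[A-Za-z0-9 /()-]+?):\s+(?P<val>\d+|n/a)\b")


def parse_snort_summary(text):
    """Return {section: {label: int or None}} from Snort's exit statistics.
    Sub-blocks that repeat a label (the TCP/UDP Port Filter 'Dropped' lines)
    are not distinguished: the last occurrence wins."""
    stats, section = {}, None
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            val = m.group("val")
            stats.setdefault(section, {})[m.group("key")] = None if val == "n/a" else int(val)
        elif line.rstrip().endswith(":"):        # section header, e.g. "Action Stats:"
            section = line.strip()[:-1]
    return stats


def health_checks(stats, syslog_alerts):
    """Indicators to read before interpreting what the syslog server shows."""
    io, act = stats["Packet I/O Totals"], stats["Action Stats"]
    s5, ssl = stats["Stream5 statistics"], stats["SSL Preprocessor"]
    return {
        "drop_pct": 100.0 * io["Dropped"] / io["Received"],                  # did the sensor keep up?
        "alerts_not_in_syslog": act["Logged"] - syslog_alerts,               # 346 logged vs 40 seen in Kiwi
        "ssl_bad_handshake_pct": 100.0 * ssl["Bad handshakes"] / ssl["SSL packets decoded"],
        "tcp_gaps_per_session": s5["TCP Gaps"] / s5["Total sessions"],       # missing segments per session
    }


if __name__ == "__main__":
    print(health_checks(parse_snort_summary(SNORT_SUMMARY), syslog_alerts=40))
```

A large positive `alerts_not_in_syslog` means the alert stream between Snort and Kiwi (output plugin, transport, or Kiwi filtering) needs checking before the 40 alerts are read as the full picture.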