Snort mailing list archives
Analyzing SNORT output and Alerts in Kiwi Syslog
From: Matt Lenco <mattlenco () yahoo com>
Date: Wed, 22 Dec 2010 07:33:33 -0800 (PST)
What can be deduced from the data below?
SNORT processed 1400 pcap files pulled from http packet captures on a DMZ.
There were 106 log files; the following recurring sessions appeared in them when opened in Wireshark:
TLSv1 Encrypted Handshake Message, Change Cipher, Encrypted Handshake Message.
TCP TCP Segment of a reassembled PDU.
Kiwi Syslog reported 40 alerts:
- 3 were "Shellcode x86 Setuid 0", Classification: A system call was detected.
- 37 were "Oracle BEA Weblogic Server Plug-Ins Certificate overflow attempt", Classification: Attempted User Privilege Gain.
SNORT Results
===============================================================================
Packet I/O Totals:
Received: 151285415
Analyzed: 151285415 (100.000%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)
Injected: 0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: 151617033 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 151617033 (100.000%)
Frag: 7 ( 0.000%)
ICMP: 0 ( 0.000%)
UDP: 0 ( 0.000%)
TCP: 151617026 (100.000%)
IP6: 0 ( 0.000%)
IP6 Ext: 0 ( 0.000%)
IP6 Opts: 0 ( 0.000%)
Frag6: 0 ( 0.000%)
ICMP6: 0 ( 0.000%)
UDP6: 0 ( 0.000%)
TCP6: 0 ( 0.000%)
Teredo: 0 ( 0.000%)
ICMP-IP: 0 ( 0.000%)
EAPOL: 0 ( 0.000%)
IP4/IP4: 0 ( 0.000%)
IP4/IP6: 0 ( 0.000%)
IP6/IP4: 0 ( 0.000%)
IP6/IP6: 0 ( 0.000%)
GRE: 0 ( 0.000%)
GRE Eth: 0 ( 0.000%)
GRE VLAN: 0 ( 0.000%)
GRE IP4: 0 ( 0.000%)
GRE IP6: 0 ( 0.000%)
GRE IP6 Ext: 0 ( 0.000%)
GRE PPTP: 0 ( 0.000%)
GRE ARP: 0 ( 0.000%)
GRE IPX: 0 ( 0.000%)
GRE Loop: 0 ( 0.000%)
MPLS: 0 ( 0.000%)
ARP: 0 ( 0.000%)
IPX: 0 ( 0.000%)
Eth Loop: 0 ( 0.000%)
Eth Disc: 0 ( 0.000%)
IP4 Disc: 0 ( 0.000%)
IP6 Disc: 0 ( 0.000%)
TCP Disc: 189 ( 0.000%)
UDP Disc: 0 ( 0.000%)
ICMP Disc: 0 ( 0.000%)
All Discard: 189 ( 0.000%)
Other: 0 ( 0.000%)
Bad Chk Sum: 6785 ( 0.004%)
Bad TTL: 0 ( 0.000%)
S5 G 1: 129977 ( 0.086%)
S5 G 2: 201641 ( 0.133%)
Total: 151617033
===============================================================================
Action Stats:
Alerts: 346 ( 0.000%)
Logged: 346 ( 0.000%)
Passed: 0 ( 0.000%)
Match Limit: 0
Queue Limit: 0
Log Limit: 0
Event Limit: 0
Verdicts:
Allow: 151285415 (100.000%)
Block: 0 ( 0.000%)
Replace: 0 ( 0.000%)
Whitelist: 0 ( 0.000%)
Blacklist: 0 ( 0.000%)
Ignore: 0 ( 0.000%)
===============================================================================
Frag3 statistics:
Total Fragments: 7
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
Drops: 0
FragTrackers Added: 7
FragTrackers Dumped: 7
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 7
Frag Nodes Deleted: 7
===============================================================================
Stream5 statistics:
Total sessions: 1859825
TCP sessions: 1859825
UDP sessions: 0
ICMP sessions: 0
TCP Prunes: 1840548
UDP Prunes: 0
ICMP Prunes: 0
TCP StreamTrackers Created: 1890730
TCP StreamTrackers Deleted: 1890730
TCP Timeouts: 50167
TCP Overlaps: 24964
TCP Segments Queued: 7580674
TCP Segments Released: 7580674
TCP Rebuilt Packets: 4038193
TCP Segments Used: 5161142
TCP Discards: 2413732
TCP Gaps: 388467
UDP Sessions Created: 0
UDP Sessions Deleted: 0
UDP Timeouts: 0
UDP Discards: 0
Events: 113115
Internal Events: 0
TCP Port Filter
Dropped: 0
Inspected: 0
Tracked: 151278434
UDP Port Filter
Dropped: 0
Inspected: 0
Tracked: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
POST methods: 21
GET methods: 38434
HTTP Request Headers extracted: 38442
HTTP Request cookies extracted: 18849
Post parameters extracted: 6
HTTP Response Headers extracted: 0
HTTP Response cookies extracted: 0
Unicode: 425
Double unicode: 0
Non-ASCII representable: 4527
Base 36: 0
Directory traversals: 0
Extra slashes ("//"): 34
Self-referencing paths ("./"): 0
HTTP Response Gzip packets extracted: 0
Gzip Compressed Data Processed: n/a
Gzip Decompressed Data Processed: n/a
Total packets processed: 47067632
===============================================================================
dcerpc2 Preprocessor Statistics
Total sessions: 0
===============================================================================
SSL Preprocessor:
SSL packets decoded: 15148326
Client Hello: 2764532
Server Hello: 2410200
Certificate: 599655
Server Done: 4641908
Client Key Exchange: 411885
Server Key Exchange: 1467
Change Cipher: 4518835
Finished: 0
Client Application: 1990154
Server Application: 1235042
Alert: 32749
Unrecognized records: 6209117
Completed handshakes: 0
Bad handshakes: 16439
Sessions ignored: 1232299
Detection disabled: 27270
===============================================================================
Snort exiting
Thanks!
Matt
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
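The question above is what the exit statistics say about the sensor. A parser that turns Snort's "key: value (pct%)" sections into numbers makes that repeatable: once the sections are a dictionary, ratios such as pruned sessions versus tracked sessions, completed SSL handshakes versus Client Hellos, and the gap between alerts Snort logged (346) and alerts the collector received (40) can be checked against thresholds on every run. The block below is an added example, not code from the post or from the Snort project; the sample text is an excerpt constructed from the numbers in the post, and the thresholds in findings() are assumptions chosen for illustration.

```python
"""Parse the per-section statistics Snort 2.x prints on exit and derive a few
sensor-health indicators from them (added example, not code from the post)."""
import re
from typing import Dict, List, Optional

# Constructed excerpt of the statistics in the post above (values copied from
# the post, sections trimmed). Separator lines and the "key: value (pct%)"
# layout follow what Snort prints.
SAMPLE_STATS = """\
===============================================================================
Packet I/O Totals:
Received: 151285415
Analyzed: 151285415 (100.000%)
Dropped: 0 ( 0.000%)
===============================================================================
Action Stats:
Alerts: 346 ( 0.000%)
Logged: 346 ( 0.000%)
Verdicts:
Allow: 151285415 (100.000%)
Block: 0 ( 0.000%)
===============================================================================
Stream5 statistics:
Total sessions: 1859825
TCP sessions: 1859825
TCP Prunes: 1840548
TCP Timeouts: 50167
TCP Gaps: 388467
TCP Port Filter
Dropped: 0
Tracked: 151278434
===============================================================================
SSL Preprocessor:
Client Hello: 2764532
Finished: 0
Bad handshakes: 16439
Completed handshakes: 0
Sessions ignored: 1232299
===============================================================================
"""

# "Key: 123", "Key: 123 ( 0.000%)" or "Key: n/a"; the percentage is ignored.
ENTRY_RE = re.compile(r"^(.+?):\s+(n/a|\d+)(?:\s*\(\s*[\d.]+%\))?$")


def parse_snort_stats(text: str) -> Dict[str, Dict[str, Optional[int]]]:
    """Return {section: {key: int or None}}.

    The line after a run of '=' names the section. A line without a value
    ('Verdicts:', 'TCP Port Filter') becomes a prefix for the keys that follow,
    so repeated names such as 'Dropped' stay distinct within a section.
    """
    sections: Dict[str, Dict[str, Optional[int]]] = {}
    section: Optional[str] = None
    prefix = ""
    expect_header = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"="}:
            expect_header = True
            continue
        if expect_header:
            section = line.rstrip(":")
            sections[section] = {}
            prefix = ""
            expect_header = False
            continue
        m = ENTRY_RE.match(line)
        if m and section is not None:
            key = f"{prefix} {m.group(1)}".strip()
            sections[section][key] = None if m.group(2) == "n/a" else int(m.group(2))
        else:
            prefix = line.rstrip(":")  # sub-header carrying no value of its own
    return sections


def health_report(stats: Dict[str, Dict[str, Optional[int]]],
                  collector_alerts: int) -> Dict[str, float]:
    """Ratios a defender wants on every run; collector_alerts is what the
    syslog server (Kiwi in the post) actually received."""
    io, act = stats["Packet I/O Totals"], stats["Action Stats"]
    s5, ssl = stats["Stream5 statistics"], stats["SSL Preprocessor"]
    return {
        "drop_ratio": io["Dropped"] / io["Received"],
        "tcp_prune_ratio": s5["TCP Prunes"] / s5["TCP sessions"],
        "ssl_completed_ratio": ssl["Completed handshakes"] / ssl["Client Hello"],
        "ssl_bad_handshake_ratio": ssl["Bad handshakes"] / ssl["Client Hello"],
        "alerts_not_in_collector": act["Alerts"] - collector_alerts,
    }


def findings(report: Dict[str, float]) -> List[str]:
    """Turn the ratios into review items. Thresholds are illustrative assumptions."""
    out = []
    if report["drop_ratio"] > 0.0:
        out.append("packets dropped: capture/CPU capacity problem")
    if report["tcp_prune_ratio"] > 0.5:
        out.append("most TCP sessions pruned: Stream5 memcap pressure, reassembly incomplete")
    if report["ssl_completed_ratio"] == 0.0:
        out.append("no completed TLS handshakes seen: encrypted sessions not fully tracked")
    if report["alerts_not_in_collector"] > 0:
        out.append(f"{int(report['alerts_not_in_collector'])} alerts logged by Snort never reached the collector")
    return out


if __name__ == "__main__":
    for item in findings(health_report(parse_snort_stats(SAMPLE_STATS), 40)):
        print("-", item)
```

Run against the numbers in the post, the report flags three items: Stream5 pruned about 99% of its TCP sessions, the SSL preprocessor never recorded a completed handshake, and 306 of the 346 logged alerts are absent from the collector's count. Each of those points at the sensor or its log transport rather than at the two signatures that did arrive, which is where a review of this output should start.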
