Snort not logging all alerts in pcap (was Oddness with 16295)

["Lay, James" <james.lay () wincofoods com>]

OK so now I'm sure there's an issue.  Below are more
examples...everything is fine until alert timestamps
11/11-10:38:38.577756 and 11/11-10:38:38.818757...they are simply not
there in the corresponding pcap file.  My settings are as follows:

 

output alert_fast: internetalert.fast

output log_tcpdump: internettcpdump.pcap

 

Any reason some packets aren't getting logged in the pcap file?  Any
pointers would be excellent.

 

James  

 

[10:45:48 jlay@goids:~/log$] sudo tail -n 20 internetalert.fast

11/11-10:26:15.284212  [**] [1:2008418:4] ET POLICY Metasploit Framework
Update [**] [Classification: Misc activity] [Priority: 3] {TCP}
216.75.1.230:443 -> 10.21.0.9:53302

11/11-10:27:41.141234  [**] [1:15306:4] WEB-CLIENT Portable Executable
binary file transfer [**] [Classification: Misc activity] [Priority: 3]
{TCP} 68.142.93.133:80 -> 10.21.0.16:62912

11/11-10:27:58.026044  [**] [1:2406512:194] ET RBN Known Russian
Business Network IP TCP (257) [**] [Classification: Misc Attack]
[Priority: 2] {TCP} 10.21.0.16:62962 -> 85.17.84.214:80

11/11-10:30:04.970609  [**] [119:14:1] (http_inspect) NON-RFC DEFINED
CHAR [**] [Priority: 3] {TCP} 10.21.0.16:63283 -> 199.7.50.72:80

11/11-10:30:36.362238  [**] [1:15362:1] WEB-CLIENT obfuscated javascript
excessive fromCharCode - potential attack [**] [Classification: Misc
activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:63388

11/11-10:30:44.274148  [**] [1:15362:1] WEB-CLIENT obfuscated javascript
excessive fromCharCode - potential attack [**] [Classification: Misc
activity] [Priority: 3] {TCP} 66.150.28.142:80 -> 10.21.0.16:63427

11/11-10:32:33.810911  [**] [1:15362:1] WEB-CLIENT obfuscated javascript
excessive fromCharCode - potential attack [**] [Classification: Misc
activity] [Priority: 3] {TCP} 64.75.15.140:80 -> 10.21.10.225:59450

11/11-10:34:04.413890  [**] [119:14:1] (http_inspect) NON-RFC DEFINED
CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64094 -> 173.204.52.197:80

11/11-10:35:42.820754  [**] [1:15362:1] WEB-CLIENT obfuscated javascript
excessive fromCharCode - potential attack [**] [Classification: Misc
activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:64404

11/11-10:35:49.670676  [**] [1:15362:1] WEB-CLIENT obfuscated javascript
excessive fromCharCode - potential attack [**] [Classification: Misc
activity] [Priority: 3] {TCP} 66.150.28.142:80 -> 10.21.0.16:64432

11/11-10:38:00.626191  [**] [1:2406512:194] ET RBN Known Russian
Business Network IP TCP (257) [**] [Classification: Misc Attack]
[Priority: 2] {TCP} 10.21.0.16:64881 -> 85.17.84.212:80

11/11-10:38:38.577756  [**] [1:17487:1] WEB-CLIENT Microsoft Internet
Explorer Script Engine Stack Exhaustion Denial of Service attempt [**]
[Classification: Attempted Denial of Service] [Priority: 2] {TCP}
96.6.2.125:80 -> 10.21.0.16:64991

11/11-10:38:38.818757  [**] [1:17487:1] WEB-CLIENT Microsoft Internet
Explorer Script Engine Stack Exhaustion Denial of Service attempt [**]
[Classification: Attempted Denial of Service] [Priority: 2] {TCP}
72.246.94.34:80 -> 10.21.0.16:64835

11/11-10:38:46.511664  [**] [1:2010786:4] ET POLICY Facebook Chat
(settings) [**] [Classification: Potential Corporate Privacy Violation]
[Priority: 1] {TCP} 10.21.0.16:65098 -> 66.220.146.32:80

11/11-10:40:49.997265  [**] [1:15362:1] WEB-CLIENT obfuscated javascript
excessive fromCharCode - potential attack [**] [Classification: Misc
activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:1181

11/11-10:40:57.546175  [**] [1:15306:4] WEB-CLIENT Portable Executable
binary file transfer [**] [Classification: Misc activity] [Priority: 3]
{TCP} 207.171.185.196:80 -> 10.21.0.16:1281

11/11-10:41:42.069675  [**] [1:648:10] SHELLCODE x86 NOOP [**]
[Classification: Executable Code was Detected] [Priority: 1] {TCP}
207.171.185.196:80 -> 10.21.0.16:1493

11/11-10:43:16.912596  [**] [1:5713:3] WEB-CLIENT Windows Metafile
invalid header size integer overflow [**] [Classification: Attempted
Administrator Privilege Gain] [Priority: 1] {TCP} 65.55.69.143:80 ->
10.21.0.16:1491

11/11-10:45:35.275018  [**] [1:15362:1] WEB-CLIENT obfuscated javascript
excessive fromCharCode - potential attack [**] [Classification: Misc
activity] [Priority: 3] {TCP} 97.65.104.17:80 -> 10.21.0.16:2634

 

> From pcap file:

10:26:15.284212 IP 216.75.1.230.443 > 10.21.0.9.53302: Flags [.], ack
1538376874, win 46, options [nop,nop,TS val 285059531 ecr 843329],
length 1388

10:27:41.141234 IP 68.142.93.133.80 > 10.21.0.16.62912: Flags [.], ack
3472428307, win 65535, length 1400

10:27:58.026044 IP 10.21.0.16.62962 > 85.17.84.214.80: Flags [S], seq
3387361148, win 65535, options [mss 1460,nop,nop,sackOK], length 0

10:30:04.970609 IP 10.21.0.16.63283 > 199.7.50.72.80: Flags [P.], ack
1095737173, win 65535, length 20

10:30:36.362238 IP 64.210.194.188.80 > 10.21.0.16.63388: Flags [.], ack
2060485191, win 7504, length 1400

10:30:44.274148 IP 66.150.28.142.80 > 10.21.0.16.63427: Flags [.], ack
1404174044, win 7066, length 1400

10:32:33.810911 IP 64.75.15.140.80 > 10.21.10.225.59450: Flags [P.], ack
2592865250, win 1023, length 1380

10:34:04.413890 IP 10.21.0.16.64094 > 173.204.52.197.80: Flags [P.], ack
87661050, win 65535, length 12

10:35:42.820754 IP 64.210.194.188.80 > 10.21.0.16.64404: Flags [.], ack
706084536, win 7504, length 1400

10:35:49.670676 IP 66.150.28.142.80 > 10.21.0.16.64432: Flags [.], ack
3592031382, win 7066, length 1400

10:38:00.626191 IP 10.21.0.16.64881 > 85.17.84.212.80: Flags [S], seq
2705613011, win 65535, options [mss 1460,nop,nop,sackOK], length 0

10:40:49.997265 IP 64.210.194.188.80 > 10.21.0.16.1181: Flags [.], ack
2665905014, win 13936, length 1400

10:40:57.546175 IP 207.171.185.196.80 > 10.21.0.16.1281: Flags [.], ack
237172578, win 65535, length 1380

10:41:42.069675 IP 207.171.185.196.80 > 10.21.0.16.1493: Flags [.], ack
1349174870, win 49664, length 1380

10:43:16.912596 IP 65.55.69.143.80 > 10.21.0.16.1491: Flags [P.], ack
1907873745, win 13425, length 1400

10:45:35.275018 IP 97.65.104.17.80 > 10.21.0.16.2634: Flags [.], ack
1374951746, win 7504, length 1400

 

 

From: Lay, James [mailto:james.lay () wincofoods com] 
Sent: Thursday, November 11, 2010 10:43 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Oddness with 16295

 

Bump...no takers on this?

 

From: Lay, James [mailto:james.lay () wincofoods com] 
Sent: Wednesday, November 10, 2010 10:52 AM
To: snort-users () lists sourceforge net
Subject: Oddness with 16295

 

So this is weird....looking at this hit:

 

11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus
library heap buffer overflow - without optional fields [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
204.11.109.23:80 -> 10.21.0.16:64385

 

Fairly certain it's an fp, but...when I hit the pcap dump file, it
doesn't show....here's consecutive hits in the alert file:

 

11/10-10:37:25.096951  [**] [1:12280:2] WEB-CLIENT VML source file
memory corruption [**] [Classification: Attempted User Privilege Gain]
[Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185

11/10-10:37:25.131950  [**] [1:12280:2] WEB-CLIENT VML source file
memory corruption [**] [Classification: Attempted User Privilege Gain]
[Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185

11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus
library heap buffer overflow - without optional fields [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
204.11.109.23:80 -> 10.21.0.16:64385

11/10-10:39:35.643464  [**] [119:14:1] (http_inspect) NON-RFC DEFINED
CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64686 -> 66.211.180.40:80

 

And from the pcapfile:

sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395

10:37:25.096951 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack
1081895485, win 4789, length 1400

10:37:25.131950 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack
1, win 4789, length 1400

10:39:35.643464 IP 10.21.0.16.64686 > 66.211.180.40.80: Flags [.], ack
2261207081, win 65535, length 536

 

So where did 16295 go?  A quick check for that IP gives nothing:

[10:48:24 jlay@goids:~/log$] sudo tcpdump -n -s 1524 -r
internettcpdump.pcap.1289401395 ip and host 204.11.109.23

reading from file internettcpdump.pcap.1289401395, link-type EN10MB
(Ethernet)

[10:50:21 jlay@goids:~/log$]

 

James Lay

IT Security Analyst

WinCo Foods

208-672-2014 Office

208-559-1855 Cell

650 N Armstrong Pl.

Boise, Idaho 83704

 

------------------------------------------------------------------------------
Centralized Desktop Delivery: Dell and VMware Reference Architecture
Simplifying enterprise desktop deployment and management using
Dell EqualLogic storage and VMware View: A highly scalable, end-to-end
client virtualization framework. Read more!
http://p.sf.net/sfu/dell-eql-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users