Snort mailing list archives
Snort not logging all alerts in pcap (was Oddness with 16295)
From: "Lay, James" <james.lay () wincofoods com>
Date: Thu, 11 Nov 2010 10:54:15 -0700
OK so now I'm sure there's an issue. Below are more examples...everything is fine until alert timestamps 11/11-10:38:38.577756 and 11/11-10:38:38.818757...they are simply not there in the corresponding pcap file. My settings are as follows: output alert_fast: internetalert.fast output log_tcpdump: internettcpdump.pcap Any reason some packets aren't getting logged in the pcap file? Any pointers would be excellent. James [10:45:48 jlay@goids:~/log$] sudo tail -n 20 internetalert.fast 11/11-10:26:15.284212 [**] [1:2008418:4] ET POLICY Metasploit Framework Update [**] [Classification: Misc activity] [Priority: 3] {TCP} 216.75.1.230:443 -> 10.21.0.9:53302 11/11-10:27:41.141234 [**] [1:15306:4] WEB-CLIENT Portable Executable binary file transfer [**] [Classification: Misc activity] [Priority: 3] {TCP} 68.142.93.133:80 -> 10.21.0.16:62912 11/11-10:27:58.026044 [**] [1:2406512:194] ET RBN Known Russian Business Network IP TCP (257) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.21.0.16:62962 -> 85.17.84.214:80 11/11-10:30:04.970609 [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:63283 -> 199.7.50.72:80 11/11-10:30:36.362238 [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:63388 11/11-10:30:44.274148 [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 66.150.28.142:80 -> 10.21.0.16:63427 11/11-10:32:33.810911 [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.75.15.140:80 -> 10.21.10.225:59450 11/11-10:34:04.413890 [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64094 -> 173.204.52.197:80 11/11-10:35:42.820754 [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:64404 11/11-10:35:49.670676 [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 66.150.28.142:80 -> 10.21.0.16:64432 11/11-10:38:00.626191 [**] [1:2406512:194] ET RBN Known Russian Business Network IP TCP (257) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.21.0.16:64881 -> 85.17.84.212:80 11/11-10:38:38.577756 [**] [1:17487:1] WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 96.6.2.125:80 -> 10.21.0.16:64991 11/11-10:38:38.818757 [**] [1:17487:1] WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 72.246.94.34:80 -> 10.21.0.16:64835 11/11-10:38:46.511664 [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:65098 -> 66.220.146.32:80 11/11-10:40:49.997265 [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:1181 11/11-10:40:57.546175 [**] [1:15306:4] WEB-CLIENT Portable Executable binary file transfer [**] [Classification: Misc activity] [Priority: 3] {TCP} 207.171.185.196:80 -> 10.21.0.16:1281 11/11-10:41:42.069675 [**] [1:648:10] SHELLCODE x86 NOOP [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 207.171.185.196:80 -> 10.21.0.16:1493 11/11-10:43:16.912596 [**] [1:5713:3] WEB-CLIENT Windows Metafile invalid header size integer overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 65.55.69.143:80 -> 10.21.0.16:1491 11/11-10:45:35.275018 [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 97.65.104.17:80 -> 10.21.0.16:2634
From pcap file:
10:26:15.284212 IP 216.75.1.230.443 > 10.21.0.9.53302: Flags [.], ack 1538376874, win 46, options [nop,nop,TS val 285059531 ecr 843329], length 1388 10:27:41.141234 IP 68.142.93.133.80 > 10.21.0.16.62912: Flags [.], ack 3472428307, win 65535, length 1400 10:27:58.026044 IP 10.21.0.16.62962 > 85.17.84.214.80: Flags [S], seq 3387361148, win 65535, options [mss 1460,nop,nop,sackOK], length 0 10:30:04.970609 IP 10.21.0.16.63283 > 199.7.50.72.80: Flags [P.], ack 1095737173, win 65535, length 20 10:30:36.362238 IP 64.210.194.188.80 > 10.21.0.16.63388: Flags [.], ack 2060485191, win 7504, length 1400 10:30:44.274148 IP 66.150.28.142.80 > 10.21.0.16.63427: Flags [.], ack 1404174044, win 7066, length 1400 10:32:33.810911 IP 64.75.15.140.80 > 10.21.10.225.59450: Flags [P.], ack 2592865250, win 1023, length 1380 10:34:04.413890 IP 10.21.0.16.64094 > 173.204.52.197.80: Flags [P.], ack 87661050, win 65535, length 12 10:35:42.820754 IP 64.210.194.188.80 > 10.21.0.16.64404: Flags [.], ack 706084536, win 7504, length 1400 10:35:49.670676 IP 66.150.28.142.80 > 10.21.0.16.64432: Flags [.], ack 3592031382, win 7066, length 1400 10:38:00.626191 IP 10.21.0.16.64881 > 85.17.84.212.80: Flags [S], seq 2705613011, win 65535, options [mss 1460,nop,nop,sackOK], length 0 10:40:49.997265 IP 64.210.194.188.80 > 10.21.0.16.1181: Flags [.], ack 2665905014, win 13936, length 1400 10:40:57.546175 IP 207.171.185.196.80 > 10.21.0.16.1281: Flags [.], ack 237172578, win 65535, length 1380 10:41:42.069675 IP 207.171.185.196.80 > 10.21.0.16.1493: Flags [.], ack 1349174870, win 49664, length 1380 10:43:16.912596 IP 65.55.69.143.80 > 10.21.0.16.1491: Flags [P.], ack 1907873745, win 13425, length 1400 10:45:35.275018 IP 97.65.104.17.80 > 10.21.0.16.2634: Flags [.], ack 1374951746, win 7504, length 1400 From: Lay, James [mailto:james.lay () wincofoods com] Sent: Thursday, November 11, 2010 10:43 AM To: snort-users () lists sourceforge net Subject: Re: [Snort-users] Oddness with 16295 Bump...no takers on this? From: Lay, James [mailto:james.lay () wincofoods com] Sent: Wednesday, November 10, 2010 10:52 AM To: snort-users () lists sourceforge net Subject: Oddness with 16295 So this is weird....looking at this hit: 11/10-10:38:18.976338 [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 -> 10.21.0.16:64385 Fairly certain it's an fp, but...when I hit the pcap dump file, it doesn't show....here's consecutive hits in the alert file: 11/10-10:37:25.096951 [**] [1:12280:2] WEB-CLIENT VML source file memory corruption [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185 11/10-10:37:25.131950 [**] [1:12280:2] WEB-CLIENT VML source file memory corruption [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185 11/10-10:38:18.976338 [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 -> 10.21.0.16:64385 11/10-10:39:35.643464 [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64686 -> 66.211.180.40:80 And from the pcapfile: sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395 10:37:25.096951 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack 1081895485, win 4789, length 1400 10:37:25.131950 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack 1, win 4789, length 1400 10:39:35.643464 IP 10.21.0.16.64686 > 66.211.180.40.80: Flags [.], ack 2261207081, win 65535, length 536 So where did 16295 go? A quick check for that IP gives nothing: [10:48:24 jlay@goids:~/log$] sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395 ip and host 204.11.109.23 reading from file internettcpdump.pcap.1289401395, link-type EN10MB (Ethernet) [10:50:21 jlay@goids:~/log$] James Lay IT Security Analyst WinCo Foods 208-672-2014 Office 208-559-1855 Cell 650 N Armstrong Pl. Boise, Idaho 83704
------------------------------------------------------------------------------ Centralized Desktop Delivery: Dell and VMware Reference Architecture Simplifying enterprise desktop deployment and management using Dell EqualLogic storage and VMware View: A highly scalable, end-to-end client virtualization framework. Read more! http://p.sf.net/sfu/dell-eql-dev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort not logging all alerts in pcap (was Oddness with 16295) Lay, James (Nov 11)
- Re: Snort not logging all alerts in pcap (was Oddness with 16295) rmkml (Nov 13)
- Re: Snort not logging all alerts in pcap (was Oddness with 16295) James Lay (Nov 15)
- Re: Snort not logging all alerts in pcap (was Oddness with 16295) rmkml (Nov 13)