Snort mailing list archives

Re: Snort not logging all alerts in pcap (was Oddness with 16295)


From: rmkml <rmkml () yahoo fr>
Date: Sat, 13 Nov 2010 13:25:45 +0100 (CET)

Hi James,
It's perfect, what's the problem?
If I remember correctly, Snort writes only one packet to the pcap file for one alert... (not stream reassembly)
What Snort version do you use?
Maybe Snort "drops" packets? Read your log for packet stats or send 'kill -USR1 snort_pid'...
Regards
Rmkml


On Thu, 11 Nov 2010, Lay, James wrote:


OK so now I’m sure there’s an issue.  Below are more examples…everything is fine until alert timestamps 11/11-10:38:38.577756 and 11/11-10:38:38.818757…they are simply not there in the corresponding pcap file.  My settings are as follows:

output alert_fast: internetalert.fast
output log_tcpdump: internettcpdump.pcap

Any reason some packets aren’t getting logged in the pcap file?  Any pointers would be excellent.

James

[10:45:48 jlay@goids:~/log$] sudo tail -n 20 internetalert.fast

11/11-10:26:15.284212  [**] [1:2008418:4] ET POLICY Metasploit Framework Update [**] [Classification: Misc activity] [Priority: 3] {TCP} 216.75.1.230:443 -> 10.21.0.9:53302
11/11-10:27:41.141234  [**] [1:15306:4] WEB-CLIENT Portable Executable binary file transfer [**] [Classification: Misc activity] [Priority: 3] {TCP} 68.142.93.133:80 -> 10.21.0.16:62912
11/11-10:27:58.026044  [**] [1:2406512:194] ET RBN Known Russian Business Network IP TCP (257) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.21.0.16:62962 -> 85.17.84.214:80
11/11-10:30:04.970609  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:63283 -> 199.7.50.72:80
11/11-10:30:36.362238  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:63388
11/11-10:30:44.274148  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 66.150.28.142:80 -> 10.21.0.16:63427
11/11-10:32:33.810911  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.75.15.140:80 -> 10.21.10.225:59450
11/11-10:34:04.413890  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64094 -> 173.204.52.197:80
11/11-10:35:42.820754  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:64404
11/11-10:35:49.670676  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 66.150.28.142:80 -> 10.21.0.16:64432
11/11-10:38:00.626191  [**] [1:2406512:194] ET RBN Known Russian Business Network IP TCP (257) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.21.0.16:64881 -> 85.17.84.212:80
11/11-10:38:38.577756  [**] [1:17487:1] WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 96.6.2.125:80 -> 10.21.0.16:64991
11/11-10:38:38.818757  [**] [1:17487:1] WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 72.246.94.34:80 -> 10.21.0.16:64835
11/11-10:38:46.511664  [**] [1:2010786:4] ET POLICY Facebook Chat (settings) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.21.0.16:65098 -> 66.220.146.32:80
11/11-10:40:49.997265  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:1181
11/11-10:40:57.546175  [**] [1:15306:4] WEB-CLIENT Portable Executable binary file transfer [**] [Classification: Misc activity] [Priority: 3] {TCP} 207.171.185.196:80 -> 10.21.0.16:1281
11/11-10:41:42.069675  [**] [1:648:10] SHELLCODE x86 NOOP [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 207.171.185.196:80 -> 10.21.0.16:1493
11/11-10:43:16.912596  [**] [1:5713:3] WEB-CLIENT Windows Metafile invalid header size integer overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 65.55.69.143:80 -> 10.21.0.16:1491
11/11-10:45:35.275018  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 97.65.104.17:80 -> 10.21.0.16:2634


From pcap file:

10:26:15.284212 IP 216.75.1.230.443 > 10.21.0.9.53302: Flags [.], ack 1538376874, win 46, options [nop,nop,TS val 285059531 ecr 843329], length 1388
10:27:41.141234 IP 68.142.93.133.80 > 10.21.0.16.62912: Flags [.], ack 3472428307, win 65535, length 1400
10:27:58.026044 IP 10.21.0.16.62962 > 85.17.84.214.80: Flags [S], seq 3387361148, win 65535, options [mss 1460,nop,nop,sackOK], length 0
10:30:04.970609 IP 10.21.0.16.63283 > 199.7.50.72.80: Flags [P.], ack 1095737173, win 65535, length 20
10:30:36.362238 IP 64.210.194.188.80 > 10.21.0.16.63388: Flags [.], ack 2060485191, win 7504, length 1400
10:30:44.274148 IP 66.150.28.142.80 > 10.21.0.16.63427: Flags [.], ack 1404174044, win 7066, length 1400
10:32:33.810911 IP 64.75.15.140.80 > 10.21.10.225.59450: Flags [P.], ack 2592865250, win 1023, length 1380
10:34:04.413890 IP 10.21.0.16.64094 > 173.204.52.197.80: Flags [P.], ack 87661050, win 65535, length 12
10:35:42.820754 IP 64.210.194.188.80 > 10.21.0.16.64404: Flags [.], ack 706084536, win 7504, length 1400
10:35:49.670676 IP 66.150.28.142.80 > 10.21.0.16.64432: Flags [.], ack 3592031382, win 7066, length 1400
10:38:00.626191 IP 10.21.0.16.64881 > 85.17.84.212.80: Flags [S], seq 2705613011, win 65535, options [mss 1460,nop,nop,sackOK], length 0
10:40:49.997265 IP 64.210.194.188.80 > 10.21.0.16.1181: Flags [.], ack 2665905014, win 13936, length 1400
10:40:57.546175 IP 207.171.185.196.80 > 10.21.0.16.1281: Flags [.], ack 237172578, win 65535, length 1380
10:41:42.069675 IP 207.171.185.196.80 > 10.21.0.16.1493: Flags [.], ack 1349174870, win 49664, length 1380
10:43:16.912596 IP 65.55.69.143.80 > 10.21.0.16.1491: Flags [P.], ack 1907873745, win 13425, length 1400
10:45:35.275018 IP 97.65.104.17.80 > 10.21.0.16.2634: Flags [.], ack 1374951746, win 7504, length 1400


From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Thursday, November 11, 2010 10:43 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Oddness with 16295


Bump…no takers on this?


From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Wednesday, November 10, 2010 10:52 AM
To: snort-users () lists sourceforge net
Subject: Oddness with 16295


So this is weird…looking at this hit:

11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 -> 10.21.0.16:64385

Fairly certain it’s an fp, but…when I hit the pcap dump file, it doesn’t show…here are consecutive hits in the alert file:

11/10-10:37:25.096951  [**] [1:12280:2] WEB-CLIENT VML source file memory corruption [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185
11/10-10:37:25.131950  [**] [1:12280:2] WEB-CLIENT VML source file memory corruption [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185
11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 -> 10.21.0.16:64385
11/10-10:39:35.643464  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64686 -> 66.211.180.40:80

And from the pcap file:

sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395

10:37:25.096951 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack 1081895485, win 4789, length 1400
10:37:25.131950 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack 1, win 4789, length 1400
10:39:35.643464 IP 10.21.0.16.64686 > 66.211.180.40.80: Flags [.], ack 2261207081, win 65535, length 536


So where did 16295 go?  A quick check for that IP gives nothing:

[10:48:24 jlay@goids:~/log$] sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395 ip and host 204.11.109.23

reading from file internettcpdump.pcap.1289401395, link-type EN10MB (Ethernet)

[10:50:21 jlay@goids:~/log$]


James Lay

IT Security Analyst

WinCo Foods

208-672-2014 Office

208-559-1855 Cell

650 N Armstrong Pl.

Boise, Idaho 83704



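A script that does the alert-to-pcap comparison James did by hand, added here as an example (not code from the thread or from Snort): it parses alert_fast lines and "tcpdump -n -r" output in the formats shown above, using lines taken from the listings as sample input, and reports every alert with no packet at the same microsecond timestamp and endpoints. It assumes IPv4 addresses and the alert_fast layout seen in the thread.

```python
import re

# Constructed sample input in the alert_fast and "tcpdump -n -r" formats
# from the thread (lines taken from James's listings above).
ALERT_FAST = """\
11/11-10:38:00.626191  [**] [1:2406512:194] ET RBN Known Russian Business Network IP TCP (257) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.21.0.16:64881 -> 85.17.84.212:80
11/11-10:38:38.577756  [**] [1:17487:1] WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 96.6.2.125:80 -> 10.21.0.16:64991
11/11-10:40:49.997265  [**] [1:15362:1] WEB-CLIENT obfuscated javascript excessive fromCharCode - potential attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:1181
"""
TCPDUMP = """\
10:38:00.626191 IP 10.21.0.16.64881 > 85.17.84.212.80: Flags [S], seq 2705613011, win 65535, options [mss 1460,nop,nop,sackOK], length 0
10:40:49.997265 IP 64.210.194.188.80 > 10.21.0.16.1181: Flags [.], ack 2665905014, win 13936, length 1400
"""

# alert_fast: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-(?P<tod>\d\d:\d\d:\d\d\.\d{6}))\s+\[\*\*\]\s+"
    r"\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?\{\w+\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?$")
# tcpdump -n: "HH:MM:SS.usec IP src[.port] > dst[.port]: ..." (IPv4 only, an assumption)
PKT_RE = re.compile(
    r"^(?P<tod>\d\d:\d\d:\d\d\.\d{6}) IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))?"
    r" > (?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?:")

def _key(m):
    # The alert timestamp is the capture time of the packet that fired the rule, and
    # log_tcpdump writes that packet, so time-of-day plus endpoints identifies it.
    return (m["tod"], m["src"], m["sport"], m["dst"], m["dport"])

def packet_keys(tcpdump_text):
    """Set of (time, src, sport, dst, dport) for every packet tcpdump printed."""
    return {_key(m) for m in map(PKT_RE.match, tcpdump_text.splitlines()) if m}

def find_unlogged(alert_text, tcpdump_text):
    """Return (timestamp, gid:sid:rev, msg) for alerts with no packet in the pcap."""
    present = packet_keys(tcpdump_text)
    missing = []
    for m in map(ALERT_RE.match, alert_text.splitlines()):
        if m and _key(m) not in present:
            missing.append((m["ts"], m["sid"], m["msg"]))
    return missing

if __name__ == "__main__":
    for ts, sid, msg in find_unlogged(ALERT_FAST, TCPDUMP):
        print(f"{ts} [{sid}] {msg}: no matching packet in the pcap")
```

Feed it the full alert file and the full "tcpdump -n -r" listing to get the complete list of alerts whose packet never reached the log_tcpdump file.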