Re: Snort not logging all alerts in pcap (was Oddness with 16295)

[James Lay <jlay () slave-tothe-box net>]

Hrmm.  Well, this is snort 2.9.0.1.  I've recompiled it without gre and
performance stats so we'll see what happens.

James

On 11/13/10 5:25 AM, "rmkml" <rmkml () yahoo fr> wrote:

> Hi James,
> It's perfect, what's pb?
> If I remember correctly, snort write only one packet on pcap file for one
> alert... (not stream reassembly)
> What snort version you use?
> Maybe snort "drop" packet? read your log for stat packets or send 'kill
> -USR1 snort_pid'...
> Regards
> Rmkml
>
>
> On Thu, 11 Nov 2010, Lay, James wrote:
>
> > OK so now I¹m sure there¹s an issue.  Below are more
> > examplesŠeverything is fine until alert timestamps 11/11-10:38:38.577756
> > and 11/11-10:38:38.818757Šthey are
> > simply not there in the corresponding pcap file.  My settings are as
> > follows:
> >
> >  
> >
> > output alert_fast: internetalert.fast
> >
> > output log_tcpdump: internettcpdump.pcap
> >
> >  
> >
> > Any reason some packets aren¹t getting logged in the pcap file?  Any
> > pointers would be excellent.
> >
> >  
> >
> > James 
> >
> >  
> >
> > [10:45:48 jlay@goids:~/log$] sudo tail -n 20 internetalert.fast
> >
> > 11/11-10:26:15.284212  [**] [1:2008418:4] ET POLICY Metasploit
> > Framework Update [**] [Classification: Misc activity] [Priority: 3]
> > {TCP} 216.75.1.230:443 ->
> > 10.21.0.9:53302
> >
> > 11/11-10:27:41.141234  [**] [1:15306:4] WEB-CLIENT Portable Executable
> > binary file transfer [**] [Classification: Misc activity] [Priority: 3]
> > {TCP}
> > 68.142.93.133:80 -> 10.21.0.16:62912
> >
> > 11/11-10:27:58.026044  [**] [1:2406512:194] ET RBN Known Russian
> > Business Network IP TCP (257) [**] [Classification: Misc Attack]
> > [Priority: 2] {TCP}
> > 10.21.0.16:62962 -> 85.17.84.214:80
> >
> > 11/11-10:30:04.970609  [**] [119:14:1] (http_inspect) NON-RFC DEFINED
> > CHAR [**] [Priority: 3] {TCP} 10.21.0.16:63283 -> 199.7.50.72:80
> >
> > 11/11-10:30:36.362238  [**] [1:15362:1] WEB-CLIENT obfuscated
> > javascript excessive fromCharCode - potential attack [**]
> > [Classification: Misc activity]
> > [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:63388
> >
> > 11/11-10:30:44.274148  [**] [1:15362:1] WEB-CLIENT obfuscated
> > javascript excessive fromCharCode - potential attack [**]
> > [Classification: Misc activity]
> > [Priority: 3] {TCP} 66.150.28.142:80 -> 10.21.0.16:63427
> >
> > 11/11-10:32:33.810911  [**] [1:15362:1] WEB-CLIENT obfuscated
> > javascript excessive fromCharCode - potential attack [**]
> > [Classification: Misc activity]
> > [Priority: 3] {TCP} 64.75.15.140:80 -> 10.21.10.225:59450
> >
> > 11/11-10:34:04.413890  [**] [119:14:1] (http_inspect) NON-RFC DEFINED
> > CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64094 -> 173.204.52.197:80
> >
> > 11/11-10:35:42.820754  [**] [1:15362:1] WEB-CLIENT obfuscated
> > javascript excessive fromCharCode - potential attack [**]
> > [Classification: Misc activity]
> > [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:64404
> >
> > 11/11-10:35:49.670676  [**] [1:15362:1] WEB-CLIENT obfuscated
> > javascript excessive fromCharCode - potential attack [**]
> > [Classification: Misc activity]
> > [Priority: 3] {TCP} 66.150.28.142:80 -> 10.21.0.16:64432
> >
> > 11/11-10:38:00.626191  [**] [1:2406512:194] ET RBN Known Russian
> > Business Network IP TCP (257) [**] [Classification: Misc Attack]
> > [Priority: 2] {TCP}
> > 10.21.0.16:64881 -> 85.17.84.212:80
> >
> > 11/11-10:38:38.577756  [**] [1:17487:1] WEB-CLIENT Microsoft Internet
> > Explorer Script Engine Stack Exhaustion Denial of Service attempt [**]
> > [Classification:
> > Attempted Denial of Service] [Priority: 2] {TCP} 96.6.2.125:80 ->
> > 10.21.0.16:64991
> >
> > 11/11-10:38:38.818757  [**] [1:17487:1] WEB-CLIENT Microsoft Internet
> > Explorer Script Engine Stack Exhaustion Denial of Service attempt [**]
> > [Classification:
> > Attempted Denial of Service] [Priority: 2] {TCP} 72.246.94.34:80 ->
> > 10.21.0.16:64835
> >
> > 11/11-10:38:46.511664  [**] [1:2010786:4] ET POLICY Facebook Chat
> > (settings) [**] [Classification: Potential Corporate Privacy Violation]
> > [Priority: 1] {TCP}
> > 10.21.0.16:65098 -> 66.220.146.32:80
> >
> > 11/11-10:40:49.997265  [**] [1:15362:1] WEB-CLIENT obfuscated
> > javascript excessive fromCharCode - potential attack [**]
> > [Classification: Misc activity]
> > [Priority: 3] {TCP} 64.210.194.188:80 -> 10.21.0.16:1181
> >
> > 11/11-10:40:57.546175  [**] [1:15306:4] WEB-CLIENT Portable Executable
> > binary file transfer [**] [Classification: Misc activity] [Priority: 3]
> > {TCP}
> > 207.171.185.196:80 -> 10.21.0.16:1281
> >
> > 11/11-10:41:42.069675  [**] [1:648:10] SHELLCODE x86 NOOP [**]
> > [Classification: Executable Code was Detected] [Priority: 1] {TCP}
> > 207.171.185.196:80 ->
> > 10.21.0.16:1493
> >
> > 11/11-10:43:16.912596  [**] [1:5713:3] WEB-CLIENT Windows Metafile
> > invalid header size integer overflow [**] [Classification: Attempted
> > Administrator Privilege
> > Gain] [Priority: 1] {TCP} 65.55.69.143:80 -> 10.21.0.16:1491
> >
> > 11/11-10:45:35.275018  [**] [1:15362:1] WEB-CLIENT obfuscated
> > javascript excessive fromCharCode - potential attack [**]
> > [Classification: Misc activity]
> > [Priority: 3] {TCP} 97.65.104.17:80 -> 10.21.0.16:2634
> >
> >  
> >
> > From pcap file:
> >
> > 10:26:15.284212 IP 216.75.1.230.443 > 10.21.0.9.53302: Flags [.], ack
> > 1538376874, win 46, options [nop,nop,TS val 285059531 ecr 843329],
> > length 1388
> >
> > 10:27:41.141234 IP 68.142.93.133.80 > 10.21.0.16.62912: Flags [.], ack
> > 3472428307, win 65535, length 1400
> >
> > 10:27:58.026044 IP 10.21.0.16.62962 > 85.17.84.214.80: Flags [S], seq
> > 3387361148, win 65535, options [mss 1460,nop,nop,sackOK], length 0
> >
> > 10:30:04.970609 IP 10.21.0.16.63283 > 199.7.50.72.80: Flags [P.], ack
> > 1095737173, win 65535, length 20
> >
> > 10:30:36.362238 IP 64.210.194.188.80 > 10.21.0.16.63388: Flags [.], ack
> > 2060485191, win 7504, length 1400
> >
> > 10:30:44.274148 IP 66.150.28.142.80 > 10.21.0.16.63427: Flags [.], ack
> > 1404174044, win 7066, length 1400
> >
> > 10:32:33.810911 IP 64.75.15.140.80 > 10.21.10.225.59450: Flags [P.],
> > ack 2592865250, win 1023, length 1380
> >
> > 10:34:04.413890 IP 10.21.0.16.64094 > 173.204.52.197.80: Flags [P.],
> > ack 87661050, win 65535, length 12
> >
> > 10:35:42.820754 IP 64.210.194.188.80 > 10.21.0.16.64404: Flags [.], ack
> > 706084536, win 7504, length 1400
> >
> > 10:35:49.670676 IP 66.150.28.142.80 > 10.21.0.16.64432: Flags [.], ack
> > 3592031382, win 7066, length 1400
> >
> > 10:38:00.626191 IP 10.21.0.16.64881 > 85.17.84.212.80: Flags [S], seq
> > 2705613011, win 65535, options [mss 1460,nop,nop,sackOK], length 0
> >
> > 10:40:49.997265 IP 64.210.194.188.80 > 10.21.0.16.1181: Flags [.], ack
> > 2665905014, win 13936, length 1400
> >
> > 10:40:57.546175 IP 207.171.185.196.80 > 10.21.0.16.1281: Flags [.], ack
> > 237172578, win 65535, length 1380
> >
> > 10:41:42.069675 IP 207.171.185.196.80 > 10.21.0.16.1493: Flags [.], ack
> > 1349174870, win 49664, length 1380
> >
> > 10:43:16.912596 IP 65.55.69.143.80 > 10.21.0.16.1491: Flags [P.], ack
> > 1907873745, win 13425, length 1400
> >
> > 10:45:35.275018 IP 97.65.104.17.80 > 10.21.0.16.2634: Flags [.], ack
> > 1374951746, win 7504, length 1400
> >
> >  
> >
> >  
> >
> > From: Lay, James [mailto:james.lay () wincofoods com]
> > Sent: Thursday, November 11, 2010 10:43 AM
> > To: snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] Oddness with 16295
> >
> >  
> >
> > BumpŠno takers on this?
> >
> >  
> >
> > From: Lay, James [mailto:james.lay () wincofoods com]
> > Sent: Wednesday, November 10, 2010 10:52 AM
> > To: snort-users () lists sourceforge net
> > Subject: Oddness with 16295
> >
> >  
> >
> > So this is weirdŠ.looking at this hit:
> >
> >  
> >
> > 11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus
> > library heap buffer overflow - without optional fields [**]
> > [Classification: Attempted
> > User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 ->
> > 10.21.0.16:64385
> >
> >  
> >
> > Fairly certain it¹s an fp, butŠwhen I hit the pcap dump file, it
> > doesn¹t showŠ.here¹s consecutive hits in the alert file:
> >
> >  
> >
> > 11/10-10:37:25.096951  [**] [1:12280:2] WEB-CLIENT VML source file
> > memory corruption [**] [Classification: Attempted User Privilege Gain]
> > [Priority: 1] {TCP}
> > 67.23.129.249:80 -> 10.21.0.16:64185
> >
> > 11/10-10:37:25.131950  [**] [1:12280:2] WEB-CLIENT VML source file
> > memory corruption [**] [Classification: Attempted User Privilege Gain]
> > [Priority: 1] {TCP}
> > 67.23.129.249:80 -> 10.21.0.16:64185
> >
> > 11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus
> > library heap buffer overflow - without optional fields [**]
> > [Classification: Attempted
> > User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 ->
> > 10.21.0.16:64385
> >
> > 11/10-10:39:35.643464  [**] [119:14:1] (http_inspect) NON-RFC DEFINED
> > CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64686 -> 66.211.180.40:80
> >
> >  
> >
> > And from the pcapfile:
> >
> > sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395
> >
> > 10:37:25.096951 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack
> > 1081895485, win 4789, length 1400
> >
> > 10:37:25.131950 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack
> > 1, win 4789, length 1400
> >
> > 10:39:35.643464 IP 10.21.0.16.64686 > 66.211.180.40.80: Flags [.], ack
> > 2261207081, win 65535, length 536
> >
> >  
> >
> > So where did 16295 go?  A quick check for that IP gives nothing:
> >
> > [10:48:24 jlay@goids:~/log$] sudo tcpdump -n -s 1524 -r
> > internettcpdump.pcap.1289401395 ip and host 204.11.109.23
> >
> > reading from file internettcpdump.pcap.1289401395, link-type EN10MB
> > (Ethernet)
> >
> > [10:50:21 jlay@goids:~/log$]
> >
> >  
> >
> > James Lay
> >
> > IT Security Analyst
> >
> > WinCo Foods
> >
> > 208-672-2014 Office
> >
> > 208-559-1855 Cell
> >
> > 650 N Armstrong Pl.
> >
> > Boise, Idaho 83704
> >
> >  
> >
> >
> > -------------------------------------------------------------------------
> > -----
> Centralized Desktop Delivery: Dell and VMware Reference Architecture
> Simplifying enterprise desktop deployment and management using
> Dell EqualLogic storage and VMware View: A highly scalable, end-to-end
> client virtualization framework. Read more!
> http://p.sf.net/sfu/dell-eql-dev2dev______________________________________
> _________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



------------------------------------------------------------------------------
Centralized Desktop Delivery: Dell and VMware Reference Architecture
Simplifying enterprise desktop deployment and management using
Dell EqualLogic storage and VMware View: A highly scalable, end-to-end
client virtualization framework. Read more!
http://p.sf.net/sfu/dell-eql-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users