Snort mailing list archives

Re: [Emerging-Sigs] FP on 2012886 but I don't see how


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 4 Aug 2011 13:13:19 -0400

I am wondering if Barnyard2 is logging the first packet, but not the tagged packet.

Can you use u2spewfoo that we include with Snort to look inside your unified2 file and find out if it's there?

<It's morning in Vegas and I'm not really awake yet.>

J

On Aug 4, 2011, at 12:56 PM, Weir, Jason wrote:

Not really sure how to answer that..

Unified2 -> barnyard2 -> mysql -> base?

-J

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Thursday, August 04, 2011 12:53 PM
To: Weir, Jason
Cc: Emerging Sigs
Subject: Re: [Emerging-Sigs] FP on 2012886 but I don't see how


How are you logging?

Sent from my iPhone

On Aug 3, 2011, at 13:05, "Weir, Jason" <jason.weir () nhrs org> wrote:

I think you were clear - my understanding not so much..  You'd think it would log the packet it alerts on...  Joel, is there a reason for this?

Thanks!
-J

-----Original Message-----
From: rmkml [mailto:rmkml () free fr] 
Sent: Wednesday, August 03, 2011 4:03 PM
To: Weir, Jason
Cc: Emerging Sigs; rmkml () free fr
Subject: Re: [Emerging-Sigs] FP on 2012886 but I don't see how


Hi Jason,
Snort matches on the "first" payload packet and alerts + writes it to pcap (because you use http_*); unfortunately, your content search (passwd) is on the "second" payload packet...
sorry if I'm not clear.
Regards
Rmkml



On Wed, 3 Aug 2011, Weir, Jason wrote:

Yes - but it looks like it alerted on packet 1 from your example - there is no passwd= in packet 1...  Am I missing something in your explanation?

-J

-----Original Message-----
From: rmkml [mailto:rmkml () free fr]
Sent: Wednesday, August 03, 2011 3:51 PM
To: Weir, Jason
Cc: Emerging Sigs; rmkml () free fr
Subject: Re: [Emerging-Sigs] FP on 2012886 but I don't see how


Hi,
Excuse me, but what's the problem? Snort records only one packet per alert, and an HTTP request can split the URI onto the "first" payload packet and the arguments/values onto the "second" payload packet, like this for example:
1: POST /api/login/platintanium HTTP/1.1
  ....
2: a=b&passwd=example
Regards
Rmkml


On Wed, 3 Aug 2011, Joel Esler wrote:

Yes, please review the Snort.conf in the VRT rulepack as it
has our recommended default settings.

When we put out a new rulepack and I announce it on
http://blog.snort.org, I have a line in there that states if
we have made any changes to the Snort.conf with the rulepack.
We haven't done one in a while.

J

On Aug 3, 2011, at 3:05 PM, Weir, Jason wrote:

I see the manual has 262144 as the default, I'll start there...  Manual doesn't specify what gets used if option isn't set... As I don't have max_udp set...

-J

-----Original Message-----
From: emerging-sigs-bounces () emergingthreats net [mailto:emerging-sigs-bounces () emergingthreats net] On Behalf Of Weir, Jason
Sent: Wednesday, August 03, 2011 2:56 PM
To: Emerging Sigs
Subject: Re: [Emerging-Sigs] FP on 2012886 but I don't see how


Joel,

What would you recommend? Looks like I'm @ 8192 currently..

preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no, max_active_responses 2, min_response_seconds 5

-J
-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Wednesday, August 03, 2011 2:52 PM
To: Weir, Jason
Cc: Emerging Sigs
Subject: Re: [Emerging-Sigs] FP on 2012886 but I don't see how


Can you increase your max sessions in stream5?  It looks like
you are maxed out.

--
Sent from my iPad
Please excuse the brevity

On Aug 3, 2011, at 2:45 PM, "Weir, Jason" <jason.weir () nhrs org> wrote:

Debian\Snort 2.9.0.5

I don't think it's load related...

%CPU   PID USER     COMMAND
8.4 15845 snort    /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1
1.3 15846 root     /usr/local/bin/barnyard2 -q -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log blah blah blah

Output from snort perf monitor - consistently less than .05% packet loss, doesn't seem excessive to me, unless the switch is dropping packets before they get to the sensor..



1312388143,0.042,11.997,0.007,3.416,438,80.928,5.236,5.096,5.612,3.737,1690,1738,213.762,0,293,0.021,0.003,0.003,0.003,0.000,0.003,16,16,0,0,1,7.715,0.612,91.672,11.997,0.000,0.000,0.700,12.697,438,452,1474,409,437,3.416,0.000,0.000,0.214,3.630,3077133,1295,0,4.448,0.134,3885,3885,1738,210,400,1095,0.414,3.658,0.325,0.000,0.000,0,0,0.000,0,0.000,0,0,0,

-J

-----Original Message-----
From: Matthew Jonkman [mailto:jonkman () emergingthreatspro com]
Sent: Wednesday, August 03, 2011 2:33 PM
To: Weir, Jason
Cc: Emerging Sigs
Subject: Re: [Emerging-Sigs] FP on 2012886 but I don't see how


That ain't right...

Which engine/version/platform?

Overloaded? Any significant packet dropping going on?

Matt


On Aug 3, 2011, at 2:16 PM, Weir, Jason wrote:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Http Client Body contains passwd= in cleartext"; flow:established,to_server; content:"passwd="; nocase; http_client_body; classtype:policy-violation; sid:2012886; rev:1;)

Tripped on this

POST /api/login/platintanium HTTP/1.1
Host: www.reddit.com
Connection: keep-alive
Referer: http://www.reddit.com/
Content-Length: 83
Origin: http://www.reddit.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.107 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=55650728.1511640242.1305205532.1310644711.1310647724.19; __utmz=55650728.1305205532.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _recentclicks2=t3_j7ryz%2C; _last_thing=; reddit_first=%7B%22organic_pos%22%3A%2057%2C%20%22firsttime%22%3A%20%22first%22%7D
-J


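As an added illustration (not code from the thread, from Snort or from Emerging Threats), this Python models the behaviour rmkml and Joel describe: the client body is searched on the reassembled stream, while the packet written out with the alert is the first payload packet of the session, so the logged packet need not contain the matched content. The request and form body are constructed, modelled on the POST above and on rmkml's "a=b&passwd=example"; the second segment set assumes the token itself straddles the segment boundary.

```python
import re

# Constructed sample, not a real capture: request line and headers modelled on
# the thread's POST, followed by a form body modelled on "a=b&passwd=example".
HEADERS = (
    b"POST /api/login/platintanium HTTP/1.1\r\n"
    b"Host: www.reddit.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 18\r\n"
    b"\r\n"
)
BODY = b"a=b&passwd=example"
SEGMENTS = [HEADERS, BODY]                      # headers in segment 1, body in segment 2
SEGMENTS_SPLIT_TOKEN = [HEADERS + b"a=b&pass", b"wd=example"]  # "passwd=" straddles segments


def client_body(stream: bytes) -> bytes:
    """Return the request body (what http_client_body inspects) from a reassembled stream."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return b""
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
    length = int(m.group(1)) if m else len(rest)
    return rest[:length]


def per_packet_hits(segments, needle: bytes):
    """Indexes of individual segments whose raw payload contains needle (case-insensitive, like nocase)."""
    return [i for i, seg in enumerate(segments) if needle.lower() in seg.lower()]


def reassembled_hit(segments, needle: bytes) -> bool:
    """True when needle appears in the client body of the reassembled stream."""
    return needle.lower() in client_body(b"".join(segments)).lower()


def explain_alert(segments, needle=b"passwd="):
    """Contrast where the match is made (reassembled body) with what gets logged
    (the first payload packet of the session), as described in the thread."""
    return {
        "per_packet_hits": per_packet_hits(segments, needle),
        "reassembled_hit": reassembled_hit(segments, needle),
        "logged_packet_contains_needle": needle.lower() in segments[0].lower(),
    }


if __name__ == "__main__":
    for name, segs in (("headers/body split", SEGMENTS), ("token split", SEGMENTS_SPLIT_TOKEN)):
        print(name, explain_alert(segs))
```

In both cases the rule fires on the reassembled body while the first packet shows no passwd=, which is the "FP" seen in BASE; u2spewfoo on the unified2 file is the place to check whether the rest of the session was recorded.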
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users