Snort mailing list archives

Weird double logging problem


From: Peter Bates <peter.bates () ucl ac uk>
Date: Wed, 19 Oct 2011 13:26:06 +0100


Hello all...

I've got Snort 2.9.1 in place (will try 2.9.1.1 shortly).

In testing load versus number of rules, I seem to have discovered that
I'm logging alerts twice.

I have the following simple test rule:
alert tcp any any -> any any (content:"GET /job/evil.exe ";
content:"Host: zoneseekers.com"; msg:"Test GET /job/evil.exe"; gid:1;
sid:4100005; rev:1;)

If I test:
peter:~$ wget http://zoneseekers.com/job/evil.exe
--2011-10-19 13:02:33--  http://zoneseekers.com/job/evil.exe
Resolving zoneseekers.com... 193.110.88.201
Connecting to zoneseekers.com|193.110.88.201|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2011-10-19 13:02:33 ERROR 404: Not Found.

And I've invoked snort (just to test) with:
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -A console

18 Snort rules read
    18 detection rules
    0 decoder rules
    0 preprocessor rules
18 Option Chains linked into 14 Chain Headers
0 Dynamic rules
<SNIP>
afpacket DAQ configured to passive.
Acquiring network traffic from "eth1".
<SNIP>
       --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.1 IPv6 GRE (Build 71)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
<SNIP>
Commencing packet processing (pid=7217)
Decoding Ethernet
10/19-13:24:40.389403  [**] [1:4100005:1] Test GET /job/evil.exe [**]
[Priority: 0] {TCP} 193.60.246.200:46683 -> 193.110.88.201:80
10/19-13:24:40.389406  [**] [1:4100005:1] Test GET /job/evil.exe [**]
[Priority: 0] {TCP} 193.60.246.200:46683 -> 193.110.88.201:80

It is possible we're overloading our RSPAN port - but is there any
other reason why Snort might be alerting twice?

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
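An added helper (not code from the thread or from the Snort project) for spotting the pattern shown above in `snort -A console` output: it re-joins records that were wrapped onto two lines, groups alerts by rule and 5-tuple, and flags pairs that fired within a few microseconds of each other, which points at the sensor seeing the same packet twice (a SPAN/RSPAN session mirroring both directions or both ports) rather than a genuine second match. The sample records, the year and the time window are constructed for the example.

```python
"""Flag Snort console alerts that fire twice for the same rule and flow microseconds apart."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the `snort -A console` format quoted above; the third record is a
# genuine second request (different source port) and must not be flagged.
SAMPLE = """\
10/19-13:24:40.389403  [**] [1:4100005:1] Test GET /job/evil.exe [**]
[Priority: 0] {TCP} 193.60.246.200:46683 -> 193.110.88.201:80
10/19-13:24:40.389406  [**] [1:4100005:1] Test GET /job/evil.exe [**]
[Priority: 0] {TCP} 193.60.246.200:46683 -> 193.110.88.201:80
10/19-13:25:02.100000  [**] [1:4100005:1] Test GET /job/evil.exe [**]
[Priority: 0] {TCP} 193.60.246.200:46690 -> 193.110.88.201:80
"""

ALERT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: [^\]]*\]\s+)?\[Priority: \d+\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")

def parse_alerts(text, year=2011):
    """Re-join records that were wrapped onto two lines, then parse each into a dict."""
    records = []
    for line in text.splitlines():
        if re.match(r"\d\d/\d\d-\d\d:", line):   # a timestamp starts a new record
            records.append(line)
        elif records:                           # continuation of the previous record
            records[-1] += " " + line.strip()
    alerts = []
    for m in filter(None, map(ALERT_RE.search, records)):
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append({"ts": ts, "rule": (int(m["gid"]), int(m["sid"]), int(m["rev"])),
                       "flow": (m["proto"], m["src"], m["dst"]), "msg": m["msg"]})
    return alerts

def find_duplicates(alerts, window_us=1000):
    """Return (earlier, later) pairs with the same rule and 5-tuple fired within window_us.
    A gap of a few microseconds means the same packet reached the sensor twice."""
    by_key = defaultdict(list)
    for a in alerts:
        by_key[(a["rule"], a["flow"])].append(a)
    window = timedelta(microseconds=window_us)
    dups = []
    for group in by_key.values():
        group.sort(key=lambda a: a["ts"])
        dups += [(p, c) for p, c in zip(group, group[1:]) if c["ts"] - p["ts"] <= window]
    return dups
```

Run against a real console log, a pair count close to the total alert count means every packet is arriving twice, which is a mirror-port configuration problem rather than a rule problem.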


Snort-users mailing list