Snort mailing list archives
Re: Weird double logging problem
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Wed, 19 Oct 2011 08:42:26 -0400
There is a small difference in the time of those 2 alerts. I would take a tcpdump of your test to make sure you really are not sending 2 requests. Especially since the file is not actually there.

On Wed, Oct 19, 2011 at 8:26 AM, Peter Bates <peter.bates () ucl ac uk> wrote:

Hello all...

I've got Snort 2.9.1 in place (will try 2.9.1.1 shortly). In testing load versus number of rules, I seem to have discovered that I'm logging alerts twice.

I have the following simple test rule:

alert tcp any any -> any any (content:"GET /job/evil.exe "; content:"Host: zoneseekers.com"; msg:"Test GET /job/evil.exe"; gid:1; sid:4100005; rev:1;)

If I test:

peter:~$ wget http://zoneseekers.com/job/evil.exe
--2011-10-19 13:02:33-- http://zoneseekers.com/job/evil.exe
Resolving zoneseekers.com... 193.110.88.201
Connecting to zoneseekers.com|193.110.88.201|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2011-10-19 13:02:33 ERROR 404: Not Found.

And I've invoked snort (just to test) with:

/usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -A console

18 Snort rules read
18 detection rules
0 decoder rules
0 preprocessor rules
18 Option Chains linked into 14 Chain Headers
0 Dynamic rules
<SNIP>
afpacket DAQ configured to passive.
Acquiring network traffic from "eth1".
<SNIP>
--== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.1 IPv6 GRE (Build 71)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
<SNIP>
Commencing packet processing (pid=7217)
Decoding Ethernet

10/19-13:24:40.389403 [**] [1:4100005:1] Test GET /job/evil.exe [**] [Priority: 0] {TCP} 193.60.246.200:46683 -> 193.110.88.201:80
10/19-13:24:40.389406 [**] [1:4100005:1] Test GET /job/evil.exe [**] [Priority: 0] {TCP} 193.60.246.200:46683 -> 193.110.88.201:80

It is possible we're overloading our RSPAN port - but is there any other reason why Snort might be alerting twice?
--
Peter Bates
Senior Computer Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049
Internal Ext: 32049
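Added example, not code from the thread or from the Snort project: a small Python script that parses Snort `-A console` alert lines like the two quoted above and flags pairs that fire for the same rule and the same 5-tuple within a short window, which is the pattern a mirrored or duplicated packet produces, as opposed to a second request on a fresh connection. The two thread lines are reused as-is; the third alert line, the 1 ms window and the function names are constructed assumptions.

```python
import re

# One Snort "-A console" alert line, in the layout shown in the thread above.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6}) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: [^\]]+\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[0-9a-fA-F.:]+):(?P<sport>\d+) -> "
    r"(?P<dst>[0-9a-fA-F.:]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Return (key, date, microseconds-of-day) for an alert line, else None."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None  # banner, <SNIP>, stats lines etc. are skipped
    d = m.groupdict()
    date, clock = d["ts"].split("-")
    h, mi, s = clock.split(":")
    sec, frac = s.split(".")
    micros = (int(h) * 3600 + int(mi) * 60 + int(sec)) * 1_000_000 + int(frac)
    # Same rule and same 5-tuple: the source port pins it to one TCP connection.
    key = (d["gid"], d["sid"], d["rev"], d["proto"],
           d["src"], d["sport"], d["dst"], d["dport"])
    return key, date, micros


def find_duplicate_alerts(lines, window_us=1000):
    """Flag consecutive alerts with identical key closer than window_us (same day)."""
    parsed = [p for p in map(parse_alert, lines) if p]
    parsed.sort(key=lambda p: (p[1], p[2]))
    dups = []
    for (k1, d1, t1), (k2, d2, t2) in zip(parsed, parsed[1:]):
        if k1 == k2 and d1 == d2 and t2 - t1 <= window_us:
            # Microseconds apart on one connection: the same request seen twice
            # (e.g. a SPAN/RSPAN session mirroring both directions), not two GETs.
            dups.append((k1[1], k1[4], k1[5], k1[6], k1[7], t2 - t1))
    return dups


SAMPLE_LINES = [
    # The two alert lines from the thread: same sid, same connection, 3 us apart.
    "10/19-13:24:40.389403 [**] [1:4100005:1] Test GET /job/evil.exe [**] [Priority: 0] {TCP} 193.60.246.200:46683 -> 193.110.88.201:80",
    "10/19-13:24:40.389406 [**] [1:4100005:1] Test GET /job/evil.exe [**] [Priority: 0] {TCP} 193.60.246.200:46683 -> 193.110.88.201:80",
    # Constructed: a genuine second wget five seconds later on a new source port.
    "10/19-13:24:45.120001 [**] [1:4100005:1] Test GET /job/evil.exe [**] [Priority: 0] {TCP} 193.60.246.200:46690 -> 193.110.88.201:80",
    "Commencing packet processing (pid=7217)",
]

if __name__ == "__main__":
    for sid, src, sport, dst, dport, delta in find_duplicate_alerts(SAMPLE_LINES):
        print(f"sid {sid}: {src}:{sport} -> {dst}:{dport} alerted twice, {delta} us apart")
```

Run it against a saved console log (`python dupcheck.py < alerts.log` after swapping `SAMPLE_LINES` for `sys.stdin`) to count how many of your alerts are microsecond-spaced pairs; a tcpdump on the sensor interface then shows whether the packet itself arrives twice.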