Snort mailing list archives

Re: Decoder Alerts (config options ignored?)


From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 24 Jan 2012 10:13:07 -0500

On Fri, Jan 20, 2012 at 8:29 PM, Code Six <code.c6 () gmail com> wrote:

Sorry, forgot to hit Reply All :)

I have one configuration file specified, snort.conf.

I have a BPF configuration file specified and that is all that is
included in the startup.

Snort is started with the following:

snort -vv -D -q -u snort -g snort -c /etc/snort/rules/snort.conf -i $INT
-F /etc/snort/excludes/excludes.config

I put the --snaplen 1518 in there to get rid of some of the noise generated
by the decoder alerts due to it ignoring the disable_decode_alerts
configuration item.



I have 3 sensors: 2 are on Ubuntu and 1 on Debian.

The Debian sensor doesn't appear to have these issues but is running
2.9.0.5 at this time.

The Ubuntu sensors were upgraded to 2.9.2.0; I have reverted them back to
2.8.6.1 as I have been unsuccessful at determining why that configuration
line is being ignored.

Both Ubuntu sensors operate independently of each other and have their own
configs.

The Debian server also operates independently of the other two and has its
own config.

There are not multiple configs unless the installation when started reads
a default location unknown to me other than the one specified by -c in the
startup.

There is only one snort.conf in the location specified on both servers.

I find it extremely odd that not one, but both Ubuntu servers are
experiencing this issue.

This issue occurs regardless of compiling with
--enable-decoder-preprocessor-rules or not.

I can disable all rules in the rules directory and in the configuration
file, and this issue still occurs.

Even starting it manually without the above options, this still occurs.

I am quite perplexed. I'm ready to upgrade my hardware and throw Debian or
Red Hat on the new boxes and start over.


What's even more crazy is the following from the initialization output:

Jan 19 14:35:12 ids1 snort[24319]: 13391 Snort rules read
Jan 19 14:35:12 ids1 snort[24319]:     13138 detection rules
Jan 19 14:35:12 ids1 snort[24319]:     0 decoder rules
Jan 19 14:35:12 ids1 snort[24319]:     253 preprocessor rules
Jan 19 14:35:12 ids1 snort[24319]: 13391 Option Chains linked into 735 Chain Headers
Jan 19 14:35:12 ids1 snort[24319]: 0 Dynamic rules
Jan 19 14:35:12 ids1 snort[24319]: +++++++++++++++++++++++++++++++++++++++++++++++++++



Notice 0 decoder rules loaded?

But yet I still get these:

Jan 19 14:35:31 neo-edgeids1 snort[24320]: (snort_decoder) WARNING: Experimental Tcp Options found
Jan 19 14:35:31 neo-edgeids1 snort[24320]: (snort_decoder) WARNING: Experimental Tcp Options found
Jan 19 14:35:31 neo-edgeids1 snort[24320]: (snort_decoder) WARNING: Experimental Tcp Options found

And I had to suppress everything else; I suppressed the entire listing of
decoder rules because the config option to disable them isn't working.

Now if what you are saying is I can't have two config lines in the startup
command from any option, -c (config), -F (bpf) or anything, then that should
be explicitly stated in the manual.

As the manual reads "multiple configs" as though it means multiple
"snort.conf" or base configuration files.


Yes, it means multiple snort.conf type configs.  The -F <bpf> is entirely
different.

Do you have "config autogenerate_preprocessor_decoder_rules" enabled?

Check your logs for "Generating OTN for GID: 116, SID: XXX" messages.



Please clarify!

Thank you,

A. A. Smith




On Fri, Jan 20, 2012 at 4:52 PM, Russ Combs <rcombs () sourcefire com> wrote:

This is in the manual (section 2.10.2) and in README.multipleconfigs:

The following config options are specific to each configuration. If not
defined in a configuration, the default values of the option (not the
default configuration values) take effect.

config checksum_drop
config disable_decode_alerts
config disable_decode_drops
config disable_ipopt_alerts
config disable_ipopt_drops
config disable_tcpopt_alerts
config disable_tcpopt_drops
config disable_tcpopt_experimental_alerts
config disable_tcpopt_experimental_drops
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_obsolete_drops
config disable_ttcp_alerts
config disable_tcpopt_ttcp_alerts
config disable_ttcp_drops

Are you saying that is not working for you?

On Fri, Jan 20, 2012 at 1:34 PM, Jefferson, Shawn <
Shawn.Jefferson () bcferries com> wrote:

There has been a bug in Snort for quite a while when you are using
multiple configs: the disable_decode stuff is ignored for the extra configs
(only seems to be respected for the default/main config).  I don't know if
that has been fixed in the latest version?

From: Code Six [mailto:code.c6 () gmail com]
Sent: Thursday, January 19, 2012 10:42 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Decoder Alerts (config options ignored?)


The last time I e-mailed in about this I don't believe I received a
response and I ended up simply reverting back to the older version that
worked fine.
Well, I've attempted to upgrade again - from 2.8.6.1 to 2.9.2

Here's the issue:
Even with the following set:


config disable_decode_alerts
config checksum_mode: noudp noip notcp
config disable_tcpopt_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_ipopt_alerts

I'm still getting the full list of decoder alerts in my traffic.

I start snort with the following options:
-vv -D -q -u snort -g snort -c /etc/snort/rules/snort.conf -i $INT -F
/etc/snort/excludes/excludes.config --snaplen 1518

The snaplen set to 1518 seems to help with one particular alert
(WARNING: IP dgm len > captured len), but I have had to suppress all the
decoder alerts.
The one I can't get rid of is WARNING: Experimental Tcp Options found,
even though that also is disabled in the config.

This is on an Ubuntu machine (Lucid) 10.04.

Snort was configured with the following options:
./configure --enable-64bit-gcc --enable-ipv6 --enable-ppm
--enable-perfprofiling --enable-linux-smp-stats --enable-pthread
--enable-ppm-test --enable-reload --with-mysql --enable-large-pcap
--enable-decoder-preprocessor-rules --enable-dynamicplugin

Any insight is appreciated as I'm likely just missing something
obvious.

Thank you!

A.


------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
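Russ's two checks above (which disable_* options the config really sets, and whether the logs contain "Generating OTN for GID: 116" lines) can be scripted. The following is an added triage helper written for this thread; it is not Snort code and not anything the posters ran. It parses a constructed snort.conf fragment made of the options quoted in the thread plus the autogenerate option Russ asks about, and a constructed syslog sample modelled on the lines quoted above (the OTN line follows the format in Russ's hint and its SID value is a made-up sample). The WARNING_TO_OPTION mapping of warning text to the option expected to silence it is an assumption covering only the two warnings named in the thread.

```python
"""Triage helper for the decoder-alert problem discussed in this thread.

Added example, not Snort's own code. It reports decoder warnings that are
logged although the option meant to silence them is set in the config.
"""
import re
from collections import Counter

# Constructed snort.conf fragment: the options quoted in the thread plus the
# autogenerate option Russ asks about. Not the poster's actual file.
SAMPLE_CONF = """\
# decoder alert tuning (constructed sample)
config disable_decode_alerts
config checksum_mode: noudp noip notcp
config disable_tcpopt_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_ipopt_alerts
config autogenerate_preprocessor_decoder_rules
"""

# Constructed syslog sample modelled on the thread's lines. The OTN line uses
# the format from Russ's hint; its SID is a made-up sample value.
SAMPLE_LOG = """\
Jan 19 14:35:12 ids1 snort[24319]: 13391 Snort rules read
Jan 19 14:35:12 ids1 snort[24319]:     0 decoder rules
Jan 19 14:35:12 ids1 snort[24319]: Generating OTN for GID: 116, SID: 58
Jan 19 14:35:31 neo-edgeids1 snort[24320]: (snort_decoder) WARNING: Experimental Tcp Options found
Jan 19 14:35:31 neo-edgeids1 snort[24320]: (snort_decoder) WARNING: Experimental Tcp Options found
Jan 19 14:35:32 neo-edgeids1 snort[24320]: (snort_decoder) WARNING: IP dgm len > captured len
"""

# Assumed mapping: which disable option should silence which warning text.
# Covers only the two warnings named in the thread; extend as needed.
WARNING_TO_OPTION = {
    "Experimental Tcp Options found": "disable_tcpopt_experimental_alerts",
    "IP dgm len > captured len": "disable_decode_alerts",
}

CONFIG_RE = re.compile(r"^config\s+(\S+?)(?::.*)?$")
DECODER_RULES_RE = re.compile(r":\s+(\d+) decoder rules\s*$")
OTN_RE = re.compile(r"Generating OTN for GID: (\d+), SID: (\d+)")
WARNING_RE = re.compile(r"\(snort_decoder\) WARNING: (.+?)\s*$")


def parse_conf_options(conf_text):
    """Return the disable_* options set and whether autogenerate is enabled."""
    disable_options = set()
    autogenerate = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CONFIG_RE.match(line)
        if not m:
            continue
        name = m.group(1)  # option keyword, without any ": value" part
        if name.startswith("disable_"):
            disable_options.add(name)
        elif name == "autogenerate_preprocessor_decoder_rules":
            autogenerate = True
    return {"disable_options": disable_options,
            "autogenerate_preprocessor_decoder_rules": autogenerate}


def summarize_log(log_text):
    """Extract the decoder-rule count, GID 116 OTN SIDs and a warning tally."""
    summary = {"decoder_rules_read": None, "otn_gid116_sids": [],
               "decoder_warnings": Counter()}
    for line in log_text.splitlines():
        m = DECODER_RULES_RE.search(line)
        if m:
            summary["decoder_rules_read"] = int(m.group(1))
            continue
        m = OTN_RE.search(line)
        if m and int(m.group(1)) == 116:
            summary["otn_gid116_sids"].append(int(m.group(2)))
            continue
        m = WARNING_RE.search(line)
        if m:
            summary["decoder_warnings"][m.group(1)] += 1
    return summary


def diagnose(conf_text, log_text):
    """List decoder warnings that fire although the matching option is set."""
    conf = parse_conf_options(conf_text)
    log = summarize_log(log_text)
    findings = []
    for msg, count in log["decoder_warnings"].items():
        opt = WARNING_TO_OPTION.get(msg)
        if opt and opt in conf["disable_options"]:
            findings.append(f"'{msg}' logged {count}x although {opt} is set")
    if conf["autogenerate_preprocessor_decoder_rules"] and log["otn_gid116_sids"]:
        findings.append("autogenerate_preprocessor_decoder_rules is on and OTNs "
                        f"were generated for GID 116 SIDs {log['otn_gid116_sids']}")
    if log["decoder_rules_read"] == 0 and log["decoder_warnings"]:
        findings.append("0 decoder rules read, yet decoder warnings were logged")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CONF, SAMPLE_LOG):
        print(finding)
```

Run against a real deployment by reading the sensor's snort.conf and its syslog into the two text arguments of diagnose(); a non-empty findings list is the evidence Russ asks for (options set, OTNs generated for GID 116, warnings still logged) in one place.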



