Re: Can't alert on most

[Doug Burks <doug.burks () gmail com>]

Hi Michael,

You might consider installing Security Onion (based on Ubuntu 12.04
and includes Snort 2.9.5.6) in another VM and comparing it to your
existing Ubuntu VM.

http://securityonion.net

On Wed, Mar 5, 2014 at 7:45 AM, Michael Wisniewski <wiz561 () gmail com> wrote:
> Please see quoted text below for answers...
>
>
> On Tue, Mar 4, 2014 at 5:38 PM, waldo kitty <wkitty42 () windstream net> wrote:
> > On 3/4/2014 2:36 PM, Michael Wisniewski wrote:
> > > Thanks for the response.  I might try another version of Snort to see if
> > > this
> > > fixes the problem.
> >
> > doubtful since 2.9.6.0 is the latest version ;)
> >
> > the real question is if snort is seeing all the traffic AND if your
> > HOME_NET and
> > EXTERNAL_NET are set correctly for your network... [reading on] looking at
> > your
> > snort.conf, it would appear that they are "ok"...
> >
> > then the question is where did the pcap from and was it recorded with the
> > same
> > IPs as your settings...
>
>
> The pcap was taken in the virtual machine that snort is running on.
> Basically, same machine and name NIC that snort captures traffic on.
>
> > > My concern is that since it's my first and new install of
> > > Snort and it's in a virtual environment, something strange is going on
> > > with the
> > > packets because 99% of the time, it's something I'm doing wrong and it's
> > > not the
> > > product thats the problem.
> >
> > VMs bring a whole other aspect which can cause problems in a lot of
> > situations... we see them with the firewall i support when folks set up
> > their
> > VMs and share one physical NIC for all their interfaces... in this case,
> > it is
> > possible that there is a backdoor path that allows traffic to go around
> > the
> > firewall instead of through it... trying to explain this to folks can be
> > troublesome but when they finally set it up on real iron, they can see
> > things
> > working like they should... that's generally when the bulb lights and they
> > see
> > the errors in the light ;)
>
>
> I totally understand.  This is why I originally wrote here and decided to
> take the pcap.  I was afraid that traffic may not be getting seen by the
> snort box.  I figured that if I took the pcap and had somebody else check
> it, I could narrow down if it's the virtual machine or if it's snort.  Since
> others have shows the proper snort alerts on my pcap, I am guessing it's
> something to do with the snort config.  More on this later...
>
> > > I ended up taking a tcpdump on the interface from the box I have snort
> > > running
> > > on and then completing a nikto scan from an outside IP.  Snort didn't
> > > identify
> > > much....  Basically, the following was found:
> > >
> > > stream5: Data sent on stream after TCP Reset
> > > http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
> > > http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
> > > http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
> > > http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
> > > http_inspect: UNKNOWN METHOD
> > > Snort Alert [119:33:1]
> > > http_inspect: LONG HEADER
> > >
> > > I even read the pcap into snort and found the same alerts.
> >
> > that's to be expected since snort sees the same things that tcpdump has
> > recorded... again, though, there's something in the settings or in the
> > compile
> > that isn't what probably should be...
> >
> > now that i've mentioned the compile, did you compile this snort yourself?
> > what
> > OS are you running it on? what parameters did you use when you compiled it
> > if
> > you did?
>
>
> I did compile Snort myself.  I just used './configure' without any options.
> I'm running it on Ubuntu 12.04 x86_64 with everything patched and up to
> date.  I tried the snort version in the Ubuntu repo, but it's a little
> outdated...and I want to say I can't even get the latest rules for it
> anymore.
>
> [...]
> > > My point was that Snort is actually seeing some stuff, but is missing
> > > almost
> > > everything important.  I'll attach two files below; me reading the pcap
> > > in
> > > snort and my snort.conf file.  If somebody can suggest anything, that
> > > would
> > > be great.
> >
> > a quick look showed nothing out of sorts but it was very quick... i may be
> > able
> > to get some time later to study it further but i've been on 48 hour days
> > for a
> > while (up from 36 hour days) and there's still not enough time to get
> > everything
> > done ;) %) :lol:
> >
> > anyway, hopefully someone else will also take a look and possibly find
> > something... you might want to take a look at virustotal's stuff again and
> > see
> > if they offer a way of comparing the confs... i don't know as i've not
> > used that
> > service of their's...
>
>
> Any light that might be shed on this problem would be great.  I have a
> feeling that I'm getting closer trying to solve it.  I am thinking that
> somehow pulledpork isn't putting all the rules inside of snort.  With the
> assistance of another member on the list, I took a closer look at the
> pulledpork responses and noticed that only 6k alerts are getting put in
> while 15k are disabled.  For whatever reason, pulledpork isn't enabling
> rules when I was running it.  I edited the /etc/snort/rules/snort.rules file
> and uncommented out all the disabled rules.  Snort now sees ~20k rules
> enabled, but it's still not flagging them.
>
> This is making me wonder if the rules are disabled somewhere else, or if
> Snort may not be able to use them because a prerequisite decoder can't be
> found.
>
>
> Thanks all for the help and assistance.
>
>
>
>
>
> > --
> > NOTE: No off-list assistance is given without prior approval.
> >        Please keep mailing list traffic on the list unless
> >        private contact is specifically requested and granted.
> >
> >
> > ------------------------------------------------------------------------------
> > Subversion Kills Productivity. Get off Subversion & Make the Move to
> > Perforce.
> > With Perforce, you get hassle-free workflows. Merge that actually works.
> > Faster operations. Version large binaries.  Built-in WAN optimization and
> > the
> > freedom to use Git, Perforce or both. Make the move to Perforce.
> >
> > http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort
> > news!
>
>
>
> ------------------------------------------------------------------------------
> Subversion Kills Productivity. Get off Subversion & Make the Move to
> Perforce.
> With Perforce, you get hassle-free workflows. Merge that actually works.
> Faster operations. Version large binaries.  Built-in WAN optimization and
> the
> freedom to use Git, Perforce or both. Make the move to Perforce.
> http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!



-- 
Doug Burks

------------------------------------------------------------------------------
Subversion Kills Productivity. Get off Subversion & Make the Move to Perforce.
With Perforce, you get hassle-free workflows. Merge that actually works. 
Faster operations. Version large binaries.  Built-in WAN optimization and the
freedom to use Git, Perforce or both. Make the move to Perforce.
http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!