Snort mailing list archives

Re: SWF/PDF Decompression


From: "Simon Wesseldine" <simon.wesseldine () idappcom com>
Date: Fri, 18 Dec 2015 11:57:38 -0000

Thanks, Carter, for your reply; your answer was in fact right on the money.

I am building from source, but I had forgotten one important piece of the
jigsaw puzzle. I was originally using the Debian 'Jessie' operating system,
but had recently replaced it with the Lite version of 'Jessie', which it
appears does not come with the lzma-dev package. I wasn't aware of that.

Peace and calm are now restored :-)

Best regards,
Simon.



-----Original Message-----
From: snort-devel-request () lists sourceforge net
[mailto:snort-devel-request () lists sourceforge net] 
Sent: 18 December 2015 11:10
To: snort-devel () lists sourceforge net
Subject: Snort-devel Digest, Vol 113, Issue 14


Today's Topics:

   1. SWF/PDF Decompression (Simon Wesseldine)
   2. Re: SWF/PDF Decompression (Carter Waxman (cwaxman))
   3. Re: Large Packet Drop with SNort-2.9.80 as compared to
      Snort-2.9.7.6 (Dheeraj Gupta)


----------------------------------------------------------------------

Message: 1
Date: Thu, 17 Dec 2015 09:18:50 -0000
From: "Simon Wesseldine" <simon.wesseldine () idappcom com>
Subject: [Snort-devel] SWF/PDF Decompression
To: <snort-devel () lists sourceforge net>
Message-ID: <002101d138ab$f19a4f40$d4ceedc0$@wesseldine () idappcom com>
Content-Type: text/plain; charset="us-ascii"

Hi,

Has anybody else run into problems with version 2.9.8.0 and PDF/SWF
decompression?

I am getting an error when running a configuration file that contains these
keywords:

decompress_swf
decompress_pdf

Snort will not load and I get an error pointing to these keywords being
included.

If I remove the keywords, then Snort will load fine.

My configuration file was working in the previous version of Snort.

I am using 'extended_response_inspection' as well.

Best regards,

Simon.

------------------------------

Message: 2
Date: Thu, 17 Dec 2015 14:16:28 +0000
From: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Subject: Re: [Snort-devel] SWF/PDF Decompression
To: Simon Wesseldine <simon.wesseldine () idappcom com>,
        "snort-devel () lists sourceforge net"
        <snort-devel () lists sourceforge net>
Message-ID: <D2982D0C.311E0%cwaxman () cisco com>
Content-Type: text/plain; charset="us-ascii"

Hi Simon,

Are you installing from source or an rpm? You need to have the LZMA
development libraries on your system when building to use these options
(usually packaged as lzma-dev or lzma-devel).

Thanks,
Carter

From: Simon Wesseldine <simon.wesseldine () idappcom com>
Date: Thursday, December 17, 2015 at 4:18 AM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] SWF/PDF Decompression

Hi,
Has anybody else run into problems with version 2.9.8.0 and PDF/SWF
decompression?
I am getting an error when running a configuration file that contains these
keywords:

decompress_swf
decompress_pdf

Snort will not load and I get an error pointing to these keywords being
included.
If I remove the keywords, then Snort will load fine.

My configuration file was working in the previous version of Snort.
I am using 'extended_response_inspection' as well.

Best regards,
Simon.

------------------------------

Message: 3
Date: Fri, 18 Dec 2015 16:39:59 +0530
From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Subject: Re: [Snort-devel] Large Packet Drop with SNort-2.9.80 as
        compared to Snort-2.9.7.6
To: "Nageswara Rao A.V.K (navk)" <navk () cisco com>
Cc: "snort-devel () lists sourceforge net"
        <snort-devel () lists sourceforge net>
Message-ID:
        <CAOsL98NQVvw7CBqnktXbD0uVe+0e1vWcx0GHaFeoiF-9rmchYA () mail gmail com>
Content-Type: text/plain; charset="utf-8"

Hi,

I am also confused about the drop count. This is what I got after a separate
brief snort run (on a different machine):

===============================================================================
Run time for packet processing was 497.799669 seconds
Snort processed 7139620 packets.
Snort ran for 0 days 0 hours 8 minutes 17 seconds
   Pkts/min:       892452
   Pkts/sec:        14365
===============================================================================
Packet I/O Totals:
   Received:     14977160
   Analyzed:      7139620 ( 47.670%)
    Dropped:     11666105 ( 43.786%)
   Filtered:      7046472 ( 47.048%)
Outstanding:       791068 (  5.282%)
   Injected:            0
===============================================================================

The totals and percentages do not tally. Can someone explain how filtered,
received, analyzed and dropped numbers should be interpreted?

Regards,
Dheeraj

On Thu, Dec 17, 2015 at 11:46 AM, Dheeraj Gupta <dheeraj.gupta4 () gmail com>
wrote:

Hi,

The test was run for the same PCAP so the number of packets is the same in
both cases (9220233). The packet I/O totals as output by the two Snorts are:

Snort-2.9.8.0
------------------------

===============================================================================
Run time for packet processing was 783.512468 seconds
Snort processed 9220233 packets.
Snort ran for 0 days 0 hours 13 minutes 3 seconds
   Pkts/min:       709248
   Pkts/sec:        11775
===============================================================================

===============================================================================
Packet I/O Totals:
   Received:      9220233
   Analyzed:      9220233 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================

Snort-2.9.7.6
-----------------------

===============================================================================
Run time for packet processing was 547.131014 seconds
Snort processed 9220233 packets.
Snort ran for 0 days 0 hours 9 minutes 7 seconds
   Pkts/min:      1024470
   Pkts/sec:        16856
===============================================================================

===============================================================================
Packet I/O Totals:
   Received:      9220233
   Analyzed:      9220233 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================

Again, as the test is against a static PCAP, there will be no drops.
However, in this test Snort-2.9.8.0 is almost 30% slower (processes
about 11.7K pkts/s as against 16.8K pkts/s) than Snort-2.9.7.6. When
used with live traffic, wouldn't this cause increased packet drops?

Regards,
Dheeraj

On Wed, Dec 16, 2015 at 8:02 PM, Nageswara Rao A.V.K (navk) <navk () cisco com> wrote:

You did not provide "Packet I/O Totals:" for this test.

We have to compare that data.

I don't think the previous stats will be applicable here,
because the number of pkts is different here.

Best Regards,

-ANR



From: Dheeraj Gupta [mailto:dheeraj.gupta4 () gmail com]
Sent: Wednesday, December 16, 2015 5:16 PM
To: Nageswara Rao A.V.K (navk)
Cc: snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] Large Packet Drop with SNort-2.9.80 as
compared to Snort-2.9.7.6



Hi,

I captured a large PCAP (6.6G, ~9M packets) and analyzed it through both
Snort-2.9.7.6 and 2.9.8.0 with almost identical configuration files
(memcap etc.). Since SO rules for Snort-2.9.7.6 cannot be used with
2.9.8.0, the number of rules for 2.9.8.0 was lower (about 11k) than for
2.9.7.6 (12k).

Here is a summary of end-of-run stats.

Snort-2.9.7.6

===============================================================================
Run time for packet processing was 547.131014 seconds
Snort processed 9220233 packets.
Snort ran for 0 days 0 hours 9 minutes 7 seconds
   Pkts/min:      1024470
   Pkts/sec:        16856
===============================================================================

Snort-2.9.8.0

===============================================================================
Run time for packet processing was 783.512468 seconds
Snort processed 9220233 packets.
Snort ran for 0 days 0 hours 13 minutes 3 seconds
   Pkts/min:       709248
   Pkts/sec:        11775
===============================================================================

snort.conf is attached



On Tue, Dec 15, 2015 at 10:03 AM, Dheeraj Gupta <dheeraj.gupta4 () gmail com> wrote:

Hi,

The traffic is captured from a live interface, so it is not exactly the same.
However, it is from the same network and same network filter over a
contiguous time range. So, characteristics of the traffic are broadly
the same, i.e. most of it is user browsing data. The reason I wrote
this e-mail is because on a weekday we have an average 100-150 Mbps
on the wire and Snort-2.9.7.6 reported fewer losses (<10%). However,
Snort-2.9.8.0 reported over 40% drops with comparable traffic load/pattern.

Snort logs do not have any additional entry apart from session pruned 
due to timeout/stale (same in both cases).

Regards,

Dheeraj



On Tue, Dec 15, 2015 at 8:43 AM, Nageswara Rao A.V.K (navk) <navk () cisco com> wrote:

Hi Dheeraj,

   We need more info to get to a conclusion.

Are you passing the same traffic in both scenarios?

Did you verify the Snort logs?

You may know the reason for pkt drops.

We did not notice these problems in our observation.

More details may help us to analyze the problem.

Best Regards,

-ANR



From: Dheeraj Gupta [mailto:dheeraj.gupta4 () gmail com]
Sent: Monday, December 14, 2015 11:30 AM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] Large Packet Drop with SNort-2.9.80 as
compared to Snort-2.9.7.6



Hi,

I just upgraded to Snort-2.9.8.0 from Snort-2.9.7.6. Before the
upgrade one of my sensors showed (somewhat expected) packet drops.
However, after the upgrade the packet drop increased significantly
even though the number of rules decreased (as SO rules are not in use
with 2.9.8.0). I am still using Snort-2.9.7.6 rulesets (as advised by you).

Here is a snip from my snort.stats file for 2.9.8.0

#time,pkt_drop_percent,wire_mbits_per_sec.realtime
1450068900,33.873,124.415
1450069200,23.718,121.253
1450069500,26.014,120.349
1450069800,26.368,120.821
1450070100,23.706,116.493
1450070400,21.039,121.363

For Snort-2.9.7.6, the snip is
#time,pkt_drop_percent,wire_mbits_per_sec.realtime
1450071180,0.000,79.159
1450071480,0.000,118.671
1450071780,2.146,132.186
1450072080,8.337,130.408



Looking at the end-of-run Snort stats, this is for 2.9.8.0:

Packet I/O Totals:
   Received:    804563792
   Analyzed:    388361098 ( 48.270%)
    Dropped:    298207658 ( 27.042%)
   Filtered:    415840607 ( 51.685%)
Outstanding:       362087 (  0.045%)
   Injected:            0

And this is for 2.9.7.6:

Packet I/O Totals:
   Received:     60969886
   Analyzed:     30035104 ( 49.262%)
    Dropped:       742645 (  1.203%)
   Filtered:     30927585 ( 50.726%)
Outstanding:         7197 (  0.012%)
   Injected:            0

I have a longish BPF filter, so is the filtered count an indication 
of the amount of traffic which was filtered by that filter?

Also, is the dropped count a subset of the analyzed count or the received
count? I ask this because it appears that

received_count = analyzed + filtered

so dropped_count doesn't really fit in.



Regards,

Dheeraj
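
An added example, not part of the thread above: the arithmetic that all of the "Packet I/O Totals" blocks quoted in this digest actually follow. In every block, Analyzed + Filtered + Outstanding equals Received exactly, and the printed percentages are reproduced when Analyzed, Filtered and Outstanding are taken against Received while Dropped is taken against Received + Dropped. That is consistent with Dropped being a separate DAQ counter for packets the capture layer lost before Snort ever received them, rather than a subset of Received. The Python script below (written for this page, with the thread's own two summaries embedded as sample input) parses a summary block, checks that identity, recomputes the percentages and adds the one figure Snort does not print: the share of wire traffic that was actually analyzed.

```python
"""Check the arithmetic behind Snort 2.9 'Packet I/O Totals' summaries.

Added example for this thread, not Snort project code. Reproduces the
percentages Snort prints and checks the counter identity that holds in
every block quoted above.
"""
import re
from typing import Dict

# Sample inputs: two summaries quoted in the thread above (the 2.9.8.0 sensor
# run, and the 8-minute run whose numbers "do not tally").
SENSOR_RUN_2980 = """\
Packet I/O Totals:
   Received:    804563792
   Analyzed:    388361098 ( 48.270%)
    Dropped:    298207658 ( 27.042%)
   Filtered:    415840607 ( 51.685%)
Outstanding:       362087 (  0.045%)
   Injected:            0
"""

SHORT_RUN = """\
Packet I/O Totals:
   Received:     14977160
   Analyzed:      7139620 ( 47.670%)
    Dropped:     11666105 ( 43.786%)
   Filtered:      7046472 ( 47.048%)
Outstanding:       791068 (  5.282%)
   Injected:            0
"""

COUNTER_RE = re.compile(
    r"^\s*(Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+(\d+)",
    re.MULTILINE,
)
REQUIRED = ("received", "analyzed", "dropped", "filtered", "outstanding")


def parse_io_totals(text: str) -> Dict[str, int]:
    """Extract the raw counters from a 'Packet I/O Totals' block."""
    counts = {m.group(1).lower(): int(m.group(2)) for m in COUNTER_RE.finditer(text)}
    missing = [k for k in REQUIRED if k not in counts]
    if missing:
        raise ValueError(f"summary is missing counters: {missing}")
    return counts


def pct(part: int, whole: int) -> float:
    """Percentage rounded to the three decimals Snort prints; 0.0 for an empty run."""
    return round(100.0 * part / whole, 3) if whole else 0.0


def account(counts: Dict[str, int]) -> Dict[str, object]:
    """Relate the counters to one another.

    Two denominators are in play:
      * Received is what the DAQ handed to Snort; Analyzed, Filtered and
        Outstanding partition it, so Received == Analyzed + Filtered + Outstanding.
      * Dropped is what the capture layer discarded before Snort saw it, and is
        reported against Received + Dropped (everything that was on the wire).
    """
    received = counts["received"]
    dropped = counts["dropped"]
    handled = counts["analyzed"] + counts["filtered"] + counts["outstanding"]
    on_wire = received + dropped
    return {
        "received_balances": handled == received,
        "analyzed_pct": pct(counts["analyzed"], received),
        "filtered_pct": pct(counts["filtered"], received),
        "outstanding_pct": pct(counts["outstanding"], received),
        "dropped_pct": pct(dropped, on_wire),
        # Share of wire traffic that actually reached rule evaluation: the
        # figure to watch when sizing a sensor, and one Snort does not print.
        "analyzed_pct_of_wire": pct(counts["analyzed"], on_wire),
    }


def summarize(text: str) -> Dict[str, object]:
    """Parse a summary block and return the derived accounting."""
    return account(parse_io_totals(text))


if __name__ == "__main__":
    for name, block in (("2.9.8.0 sensor run", SENSOR_RUN_2980), ("8-minute run", SHORT_RUN)):
        print(name, summarize(block))
```

Run against the 8-minute summary, the script confirms that Received balances, reproduces 43.786% dropped and 47.670% analyzed, and shows that only about 27% of the packets on the wire were actually analyzed, because the two printed percentages use different denominators.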








------------------------------

------------------------------

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel


End of Snort-devel Digest, Vol 113, Issue 14
********************************************


Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
