Snort mailing list archives

Re: why UDP disc acquire?


From: Andrey Kiryukhin <andrei_1980 () mail ru>
Date: Sat, 25 Jun 2016 12:01:58 +0300

Why do you think the UDP packets are malformed? Tools like Wireshark, tcpdump
and tcpreplay handle them correctly. These packets only have a wrong
checksum, but I disabled checksum control in Snort using the option "-k
none".



On 24.06.2016 19:05, Al Lewis (allewi) wrote:

It looks like snort is discarding them because they are all malformed.

Albert Lewis

QA SNORT/Sourcefire

SOURCEfire, Inc. now part of Cisco

9780 Patuxent Woods Drive
Columbia, MD 21046

Phone: (office) 443.430.7112

Email: allewi () cisco com



From: Andrei_1980 <andrei_1980 () mail ru>
Date: Friday, June 24, 2016 at 11:28 AM
To: allewi <allewi () cisco com>, 'snort-users' <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] why UDP disc acquire?

Hmm, strange. I attached the pcap to the first message. OK, reattaching it to this
message.

On 24.06.2016 18:22, Al Lewis (allewi) wrote:
Hello,

Can you provide us with the pcap or a sample of it?




From: Andrei_1980 <andrei_1980 () mail ru>
Date: Friday, June 24, 2016 at 11:06 AM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [Snort-users] why UDP disc acquire?

Hi all. I use Snort 2.9.8.2 and have a pcap file of an old attack (see
attachment). It contains only UDP packets.
I wrote a test rule:

alert udp any 500 -> any 500 (msg:"DOS Nbisakmp"; classtype:
attempted-dos; sid:1000001; rev:1;)

and run snort:

snort  -c ./etc/snort.conf -A console -K none  -k none  -r
./pcaps/DOS_Nbisakmp.pcap

and get no alerts. In the output stats I have:

...........
Packet I/O Totals:
   Received:          100
   Analyzed:          100 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
.....................

Breakdown by protocol (includes rebuilt packets):
        Eth:          100 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          100 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:          100 (100.000%)
...................
* UDP Disc:          100 (100.000%)*
  ICMP Disc:            0 (  0.000%)
All Discard:          100 (100.000%)

(full output and snort.conf: see attachment)


If I change the rule (udp to ip):

alert *ip* any 500 -> any 500 (msg:"DOS Nbisakmp"; classtype:
attempted-dos; sid:1000001; rev:1;)

all packets generate alerts.


So why are the UDP packets in the sample pcap discarded if I use the udp
protocol in the alert?
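To see what a decoder can object to in a UDP header independently of Snort's checksum setting, here is an added Python example (not code from this thread or from the Snort project): it builds three constructed port-500 frames, one clean, one with a wrong checksum and one whose UDP length field disagrees with the IP payload, and reports which check each fails. The check names and the `udp_disc` tally are this example's own labels, not Snort's internal decoder logic.

```python
import struct
from collections import Counter
def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit big-endian words (odd trailing byte padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """UDP checksum: IPv4 pseudo-header + UDP with its checksum field zeroed (0 -> 0xFFFF)."""
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp))
    return ones_complement_sum(pseudo + udp[:6] + b"\x00\x00" + udp[8:]) or 0xFFFF

def build_udp_frame(payload: bytes, bad_checksum=False, length_override=None) -> bytes:
    """Constructed Ethernet II / IPv4 / UDP 500 -> 500 frame, optionally damaged on purpose."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    udp_len = length_override if length_override is not None else 8 + len(payload)
    udp = struct.pack("!HHHH", 500, 500, udp_len, 0) + payload
    csum = udp_checksum(src, dst, udp)
    if bad_checksum:
        csum = (csum + 1) & 0xFFFF or 1  # anything but the right value, never 0
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return bytes(12) + b"\x08\x00" + ip + udp  # zeroed MACs, EtherType IPv4

def inspect_frame(frame: bytes) -> list:
    """Return the UDP header sanity problems a decoder could reject this frame for."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return ["not ipv4/udp"]
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    udp = ip[ihl:total_len]
    udp_len, udp_sum = struct.unpack("!HH", udp[4:8])
    if udp_len < 8 or udp_len != len(udp):
        return ["udp length field inconsistent with ip payload"]
    problems = []
    # a zero checksum means "not computed" and is legal for UDP over IPv4
    if udp_sum != 0 and udp_sum != udp_checksum(ip[12:16], ip[16:20], udp):
        problems.append("bad udp checksum")
    return problems

def summarize(frames) -> dict:
    """Tally per-frame problems, in the spirit of Snort's 'UDP Disc' counter."""
    reasons = Counter(p for f in frames for p in inspect_frame(f))
    return {"analyzed": len(frames), "udp_disc": sum(1 for f in frames if inspect_frame(f)),
            "reasons": dict(reasons)}
```

Running `summarize` over the frames of a real capture (after stripping pcap record headers) separates "only the checksum is wrong" from "the length field is wrong", which is the distinction this thread turns on.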

