Snort mailing list archives

Re: missing alerts: Snort does not inspect payload from the machine it's running on?


From: Claus Regelmann <rgc () rgc1 inka de>
Date: Fri, 08 Apr 2016 21:19:57 +0200

I dove into the source code and eventually found a solution that works at least in 'my' environment:
Packet errors are checked in function "Preprocess" (file decode.c).
This checking includes checksum error. If a packet comes from a local process, and is
captured before it goes on to the real HW, is there a valid checksum? It does not seem so!
I masked checksum error in "Preprocess" ... it works. Here is my (1st) patch:
-- 8< ------------ >8 --
diff -Naur snort-2.9.8.2/src/detect.c snort-2.9.8.2-cr/src/detect.c
--- snort-2.9.8.2/src/detect.c  2016-03-18 14:54:31.000000000 +0100
+++ snort-2.9.8.2-cr/src/detect.c       2016-04-08 16:04:47.000000000 +0200
@@ -199,15 +199,14 @@
  #endif

      // If the packet has errors, we won't analyze it.
-    if ( p->error_flags )
+    if ( p->error_flags & ~PKT_ERR_CKSUM_ANY ) // RgC: ignore chksum errors
      {
          // process any decoder alerts now that policy has been selected...
          DecodePolicySpecific(p);

          //actions are queued only for IDS case
          sfActionQueueExecAll(decoderActionQ);
-        DEBUG_WRAP(DebugMessage(DEBUG_DETECT,
-            "Packet errors = 0x%x, ignoring traffic!\n", p->error_flags););
+        LogMessage("RgC::detect.c:Prepocess: Packet errors = 0x%x, ignoring traffic!\n", p->error_flags);

          if ( p->error_flags & PKT_ERR_BAD_TTL )
              pc.bad_ttl++;
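Review bot: the new condition `if ( p->error_flags & ~PKT_ERR_CKSUM_ANY )` masks every checksum error class unconditionally, so packets that arrive from the wire with genuinely corrupt checksums are now inspected as well, and it duplicates a knob Snort already exposes: `-k none` / `config checksum_mode: none` (or `notcp`, `noudp`) switches checksum verification off in the decoder without a source change, and disabling TX checksum offload on the capture interface removes the root cause for traffic generated on the sensor itself. The replaced `DEBUG_WRAP` line becomes an unconditional `LogMessage` that fires for every errored packet, which will flood the log on a busy sensor; keep it under `DEBUG_WRAP` or rate-limit it. Minor: "Prepocess" in the message text is a typo, and the mail body says the check lives in decode.c while the diff header shows detect.c.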
-- 8< ------------ >8 --

Shouldn't DAQ revise this checksum problem before?

--------------
Claus Regelmann


On 03/19/2016 12:15 AM, Claus Regelmann wrote:
Hello,

my snort runs on a small ATOM-based firewall between the internet router and the internal net.

+------------- +                        +----------+
| (NAT) router | <--192.168.178.0/24--> | firewall | <--10.1.0.0/16--> privat-net
+--------------+ ^                    ^ +----------+
     192.168.178.1 +                    |192.168.178.240
                                        +-- snort listen here in passive mode

Test cases:

1.) I run 'openssl s_client ...' to connect to a Dridex-CnC. I run this twice, from an internal host and from the 
firewall.
The result is OK, two alerts:
--8< ------ >8--
      ID       < Signature >           < Timestamp >           < Source Address >      < Dest. Address >       < Layer 4 Proto >
#0-(1-90832)  [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D)        2016-03-18 03:22:19.993 192.168.178.240:40533   87.106.18.216:4483      TCP
#1-(1-90830)  [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D)        2016-03-18 03:17:02.652 10.1.1.5:53410  87.106.18.216:4483      TCP
--8< ------ >8--

2.) The router hosts a DNS-forwarder.
I run 'host 0if1nl6.org 192.168.178.1' to look up a zeus host, again from the firewall and the internal host.
But now only the query from the internal host alerts:
--8< ------ >8--
       ID      < Signature >           < Timestamp >           < Source Address >      < Dest. Address >       < Layer 4 Proto >
#0-(1-90896)  [snort] ZeuS Tracker: ZeuS CnC DNS lookup: 0if1nl6.org  2016-03-18 22:44:06.68  10.1.1.5:54346  192.168.178.1:53        UDP
--8< ------ >8--

3.) I wrote a small test rule:
      'alert tcp $HOME_NET any -> any 80 (msg:"RgC: TEST pattern found"; pcre:"/[^\/]*\/[0-9a-f]{5,8}\//U"; classtype:trojan-activity; sid:1000007; rev:1;)'.
I run 'wget http://...../abcdef01/zzz' on the firewall and the internal host.
Again, only the internal case alerts:
--8< ------ >8--
       ID      < Signature >           < Timestamp >           < Source Address >      < Dest. Address >       < Layer 4 Proto >
#0-(1-90897)  [snort] RgC: TEST pattern found         2016-03-18 23:06:51.482         10.1.1.5:37733  193.99.144.85:80        TCP
--8< ------ >8--

The 1st case only inspects header information.
The last two cases need the payload.

* Has anybody an idea, what's going wrong here ??? *

I run snort version 2.9.7.6, self-compiled from sources (LFS).
My home-net is set to 'ipvar HOME_NET [192.168.178.240,10.1.0.0/16]'

Thank You
Claus Regelmann
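
As an added example of the checksum situation described in the reply above (not code from this thread or from Snort): a small pure-Python model that builds an IPv4/UDP packet like the DNS lookup to 192.168.178.1, verifies it the way an IDS decoder does, and shows that a copy whose UDP checksum field still holds only the offload partial sum fails the L4 check while the IP header passes. The flag values, the offload modelling and the constructed packet contents are assumptions of this example.

```python
import socket
import struct

# Illustrative error bits modelled on the flag names in the patch; the numeric
# values are constructed for this example, not copied from Snort's decode.h.
PKT_ERR_CKSUM_IP, PKT_ERR_CKSUM_UDP = 0x01, 0x04
PKT_ERR_CKSUM_ANY, PKT_ERR_BAD_TTL = 0x1F, 0x20


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a correctly checksummed region sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_udp(src, dst, sport, dport, payload, ttl=64, offload=False):
    """Build an IPv4/UDP packet. offload=True leaves only the pseudo-header partial
    sum in the UDP checksum field, modelling what a capture on the sending host
    shows under TX checksum offload (the NIC completes the sum after capture)."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    udp_len = 8 + len(payload)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 17, udp_len)
    if offload:
        csum = ~inet_checksum(pseudo) & 0xFFFF
    else:
        csum = inet_checksum(pseudo + struct.pack("!HHHH", sport, dport, udp_len, 0)
                             + payload) or 0xFFFF  # 0 would mean "no checksum"
    udp = struct.pack("!HHHH", sport, dport, udp_len, csum) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0,
                     ttl, 17, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + udp


def decode_error_flags(pkt: bytes, min_ttl: int = 1) -> int:
    """Verify checksums and TTL the way an IDS decoder does; return error bits."""
    flags, ip, udp = 0, pkt[:20], pkt[20:]
    if inet_checksum(ip) != 0:
        flags |= PKT_ERR_CKSUM_IP
    if ip[8] < min_ttl:
        flags |= PKT_ERR_BAD_TTL
    udp_len = struct.unpack("!H", udp[4:6])[0]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 17, udp_len)
    # A zero UDP checksum means "not computed" and is legal over IPv4
    if udp[6:8] != b"\x00\x00" and inet_checksum(pseudo + udp[:udp_len]) != 0:
        flags |= PKT_ERR_CKSUM_UDP
    return flags


def should_skip(flags: int, ignore_cksum: bool) -> bool:
    """The Preprocess gate: any error skips the packet, or, with the patch's
    mask applied, only non-checksum errors do (flags & ~PKT_ERR_CKSUM_ANY)."""
    return bool(flags & (~PKT_ERR_CKSUM_ANY if ignore_cksum else ~0))
```

With the mask applied, a bad-TTL packet is still skipped while a checksum-only error is inspected, which is the trade-off the patch makes.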


------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



