Snort mailing list archives

Re: Something is wrong with snort logging?


From: fatema bannatwala <fatema.bannatwala () gmail com>
Date: Tue, 8 Nov 2016 09:10:19 -0500

Hi YM,

Thanks for some pointers.
I think it isn't a size limitation because the alert that had "clntnetid="
was about 20% longer than the one I mentioned in this email.
The logs are getting logged in their native unified2 format, and then
barnyard pushes it to a postgres DB where the payload is stored in hex.
Then we have a script that queries the snort DB and prints out the
information in text (i.e. converts the hex payload into text), and that's how
the alert looks after querying the DB (the one I used in this email,
replacing "\n" with '::~~').

I didn't change anything for the HTTP preprocessor, and have been using it with
all the default settings:

http_processor :
# HTTP normalization and anomaly detection.  For more information, see
README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 500 \
    max_header_length 750 \
    max_headers 100 \
    max_spaces 200 \
    small_chunk_length { 10 5 } \
    ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 5814 6080 6173 6988 7000 7001 7005 7071 7144 7145 7510 7770 7777 7778 7779 8000 8001 8008 8014 8015 8020 8028 8040 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090 9091 9111 9290 9443 9447 9710 9788 9999 10000 11371 12601 13014 15489 19980 29991 33300 34412 34443 34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712 } \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip \
    normalize_utf \
    unlimited_decompress \
    normalize_javascript \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    utf_8 no \
    u_encode yes \
    webroot no

On Tue, Nov 8, 2016 at 4:28 AM, Y M <snort () outlook com> wrote:

From a quick look at this, it could be a number of things. Your rule does not
specify where in the payload/HTTP request to look for the content
"clntnetid=", so the HTTP body could be a few bytes or a large number of
bytes. Snort will usually capture 3-5 (maybe?) packets that triggered the
rule. The HTTP body may have a few bytes that fit into these 3-5 packets, or
they are further down the HTTP stream. It may be (again) similar to the
log_uri buffer length, where on some occasions the URI gets logged and on
others it won't, due to lengthy URIs.


- Are you logging in binary format (unified2)? How does the data look
there? Your log looks like it is in Full format.

- What are the configurations of your http_processor?


While this response is more guesses than answers, I hope it puts you in the
right direction.


YM


------------------------------
*From:* fatema bannatwala <fatema.bannatwala () gmail com>
*Sent:* Monday, November 7, 2016 9:45:53 PM
*To:* snort-users () lists sourceforge net
*Subject:* [Snort-users] Something is wrong with snort logging?

Hi,

I have a snort rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Custom Likely Successful Generic Phish 2016-09-23"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"clntnetid="; depth:10; fast_pattern; http_client_body; content:"&pword="; distance:0; classtype:trojan-activity; sid:10001030; rev:1;)

The following event shouldn't trigger without a "clntnetid" in the string, so
it looks like some data isn't getting logged into the snort tables:

[1:10001030:1] Custom Likely Successful Generic Phish 2016-09-23
2016-11-07 04:26:06.103000-05:00 1.2.3.4:54862 -> 185.8.63.111:80
TCP: Data Triggering Snort Rule: POST /wp-admin/css/wep-et.php HTTP/1.1::~~Host: www.anjo.lv::~~Content-Type: application/x-www-form-urlencoded::~~Origin: null::~~Content-Length: 143::~~Connection: keep-alive::~~Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::~~User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4::~~Accept-Language: en-us::~~DNT: 1::~~Accept-Encoding: gzip, deflate::~~::~~

Another event that triggered this alert had "clntnetid" in the data string.
Not sure if the events that are triggering this alert have that
string in the data and snort is not logging it in the database, or something is not
correct with the rule that is causing it to trigger for events NOT
having that particular string in the data.

Snort version - 2.9.8.3
barnyard version - 2-1.9
pulledpork - 0.7.0

Does anyone know what might be going on?

Thanks,
Fatema.
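The rule above puts its fast pattern in http_client_body, while the logged event declares "Content-Length: 143" and then ends in "::~~::~~" with nothing after the headers. A quick way to separate "the body was never logged" from "the rule fired on something else" is to rebuild the request from what the DB holds and compare the declared length with the body bytes that actually reached the log. The helper below is an added example, not code from the thread or from Snort/barnyard2. It accepts either the hex payload column barnyard2 writes or the '::~~'-delimited text the poster's script prints, and it mirrors the rule's two body contents ("clntnetid=" within depth:10, then "&pword=" after it). Assumptions: the original request used CRLF line endings (restored when undoing the '::~~' substitution), both body contents are read as applying to the client body, and both sample inputs are constructed here (the first from the headers pasted in the thread, the second an invented request with a body, hex-encoded the way barnyard2 stores it).

```python
"""Added triage helper (not from the thread): rebuild the HTTP request Snort
logged for an alert and report whether the client body, which the rule matches
on via http_client_body, is actually present in the logged bytes."""
import binascii

LINE_SEP = "::~~"            # the poster's replacement for "\n" in pasted output
RULE_DEPTH = 10              # from the rule: content:"clntnetid="; depth:10;
FIRST_CONTENT = b"clntnetid="
SECOND_CONTENT = b"&pword="  # from the rule: content:"&pword="; distance:0;


def payload_from_hex(hex_payload: str) -> bytes:
    """Decode a hex-encoded payload column as barnyard2 stores it."""
    return binascii.unhexlify(hex_payload.strip())


def payload_from_pasted(text: str) -> bytes:
    """Undo the "\n" -> '::~~' substitution.  The CR of each CRLF did not
    survive the trip to the list, so CRLF is restored (assumption: the
    client sent standard CRLF line endings)."""
    return text.replace(LINE_SEP, "\r\n").encode("latin-1")


def split_http_request(raw: bytes):
    """Return (request_line, headers, body); header names are lower-cased,
    body is whatever follows the blank line (possibly nothing)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                      # tolerate bare-LF requests
        head, sep, body = raw.partition(b"\n\n")
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    request_line = lines[0].decode("latin-1", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1", "replace").partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def body_matches_rule(body: bytes) -> bool:
    """Mirror the rule's body checks: "clntnetid=" must lie entirely within
    the first RULE_DEPTH bytes of the client body (find() with an end bound
    enforces that), and "&pword=" must appear somewhere after its end, which
    is what distance:0 means."""
    first = body.find(FIRST_CONTENT, 0, RULE_DEPTH)
    if first < 0:
        return False
    return body.find(SECOND_CONTENT, first + len(FIRST_CONTENT)) >= 0


def triage(raw: bytes) -> dict:
    """Compare the Content-Length the client declared with the body bytes
    that reached the log, and say whether those bytes satisfy the rule."""
    request_line, headers, body = split_http_request(raw)
    method, _, rest = request_line.partition(" ")
    uri = rest.split(" ", 1)[0]
    declared = int(headers.get("content-length") or 0)
    return {
        "method": method,
        "uri": uri,
        "uri_has_php": ".php" in uri,
        "declared_body_length": declared,
        "logged_body_length": len(body),
        "body_incomplete": len(body) < declared,
        "rule_body_match": body_matches_rule(body),
    }


# Constructed from the event pasted in the thread: headers present,
# Content-Length: 143 declared, text ends in "::~~::~~", i.e. no body logged.
PASTED_EVENT = (
    "POST /wp-admin/css/wep-et.php HTTP/1.1::~~Host: www.anjo.lv::~~"
    "Content-Type: application/x-www-form-urlencoded::~~Origin: null::~~"
    "Content-Length: 143::~~Connection: keep-alive::~~"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8::~~"
    "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) "
    "AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4::~~"
    "Accept-Language: en-us::~~DNT: 1::~~Accept-Encoding: gzip, deflate::~~::~~"
)

# Constructed (invented) request whose body did get logged, hex-encoded the
# way a barnyard2 payload row looks; host and path are placeholders.
COMPLETE_REQUEST = (
    b"POST /login.php HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 20\r\n\r\n"
    b"clntnetid=u&pword=pw"
)
HEX_ROW = binascii.hexlify(COMPLETE_REQUEST).decode("ascii")


if __name__ == "__main__":
    for label, raw in (("pasted event", payload_from_pasted(PASTED_EVENT)),
                       ("hex DB row", payload_from_hex(HEX_ROW))):
        print(label, triage(raw))
```

Run it over the payload column of every row for sid 10001030: rows where `body_incomplete` is true and `rule_body_match` is false are alerts whose logged packet carries fewer body bytes than the client declared, which is the case to compare against the raw unified2 file before suspecting the rule itself.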




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
