Snort mailing list archives
Snort Alert description
From: "Michael Pickert" <Michael.Pickert () semikron com>
Date: Fri, 11 Jan 2002 09:56:02 +0100
Hi, is there a place where I can find a complete description of all snort alerts? I have been running snort for 6 months or so, but it is still often hard to find out what an alert means, because I have been in the business for just a year. Any help would be great!

Thanks,
Michael Pickert
IT SEMIKRON
m.pickert () semikron com
>>> snort-users-request () lists sourceforge net 10.01.02 22:56:05 >>>

Send Snort-users mailing list submissions to
    snort-users () lists sourceforge net
To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
    snort-users-request () lists sourceforge net
You can reach the person managing the list at
    snort-users-admin () lists sourceforge net
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. Newbie question Snort and Demarc (SkatFiend () aol com)
   2. Snort Packet Stats (Matt Jonkman)
   3. Re: Garbage in snort logs (Russell Fulton)
   4. Re: Can I 'nice' snort process? (Frank)
   5. Re: 158 Meg snort? (Frank)
   6. Re: Snort core dumped (fwd) (Martin Roesch)
   7. immortal_28 () hotmail com (immortal_28 () hotmail com)
   8. Re: Newbie question Snort and Demarc (Frank)
   9. RE: Can I 'nice' snort process? (Saad Kadhi)
  10. Re: Snort Packet Stats (Martin Roesch)
  11. Re: Garbage in snort logs (Frank)
  12. Re: Snort Packet Stats (Ashley Thomas)
  13. Re: Re: Garbage in snort logs (Martin Roesch)

--__--__--

Message: 1
From: SkatFiend () aol com
Date: Thu, 10 Jan 2002 15:14:26 EST
To: snort-users () lists sourceforge net
Subject: [Snort-users] Newbie question Snort and Demarc

Hi everyone,

I just installed Demarc and mysql on a Win2K box the other day. Everything seems to be fine except for one major item. When snort starts it is not loading any rule sets. I used the snort.conf file from another box that has Snort + ACID with minor adjustments. Each time I start Demarc it appears to overwrite and rem out the "include" statements for the rules files. So snort starts correctly, parses the snort.conf file correctly but rules are read. Can anyone please tell me how this works?

Thanks in advance.
Cliff

--__--__--

Message: 2
From: "Matt Jonkman" <matt () jonkmans com>
To: <snort-users () lists sourceforge net>
Date: Thu, 10 Jan 2002 14:39:22 -0600
Subject: [Snort-users] Snort Packet Stats

We're working on our own homegrown snort back-end and want to really concentrate on having detailed live and trending stats for each sensor. Is there a way to get the stats that snort dumps when you ^C a non-daemon instance when you are running as a daemon? If not is there another source of the running stats we can grab and trend?
Thanks
Matt

I.e. these stats:

===============================================================================
Snort analyzed 4444 out of 6034 packets, dropping 1590(26.351%) packets

Breakdown by protocol:                Action Stats:
    TCP: 2494       (41.332%)         ALERTS: 0
    UDP: 108        (1.790%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 102        (1.690%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
         Stream Trackers: 0
          Stream flushes: 0
           Segments used: 0
   Stream4 Memory Faults: 0
===============================================================================
Snort received signal 2, exiting

--__--__--

Message: 3
From: Russell Fulton <R.FULTON () auckland ac nz>
To: snort-users () lists sourceforge net
Date: 11 Jan 2002 09:43:58 +1300
Subject: [Snort-users] Re: Garbage in snort logs
Andreas Östling <andreaso () it su se> wrote:

> Hello,
> I experience the same problems as Russell from time to time. I was running 1.8.3 (release version), but unfortunately build 89 did not solve all problems. The ethernet headers now seem to be correct, but the payload is still messed up.
> [ snip ]
> This is just a test machine so I'll try to experiment a bit. Any clever suggestions about what may be worth trying? To me it seems like it's always those unicode requests that mess things up.
> Could there also be some problem with http_decode?

Agreed.

> (did build 89 solve your problems, Russell?)

No, my experience mirrors yours. I'm pleased I'm no longer alone; I was starting to think I must have been imagining these problems ;-)

Here is some mail I sent to Marty this morning which has some other ideas on this problem...

Hi Marty,
I have just been corresponding with Brennan Bakke <bbakke () solcon nl> who reported finding bits of snort rules in logged ICMP packets (on the security focus incidents list). I told him about the build 89 fixes and suggested that these might fix his problems. Someone else pointed out (quite rightly) that the ICMP packets should not go anywhere near the stream4 preprocessor! So I wonder if there is a bug somewhere much lower down in the stack which is mangling some length and causing both these problems. In my case turning off the stream4 stuff makes these alerts go away but that does *not* necessarily imply that it is the stream4 stuff that is causing the problem in the first place.

Cheers, Russell.
-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

--__--__--

Message: 4
Date: Thu, 10 Jan 2002 12:35:26 -0800 (PST)
From: Frank <la () pasadena net>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Can I 'nice' snort process?

Have you set your HOME_NET and EXTERNAL_NET variables? If not, this is a likely source of all the CPU use.

Other strategies:

1. Remove rules that don't apply to your systems. If Windows, remove UNIX signatures, etc.
2. Reduce the rules that have "any" port number or destination.
3. Reduce the ICMP rules. Do you really need to log all the pings? If so, do this on your firewall.

Take a look at the preprocessors, read the docs and make sure you need all of them enabled. I had issues with snort's ram usage growing. I disabled:

preprocessor defrag
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384

And enabled:

preprocessor frag2: 16777216, 10
preprocessor stream4: timeout 10, maxbytes 16384

And the problem was solved.
Frank

On Thu, 10 Jan 2002, Tran, John wrote:

> I'm running snort on one of my web servers as a local IDS (don't ask me why, let's just go along w/ it for now..) and it takes up massive amounts of CPU (40%), which can be expected considering it's a large amount of traffic. It was suggested to me to run 'nice' on the process to throttle its CPU usage, but I'm pretty sure throttling snort will cause it to drop a lot of packets.
> Is this true?
--__--__--

Message: 5
Date: Thu, 10 Jan 2002 12:36:26 -0800 (PST)
From: Frank <la () pasadena net>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 158 Meg snort?

I found the problem. Wrong preprocessors selected:

I disabled:

preprocessor defrag
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384

And enabled:

preprocessor frag2: 16777216, 10
preprocessor stream4: timeout 10, maxbytes 16384

And the problem was solved.

Frank

On Wed, 9 Jan 2002, Frank wrote:

> I've run snort for two days on a very busy sensor. It now shows 158 Meg size. When I restart it's 14 meg.
>
> System info:
> Snort compiled with mysql and snmp support.
>
> snort -V
>   -*> Snort! <*-
> Version 1.8.3 (Build 88)
> By Martin Roesch (roesch () sourcefire com, www.snort.org)
>
> Linux 2.4.7-10smp #1 SMP Thu Sep 6 17:09:31 EDT 2001 i686 unknown
--__--__--

Message: 6
Date: Thu, 10 Jan 2002 15:49:44 -0500
From: Martin Roesch <roesch () sourcefire com>
To: Roman Danyliw <rdd () cert org>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort core dumped (fwd)

Saw it, loved the format of the report *and* the forum, truly. Somehow a patch that we did a while back got messed up and migrated into the 1.8.3 distro (much like ntohs() being added and removed from the ICMP ID's and sequence numbers about once every 3 months or so). Anyway, here's the patch:

--- basesnort/decode.h	Thu Jan 10 15:47:48 2002
+++ snort/decode.h	Thu Jan 10 12:15:33 2002
@@ -105,7 +105,7 @@
 #define IP_HEADER_LEN 20
 #define TCP_HEADER_LEN 20
 #define UDP_HEADER_LEN 8
-#define ICMP_HEADER_LEN 8
+#define ICMP_HEADER_LEN 4
 #define TH_FIN 0x01
 #define TH_SYN 0x02

-Marty

Roman Danyliw wrote:
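Review bot: the one-line change of ICMP_HEADER_LEN from 8 to 4 carries no comment, and the message above says this part of the decoder has been flipped back and forth before; a comment beside the define stating that 4 is the header common to every ICMP message (type, code, checksum) and that the echo identifier and sequence number printed as "ID:9435 Seq:0" are decoded separately, together with a regression test built from the forwarded report (ping -c 1 -s 1, a 29-byte datagram with a 1-byte payload), would stop the value from silently regressing in the next distro.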
> ---------- Forwarded Message ----------
> Date: Thursday, January 10, 2002 1:26 PM +0800
> From: Sinbad <securitymail () 263 net>
> To: bugtraq () securityfocus com
> Subject: Snort core dumped
>
> Run snort:
> # snort -dev host 192.168.0.3 and 192.168.0.1
>
> Ping 192.168.0.1 from 192.168.0.3 with one data byte in the payload:
> # ping -c 1 -s 1 192.168.0.1
>
> Snort's output is shown below:
>
> -*> Snort! <*-
> Version 1.8.3 (Build 88)
> By Martin Roesch (roesch () sourcefire com, www.snort.org)
>
> 01/10-11:34:43.898282 0:80:AD:78:83:BB -> 0:E0:18:C4:52:76 type:0x800 len:0x2B
> 192.168.0.3 -> 192.168.0.1 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:29 DF
> Type:8 Code:0 ID:9435 Seq:0 ECHO
> Segmentation fault (core dumped)
>
> hmm... core dumped! while with the '-X' option it works well. :)
> Have you ever seen this happen?
>
> Regards,
> Sinbad
> ---------- End Forwarded Message ----------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

--__--__--

Message: 7
From: "immortal_28 () hotmail com" <immortal_28 () hotmail com>
To: <Snort-users () lists sourceforge net>
Date: Thu, 10 Jan 2002 19:10:31 -0200
Subject: [Snort-users] immortal_28 () hotmail com

--__--__--

Message: 8
Date: Thu, 10 Jan 2002 12:56:42 -0800 (PST)
From: Frank <la () pasadena net>
To: SkatFiend () aol com
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Newbie question Snort and Demarc

You need to let Demarc manage the rules. If you edit the snort.conf outside of Demarc it will overwrite it.

Frank

On Thu, 10 Jan 2002 SkatFiend () aol com wrote:
> I just installed Demarc and mysql on a Win2K box the other day. Everything seems to be fine except for one major item. When snort starts it is not loading any rule sets. I used the snort.conf file from another box that has

--__--__--

Message: 9
Subject: RE: [Snort-users] Can I 'nice' snort process?
From: Saad Kadhi <bsdguy () docisland org>
To: Tom Sevy <tsevy () epx com>
Cc: Snort Users <snort-users () lists sourceforge net>
Date: 10 Jan 2002 22:08:49 +0100

On Thu, 2002-01-10 at 20:19, Tom Sevy wrote:
> Can you refer me to any guidelines for tuning the FreeBSD kernel in ways that would help Snort's performance?

Well, the first thing you should really consider is tuning the snort configuration itself. Tweak logging, since file I/O costs some CPU. Then enable softupdates on your partitions; it'll speed up some file system operations a lot. Though softupdates is pretty stable, I'd advise you to back up the box first thing before enabling it. Next, consider stripping down the kernel to the minimum. The smaller the kernel is, the faster your box is. Then take a look at:

http://www.daemonnews.org/200108/benchmark.html
http://www.freebsd.org/handbook/

If you are running short of mbufs, raise NMBCLUSTERS & the like (for the VM). For a VERY GOOD description of all the tweaking/tuning options a FreeBSD kernel has, given you have a copy of the source tree, look at /usr/src/sys/i386/conf/LINT. Each option is explained there. As to what pertains to snort itself, ask Marty & crew what snort needs to run faster. It is beyond my knowledge (though I suspect fs I/O, fds, ...etc. the usual suspects!).

HTH
> -----Original Message-----
> From: Saad Kadhi [mailto:bsdguy () docisland org]
> Sent: Thursday, January 10, 2002 1:58 PM
> To: Tran, John
> Cc: 'snort-users () lists sourceforge net'
> Subject: Re: [Snort-users] Can I 'nice' snort process?
>
> On Thu, 2002-01-10 at 19:03, Tran, John wrote:
> > I'm running snort on one of my web servers as a local IDS (don't ask me why, let's just go along w/ it for now..) and it takes up massive amounts of CPU (40%), which can be expected considering it's a large amount of traffic. It was suggested to me to run 'nice' on the process to throttle its CPU usage, but I'm pretty sure throttling snort will cause it to drop a lot of packets.
> > Is this true?
>
> Yep, at least to my field knowledge. But instead of nice-ing, you could log less stuff, tune up your kernel, etc...
>
> regards.
> -- 
> /Saad -- [bsdguy () docisland org] [pgp keyid: 35592A6D http://pgp.mit.edu]
> # buy a geek-in-a-can, point nozzle at technical problem and spray
> # if desperate degauss your screen. it might solve your pb as well

-- 
/Saad -- [bsdguy () docisland org] [pgp keyid: 35592A6D http://pgp.mit.edu]
# buy a geek-in-a-can, point nozzle at technical problem and spray
# if desperate degauss your screen. it might solve your pb as well

--__--__--

Message: 10
Date: Thu, 10 Jan 2002 16:40:44 -0500
From: Martin Roesch <roesch () sourcefire com>
To: Matt Jonkman <matt () jonkmans com>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Packet Stats

Send the snort PID a SIGUSR1 and it'll dump stats to the console (console mode) or syslog (daemon mode).

-Marty

Matt Jonkman wrote:
> We're working on our own homegrown snort back-end and want to really concentrate on having detailed live and trending stats for each sensor.
> Is there a way to get the stats that snort dumps when you ^C a non-daemon instance when you are running as a daemon? If not is there another source of the running stats we can grab and trend?
>
> Thanks
> Matt
>
> I.e. these stats:
> [ snip: the summary block quoted in full in Message 2 ]

-- 
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

--__--__--

Message: 11
Date: Thu, 10 Jan 2002 13:32:37 -0800 (PST)
From: Frank <la () pasadena net>
To: snort-users () lists sourceforge net
cc: bbakke () solcon nl
Subject: [Snort-users] Re: Garbage in snort logs

I'm having the same problem with ICMP in 1.8.3:

A snippet:

R)d..>e.n.f...g.P.g...h.2.i...j...k...l...m...n..qo...p .Zq..fr .:s.iFt ..u../v ..v.h.x }.x.J.y _.z.,.{.{.|...}.].~... ................................................................................ ....................................................................PDT.PST.PWT.PP T.................$.............PST.....(.......PWT.............PPT.....H.......X .......http_decode.....h...@..........$ream2......... ....}..0.......spade...........@...l...X.......spade-homenet...........h...`...x... ....spade-stats..

On 11 Jan 2002, Russell Fulton wrote:
> Here is some mail I sent to Marty this morning which has some other ideas on this problem...
>
> Hi Marty,
> I have just been corresponding with Brennan Bakke <bbakke () solcon nl> who reported finding bits of snort rules in logged ICMP packets (on the security focus incidents list). I told him about the build 89 fixes and suggested that these might fix his problems. Someone else pointed out (quite rightly) that the ICMP packets should not go anywhere near the stream4 preprocessor!
--__--__--

Message: 12
Date: Thu, 10 Jan 2002 16:53:05 -0500 (EST)
From: Ashley Thomas <athomas () unity ncsu edu>
To: Matt Jonkman <matt () jonkmans com>
cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort Packet Stats

It is slightly out of sync, but may I ask you this.
From the stats that you've attached, Snort seems to be dropping a lot of packets? Is the traffic volume very high? Or is it something that I've overlooked?

thanks
ashley

On Thu, 10 Jan 2002, Matt Jonkman wrote:

> We're working on our own homegrown snort back-end and want to really concentrate on having detailed live and trending stats for each sensor.
> Is there a way to get the stats that snort dumps when you ^C a non-daemon instance when you are running as a daemon? If not is there another source of the running stats we can grab and trend?
>
> Thanks
> Matt
>
> I.e. these stats:
> [ snip: the summary block quoted in full in Message 2 ]
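Ashley's question is whether 1590 dropped out of 6034 received is a problem. As an added example that is not part of this thread, here is a Python parser for the summary block Matt posted in Message 2 (the same block Marty says a SIGUSR1 makes a daemonised snort emit): it pulls out the counters, computes the drop rate and applies the sanity checks a trending back-end would want before storing a sample. The sample text is laid out from Matt's figures, and the 5% drop threshold is an assumed default, not anything Snort specifies.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the summary block Snort 1.8.x prints on ^C (or, per Marty's
# reply, on SIGUSR1 when daemonised), laid out from the figures Matt posted.
SAMPLE_STATS = """\
===============================================================================
Snort analyzed 4444 out of 6034 packets, dropping 1590(26.351%) packets
Breakdown by protocol:                Action Stats:
    TCP: 2494       (41.332%)         ALERTS: 0
    UDP: 108        (1.790%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 102        (1.690%)
DISCARD: 0          (0.000%)
===============================================================================
Snort received signal 2, exiting
"""

SUMMARY_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets, dropping (\d+)\(")
PROTO_RE = re.compile(r"\b(TCP|UDP|ICMP|ARP|IPv6|IPX|OTHER|DISCARD): (\d+)")
ACTION_RE = re.compile(r"\b(ALERTS|LOGGED|PASSED): (\d+)")


@dataclass
class SnortStats:
    analyzed: int
    received: int
    dropped: int
    protocols: dict = field(default_factory=dict)
    actions: dict = field(default_factory=dict)

    def drop_rate(self) -> float:
        """Dropped packets as a percentage of everything libpcap delivered."""
        return 100.0 * self.dropped / self.received if self.received else 0.0


def parse_snort_stats(text: str) -> SnortStats:
    """Parse one summary block. Only the two-column section between
    'Breakdown by protocol:' and the next '====' rule is scanned for counters,
    so the fragmentation and stream sections cannot pollute the tables."""
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("no 'Snort analyzed ... packets' line found")
    stats = SnortStats(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    start = text.find("Breakdown by protocol:")
    end = text.find("====", start) if start >= 0 else -1
    section = text[start:end] if start >= 0 and end > start else ""
    stats.protocols = {k: int(v) for k, v in PROTO_RE.findall(section)}
    stats.actions = {k: int(v) for k, v in ACTION_RE.findall(section)}
    return stats


def check_stats(stats: SnortStats, max_drop_pct: float = 5.0) -> list:
    """Sanity checks before a sample enters a trending database; the 5%
    threshold is an assumed default, not a Snort recommendation."""
    warnings = []
    if stats.drop_rate() > max_drop_pct:
        warnings.append(f"drop rate {stats.drop_rate():.3f}% exceeds {max_drop_pct}%")
    if stats.received - stats.analyzed != stats.dropped:
        warnings.append("received - analyzed does not equal dropped")
    proto_sum = sum(stats.protocols.values())
    if proto_sum != stats.analyzed:
        # In the posted run the per-protocol counters sum to 2704, not 4444.
        warnings.append(f"protocol counters sum to {proto_sum}, analyzed is {stats.analyzed}")
    return warnings
```

Run against the posted figures, check_stats() flags both the 26.35% drop rate and the fact that the per-protocol counters do not add up to the analyzed count, which is exactly the kind of thing to surface before trending the numbers.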
--__--__--

Message: 13
Date: Thu, 10 Jan 2002 16:53:42 -0500
From: Martin Roesch <roesch () sourcefire com>
To: Russell Fulton <R.FULTON () auckland ac nz>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Re: Garbage in snort logs

The stream_size calculation in stream4 is what's causing the problem, I'm working on it as we speak. I'll be checking in a new build in a bit, I'll let you guys know when it's ready.

-Marty

Russell Fulton wrote:
> [ snip: Russell's message quoted in full; see Message 3 above ]
-- 
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

--__--__--

End of Snort-users Digest
Current thread:
- Snort Alert description Michael Pickert (Jan 11)
- Re: Snort Alert description Roberto Suarez Soto (Jan 11)