Snort mailing list archives
Problems with snort-2.1.0
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Mon, 12 Jan 2004 15:42:29 -0600
I upgraded to snort-2.1.0 last Friday and immediately began to have some noticeable problems. I'm posting this to see if I'm unique or if anyone else has experienced similar things.

Details: FreeBSD 4.9 RELEASE, snort-2.1.0, mysql and acid. Promiscuous adapter on an edge device monitoring two DS3's. Average inbound - 45MBps, average outbound - 10MBps. Both HTTP_SERVERS and HTTP_PORTS are defined in snort.conf.

1) I immediately began getting error messages saying that the "data" table (in mysql) was full and could not be written to. These ceased as soon as I disabled the http_inspect preprocessor.

2) I enabled the perfmon preprocessor for the first time - this resulted in filling up /var/log/messages *extremely* fast. (Newsyslog was turning over the messages log every *hour*.) Is this normal? (I've since turned perfmon off.) The amount of information in the messages file was in the neighborhood of 2500 lines *per* reporting instance. The line in the snort.conf file was:

    #preprocessor perfmonitor: console max file stats.snort flow events time 10 pktcnt 10000

The stats.snort file is 1.3MB.

3) The new http_inspect preprocessor (which replaced http_decode) was pumping out alerts at a phenomenal rate. In one hour I had over 30,000 alerts just from one portion of the preprocessor (detect_anomalous_servers). (I disabled it.) Over the weekend, the BARE BYTE UNICODE ENCODING alert was triggered over 2 million times! The top 6 alerts I'm seeing are all from this preprocessor and account for 98%! of all the alerts in the database. (I've since completely disabled http_inspect.) Is anyone else seeing these levels of alerting from this preprocessor?

Here's the config that I was using (all commented out now):

    #preprocessor http_inspect: global \
    # iis_unicode_map unicode.map 1252
    #preprocessor http_inspect_server: server default \
    # profile all \
    # ports { 80 443 8080 } \
    # flow_depth 300 \
    # oversize_dir_length 300

I read and reread the README.http_inspect doc, and I *thought* that I understood how to use it, but I was not expecting the huge volume of alerts that I got. The first thing that I noticed is that the detect_anomalous_servers flag triggered on *anything* that was web traffic from non-webservers. I would have *thought* that it would only trigger if the *source port* was an http port *and* the source IP was within $HOME_NET. Did I misread the docs? Or is the preprocessor looking at any -> any? I was also surprised to see alerts from bare_bytes, non_rfc_defined_chars and many other flags that I had not specifically enabled (or at least I *thought* that I hadn't enabled them.) What am I missing?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
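As an added example (not from the post above or from the Snort project), here is a small Python triage script for the situation Paul describes: it tallies Snort alert_fast lines by generator and signature ID, shows which preprocessor alerts dominate the total (he found the top six http_inspect alerts at 98%), and prints a Snort 2.x threshold.conf "limit" line for each signature over an assumed cutoff. The sample alert lines, the 50% cutoff and the rate-limit values are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Snort alert_fast format (not taken from the post).
SAMPLE_ALERTS = """\
01/12-15:42:29.100000  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.1.2.3:34567 -> 10.4.5.6:80
01/12-15:42:29.200000  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.1.2.9:40001 -> 10.4.5.6:80
01/12-15:42:30.300000  [**] [120:1:1] (http_inspect) ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT [**] [Priority: 3] {TCP} 10.1.2.3:34568 -> 192.0.2.7:8000
01/12-15:42:31.400000  [**] [1:1000001:1] SAMPLE local rule (constructed) [**] [Priority: 2] {TCP} 198.51.100.8:51234 -> 10.4.5.6:80
01/12-15:42:32.500000  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.1.2.3:34569 -> 10.4.5.6:80
"""

# Matches "[**] [gid:sid:rev] message [**]" in an alert_fast line; the message
# keeps the "(http_inspect)" generator tag so preprocessor alerts stand out.
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):\d+\] (.+?) \[\*\*\]")

def parse_alerts(text):
    """Return a list of (gid, sid, message) for every parsable alert line."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            out.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return out

def summarize(alerts):
    """Rows of (gid, sid, message, count, percent_of_total), busiest first."""
    total = len(alerts)
    if total == 0:
        return []
    return [(gid, sid, msg, n, round(100.0 * n / total, 1))
            for (gid, sid, msg), n in Counter(alerts).most_common()]

def noisy_signatures(alerts, share=50.0):
    """Rows whose share of all alerts is at least `share` percent (assumed cutoff)."""
    return [row for row in summarize(alerts) if row[4] >= share]

def threshold_line(gid, sid, count=1, seconds=60):
    """Snort 2.x threshold.conf entry limiting a signature to `count` alerts per
    source per `seconds`; verify the syntax against the docs for your version."""
    return ("threshold gen_id %d, sig_id %d, type limit, track by_src, count %d, seconds %d"
            % (gid, sid, count, seconds))

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for gid, sid, msg, n, pct in summarize(alerts):
        print("%3d:%-8d %6d %5.1f%%  %s" % (gid, sid, n, pct, msg))
    for gid, sid, msg, n, pct in noisy_signatures(alerts):
        print("suggested:", threshold_line(gid, sid))
```

Point the script at a real alert file (or the output of a database query) before deciding which http_inspect options to tune or threshold; the counts tell you whether one signature or many is responsible for the volume.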
Current thread:
- Problems with snort-2.1.0 Schmehl, Paul L (Jan 12)
- <Possible follow-ups>
- RE: Problems with snort-2.1.0 Daniel J. Roelker (Jan 14)
- RE: Problems with snort-2.1.0 Andreas Östling (Jan 14)
- RE: Problems with snort-2.1.0 Daniel J. Roelker (Jan 15)
- Latest Snort 2.1.x on Solaris 8, Can anyone confirm please? Snortty (Mar 19)
- RE: Problems with snort-2.1.0 Andreas Östling (Jan 14)
- RE: Problems with snort-2.1.0 Schmehl, Paul L (Jan 14)
- RE: Problems with snort-2.1.0 DM (Jan 14)