Snort mailing list archives

Problems with snort-2.1.0


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Mon, 12 Jan 2004 15:42:29 -0600

I upgraded to snort-2.1.0 last Friday and immediately began to have some
noticeable problems.  I'm posting this to see if I'm unique or if anyone
else has experienced similar things.

Details : FreeBSD 4.9 RELEASE, snort-2.1.0, mysql and acid.  Promiscuous
adapter on an edge device monitoring two DS3's.  Average inbound -
45MBps, average outbound - 10MBps.  Both HTTP_SERVERS and HTTP_PORTS are
defined in snort.conf.

1) I immediately began getting error messages saying that the "data"
table (in mysql) was full and could not be written to.  These ceased as
soon as I disabled the http_inspect preprocessor.

2) I enabled the perfmon preprocessor for the first time - this resulted
in filling up /var/log/messages *extremely* fast.  (Newsyslog was
turning over the messages log every *hour*.)  Is this normal?  (I've
since turned perfmon off.)  The amount of information in the messages
file was in the neighborhood of 2500 lines *per* reporting instance.  The
line in the snort.conf file was:
#preprocessor perfmonitor: console max file stats.snort flow events time 10 pktcnt 10000

The stats.snort file is 1.3MB.

3) The new http_inspect preprocessor (which replaced http_decode) was
pumping out alerts at a phenomenal rate.  In one hour I had over 30,000
alerts just from one portion of the preprocessor
(detect_anomalous_servers).  (I disabled it.)  Over the weekend, the
BARE BYTE UNICODE ENCODING alert was triggered over 2 million times!
The top 6 alerts I'm seeing are all from this preprocessor and account
for 98%! of all the alerts in the database.  (I've since completely
disabled http_inspect.)  Is anyone else seeing these levels of alerting
from this preprocessor?

Here's the config that I was using (all commented out now):

#preprocessor http_inspect: global \
#    iis_unicode_map unicode.map 1252

#preprocessor http_inspect_server: server default \
#    profile all \
#    ports { 80 443 8080 } \
#    flow_depth 300 \
#    oversize_dir_length 300

I read and reread the README.http_inspect doc, and I *thought* that I
understood how to use it, but I was not expecting the huge volume of
alerts that I got.  The first thing that I noticed is that the
detect_anomalous_servers flag triggered on *anything* that was web
traffic from non-webservers.  I would have *thought* that it would only
trigger if the *source port* was an http port *and* the source IP was
within $HOME_NET.  Did I misread the docs?  Or is the preprocessor
looking at any -> any?

I was also surprised to see alerts from bare_bytes,
non_rfc_defined_chars and many other flags that I had not specifically
enabled (or at least I *thought* that I hadn't enabled them.)

What am I missing?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
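A triage helper added here, not part of Paul's post or of the Snort project, that parses Snort alert_fast lines, reports which gid:sid pairs dominate the alert volume (the "top 6 account for 98%" check) and lists http_inspect alerts where neither endpoint is on a configured HTTP port, which is the set to look at when deciding whether detect_anomalous_servers is inspecting any -> any. The sample lines, hosts and rule ids are constructed; the generator ids 119/120 are assumed to be http_inspect's client- and server-side generators as in Snort's gen-msg.map, so verify them against your own copy.

```python
import re
from collections import Counter

# Constructed sample lines in Snort alert_fast format; gid:sid:rev values,
# hosts and messages are illustrative placeholders, not taken from the post.
SAMPLE_ALERTS = """\
01/12-15:42:29.000001  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.5:3456 -> 192.0.2.10:80
01/12-15:42:29.000002  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.6:3457 -> 192.0.2.10:80
01/12-15:42:29.000003  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.7:3458 -> 192.0.2.11:80
01/12-15:42:30.000004  [**] [120:1:1] (http_inspect) ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT [**] [Priority: 3] {TCP} 10.0.0.8:6881 -> 198.51.100.4:6881
01/12-15:42:30.000005  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.0.0.9:3459 -> 192.0.2.12:80
01/12-15:42:31.000006  [**] [1:1000001:1] Constructed custom rule alert [**] [Priority: 2] {TCP} 203.0.113.7:44444 -> 10.0.0.20:22
"""

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
HTTP_INSPECT_GIDS = {"119", "120"}  # assumed: client-side and server-side generators

def parse_alert(line):
    """Return the alert fields as a dict, or None for non-alert lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields

def top_signatures(lines, top_n=6):
    """Count alerts per (gid, sid, msg); return the top_n and their share of all alerts."""
    counts = Counter()
    for line in lines:
        a = parse_alert(line)
        if a:
            counts[(a["gid"], a["sid"], a["msg"])] += 1
    total = sum(counts.values())
    top = counts.most_common(top_n)
    share = sum(c for _, c in top) / total if total else 0.0
    return top, share

def off_port_http_alerts(lines, http_ports=frozenset({80, 443, 8080})):
    """http_inspect alerts where neither side uses a configured HTTP port:
    these show whether the preprocessor is firing on non-HTTP conversations."""
    return [a for a in map(parse_alert, lines)
            if a and a["gid"] in HTTP_INSPECT_GIDS
            and a["sport"] not in http_ports and a["dport"] not in http_ports]
```

Feed it the output of `snort -A fast` (alert file lines) to see which signatures to tune before touching the database.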

