Snort mailing list archives
Re: data from multiple sessions in one alert/packet
From: nikns <nikns () secure lv>
Date: Thu, 18 May 2006 00:52:47 +0300
I had an identical issue. You are probably dropping packets. The short answer is: "There is a config parameter in Stream4 to help address that. On the stream4_reassemble line, add "zero_flushed_packets". This will cause Stream4 to zero out the memory of the rebuilt packet before copying in the new data. So, when packets are missing from the middle of the rebuilt packet, you'll get 0x00 in those bytes, rather than whatever was there from the previous rebuild." -- Steven

nikns

On Wed, May 17, 2006 at 05:26:21PM -0400, Jon Hart wrote:
Hello,

The weird behavior I'm seeing is what appears to be multiple HTTP requests (sometimes the src<->dest is the same, others not) in the same alert. Someone in #snort asked if I was behind a proxy server and, yes, the bulk of our inbound traffic is handled by Akamai. I can't find any specific examples, but I swear I saw alerts where some of the traffic came from Akamai and others did not. What is even weirder is, today, I saw an alert that contained portions of two distinct conversations, but one was headed inbound and the other was headed outbound. Aside from the general weirdness of this, I had just recently switched my $HOME_NET to 'any'.

This is snort 2.4.4, running Red Hat Enterprise Linux ES release 4 (Nahant Update 1) with kernel 2.6.9-11.ELsmp (not my choice). My config is more or less stock:

    var HOME_NET any
    var EXTERNAL_NET any
    var DNS_SERVERS $HOME_NET
    var SMTP_SERVERS $HOME_NET
    var HTTP_SERVERS $HOME_NET
    var SQL_SERVERS $HOME_NET
    var TELNET_SERVERS $HOME_NET
    var SNMP_SERVERS $HOME_NET
    var HTTP_PORTS 80
    var SHELLCODE_PORTS !80
    var ORACLE_PORTS 1521
    var SSH_PORTS 22
    var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
    var RULE_PATH ./rules
    config disable_decode_alerts
    config disable_tcpopt_experimental_alerts
    preprocessor flow: stats_interval 0 hash 2
    preprocessor frag3_global: max_frags 65536
    preprocessor frag3_engine: policy first detect_anomalies
    preprocessor stream4: disable_evasion_alerts
    preprocessor stream4_reassemble
    preprocessor http_inspect: global \
        iis_unicode_map unicode.map 1252
    preprocessor http_inspect_server: server default \
        profile all ports { 80 8080 8180 } oversize_dir_length 500 \
        no_alerts
    preprocessor rpc_decode: 111 32771
    preprocessor bo
    preprocessor telnet_decode
    preprocessor xlink2state: ports { 25 691 }
    output database: log, mysql, user=snort \
        password=ffffff dbname=snort host=localhost sensor_name=edge

And snort is started as follows:

    snort -u snort -g snort -i bond0 -c /usr/local/stow/snort/etc/snort.conf -D -eyo

(I have a pass rule to filter out a particularly false-positive prone URL, hence the -o)

Any ideas?

-jon

-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier. Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
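The mechanism behind nikns's answer, as an added C model that is not Snort's code: a single rebuilt-packet buffer is reused from one flush to the next, so when a session's middle segment is dropped, the bytes of whatever session was last rebuilt there survive into the new alert unless the buffer is cleared first. The `zero_flushed` flag here stands in for the effect of `zero_flushed_packets`; the buffer size, the two HTTP requests and the dropped segment are all constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not Snort's code) of a reassembly buffer that is
 * reused across flushes. A gap left by a dropped segment is never
 * overwritten, so it keeps bytes from the previous rebuild unless the
 * buffer is zeroed first. */
#define REBUILD_MAX 64

static unsigned char rebuild_buf[REBUILD_MAX];  /* shared, reused buffer */

struct segment {
    unsigned int offset;  /* offset of this segment within the stream */
    const char *data;     /* constructed payload bytes */
};

/* Copy the segments into the shared buffer and return the rebuilt length.
 * With zero_flushed set, the buffer is cleared before the rebuild (the
 * effect of "zero_flushed_packets"); otherwise gaps keep stale bytes. */
static unsigned int rebuild(const struct segment *segs, unsigned int nsegs,
                            bool zero_flushed)
{
    unsigned int total = 0;
    if (zero_flushed)
        memset(rebuild_buf, 0, sizeof rebuild_buf);
    for (unsigned int i = 0; i < nsegs; i++) {
        unsigned int len = (unsigned int)strlen(segs[i].data);
        unsigned int end = segs[i].offset + len;
        if (end > REBUILD_MAX)
            continue;  /* does not fit; skipped in this model */
        memcpy(rebuild_buf + segs[i].offset, segs[i].data, len);
        if (end > total)
            total = end;
    }
    return total;
}

/* Rebuild session A completely, then session B with the segment covering
 * offsets 8..15 dropped, and copy B's rebuilt packet to out.
 * Returns B's rebuilt length (22 with the constructed data below). */
unsigned int rebuild_two_sessions(bool zero_flushed, unsigned char *out,
                                  unsigned int outmax)
{
    /* Session A: one HTTP request, fully received (constructed). */
    const struct segment a[] = {
        { 0, "GET /index.html HTTP/1.0\r\n" },
    };
    /* Session B: the segment carrying "gin HTTP" at offset 8 was dropped. */
    const struct segment b[] = {
        { 0,  "POST /lo" },
        { 16, "/1.0\r\n" },
    };
    rebuild(a, 1, zero_flushed);
    unsigned int n = rebuild(b, 2, zero_flushed);
    if (n > outmax)
        n = outmax;
    memcpy(out, rebuild_buf, n);
    return n;
}

/* Number of non-zero bytes in B's gap (offsets 8..15): anything non-zero
 * there came from session A's earlier rebuild, not from session B. */
unsigned int stale_bytes_after_rebuild(bool zero_flushed)
{
    unsigned char pkt[REBUILD_MAX];
    unsigned int count = 0;
    rebuild_two_sessions(zero_flushed, pkt, sizeof pkt);
    for (unsigned int i = 8; i < 16; i++)
        if (pkt[i] != 0)
            count++;
    return count;
}

/* 1 if B's rebuilt packet equals the expected bytes, else 0. */
int rebuilt_matches(bool zero_flushed, const char *expected, unsigned int len)
{
    unsigned char pkt[REBUILD_MAX];
    unsigned int n = rebuild_two_sessions(zero_flushed, pkt, sizeof pkt);
    return n == len && memcmp(pkt, expected, len) == 0;
}

static void dump(const char *label, bool zero_flushed)
{
    unsigned char pkt[REBUILD_MAX];
    unsigned int n = rebuild_two_sessions(zero_flushed, pkt, sizeof pkt);
    printf("%s: ", label);
    for (unsigned int i = 0; i < n; i++) {
        if (pkt[i] >= 0x20 && pkt[i] < 0x7f)
            putchar(pkt[i]);
        else
            printf("\\x%02x", pkt[i]);
    }
    putchar('\n');
}

int main(void)
{
    dump("without zero_flushed_packets", false);  /* "ex.html " leaks in */
    dump("with zero_flushed_packets   ", true);   /* gap is \x00 bytes   */
    return 0;
}
```

Without zeroing, the rebuilt session B reads `POST /loex.html /1.0` with session A's `ex.html ` sitting in the gap, which is exactly the "two conversations in one alert" symptom; with zeroing, the same gap is eight 0x00 bytes, so a rule can still match on it but no foreign payload is attributed to the session. Dropped packets remain the root cause, so the sensor's drop statistics are worth checking alongside the option.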
Current thread:
- data from multiple sessions in one alert/packet Jon Hart (May 17)
- Re: data from multiple sessions in one alert/packet nikns (May 17)
- Re: data from multiple sessions in one alert/packet Jon Hart (May 18)
- Re: data from multiple sessions in one alert/packet Joel Esler (May 18)
- Alert Suppresion Fail kritikus Araklidas (May 18)
- Re: Alert Suppresion Fail Joel Esler (May 18)
- Mail Notification Fail kritikus Araklidas (May 22)
- Re: data from multiple sessions in one alert/packet Jon Hart (May 18)
- Re: data from multiple sessions in one alert/packet Joel Esler (May 18)
- Re: data from multiple sessions in one alert/packet Jon Hart (May 18)
- Re: data from multiple sessions in one alert/packet nikns (May 17)