Snort mailing list archives
Re: snort-2.8.2.1 and udp alerts
From: Alex <linux () vfemail net>
Date: Wed, 25 Jun 2008 17:42:01 +0300
Stream5 sets both stream reassembly policy, and Flow. It enables you to do a few things. Stream5 will allow you to reassemble segmented traffic and alert on its content. It will also allow that reassembly to be done in a way that fits your environment (bsd, macos etc). A final feature of Stream5 is that it enables the ability to alert on flow. So you can write rules that use "flow: established, to_server" in your rules. Doing so would restrict the rule to only alert on traffic from IP-port pairs with an existing connection.
So, as i understand from your explanation, is better to set in snort.conf preprocessor stream5_global: ... track_udp NO, in order to catch ANY UDP traffic? I don't understand how to set Stream5 processor even after i read README.stream5 to catch and alert excesive broadcasts requests. I am very interested about broadcast traffic in general (not especially related to UDP). In this case, is enough to leave default snort settings unchanged or is REQUIRED to add some new rules? Regards, Alx
There are a few more advantages offered by stream5. For more details check README.stream5 in the doc directory, or the snort manual. Regards, KeithIf you are only getting UDP events being raised by Snort, this means one of two things.No, i'm getting alerts on TCP, UDP, ICMP and so on...If Snort isn't seeing TCP traffic,it can see it. so, what will be the difference regarding alerts or snort behaviour in case when i'll enable UDP and ICMP in stream5 processor, like below: preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ track_udp yes, track_icmp yes or what will be if i'll disable stream5 for all like below preprocessor stream5_global: track_tcp no, \ track_udp no, track_icmp no And finally, the main question: - does snort detect/alert broadcast storms (layer 2 and layer 3 broadcast storms) using my present rules/settings - i posted here all my snort.conf file? If not, how can be snort configured to detect bcast storms in our lan? Regards, AlxOn 24 Jun 2008, at 14:45, Alex wrote:hello snort experts, I am using snort-2.8.2.1 compiled with mysql support. Currently, snort it logs and produce UDP alerts even it seems that UDP support is disabled in config file. Starting snort, i can see in terminal: [root@ltm ~]# snort -c /etc/snort/snort.conf ... Stream5 global config: Track TCP sessions: ACTIVE Max TCP sessions: 8192 Memcap (for reassembly packet storage): 8388608 Track UDP sessions: INACTIVE ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Track ICMP sessions: INACTIVE ... Portscan Detection Config: Detect Protocols: TCP UDP ICMP IP ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan Sensitivity Level: Low Memcap (in bytes): 10000000 ... In snort.conf i can see only 2 lines related to UDP: preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ track_udp no so here, no doubt that UDP is DISABLED and preprocessor sfportscan: proto { all } \ memcap { 10000000 } \ sense_level { low } If UDP support is disabled in snort.conf, which line match and produce the following UDP alerts? I'm not convinced that preprocessor sfportscan will generate it. Can anybody give me a hint? MS-SQL ping attempt 2008-06-23 17:51:15 192.168.0.139:1052 255.255.255.255:1434 UDP or MISC UPnP malformed advertisement 2008-06-23 16:21:10 169.254.209.225:1900 239.255.255.250:1900 UDP below, comes my entire snort.conf file: var HOME_NET any var EXTERNAL_NET any var DNS_SERVERS $HOME_NET var SMTP_SERVERS $HOME_NET var HTTP_SERVERS $HOME_NET var SQL_SERVERS $HOME_NET var TELNET_SERVERS $HOME_NET var SNMP_SERVERS $HOME_NET portvar HTTP_PORTS 80 portvar SHELLCODE_PORTS !80 portvar ORACLE_PORTS 1521 var AIM_SERVERS [64.12.24.0 / 23,64.12.28.0 / 23,64.12.161.0 / 24,64.12.163.0 / 24,64.12.200.0 / 24,205.188.3.0 / 24,205.188.5.0 / 24,205.188.7.0 /24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] var RULE_PATH /etc/snort/rules var PREPROC_RULE_PATH ../preproc_rules dynamicpreprocessor directory /usr/lib/ snort-2.8.2.1_dynamicpreprocessor/ dynamicengine /usr/lib/snort-2.8.2.1_dynamicengine/libsf_engine.so preprocessor frag3_global: max_frags 65536 preprocessor frag3_engine: policy first detect_anomalies preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ track_udp no preprocessor stream5_tcp: policy first, use_static_footprint_sizes preprocessor http_inspect: global \ iis_unicode_map unicode.map 1252 preprocessor http_inspect_server: server default \ profile all ports { 80 8080 8180 } oversize_dir_length 500 preprocessor rpc_decode: 111 32771 preprocessor bo preprocessor ftp_telnet: global \ encrypted_traffic yes \ inspection_type stateful preprocessor ftp_telnet_protocol: telnet \ normalize \ ayt_attack_thresh 200 preprocessor ftp_telnet_protocol: ftp server default \ def_max_param_len 100 \ alt_max_param_len 200 { CWD } \ cmd_validity MODE < char ASBCZ > \ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \ telnet_cmds yes \ data_chan preprocessor ftp_telnet_protocol: ftp client default \ max_resp_len 256 \ bounce yes \ telnet_cmds yes preprocessor smtp: \ ports { 25 587 691 } \ inspection_type stateful \ normalize cmds \ normalize_cmds { EXPN VRFY RCPT } \ alt_max_command_line_len 260 { MAIL } \ alt_max_command_line_len 300 { RCPT } \ alt_max_command_line_len 500 { HELP HELO ETRN } \ alt_max_command_line_len 255 { EXPN VRFY } preprocessor sfportscan: proto { all } \ memcap { 10000000 } \ sense_level { low } preprocessor dcerpc: \ autodetect \ max_frag_size 3000 \ memcap 100000 preprocessor dns: \ ports { 53 } \ enable_rdata_overflow preprocessor ssl: noinspect_encrypted output database: log, mysql, user=snort password=password dbname=snort host=localhost include classification.config include reference.config include $RULE_PATH/local.rules include $RULE_PATH/bad-traffic.rules include $RULE_PATH/exploit.rules include $RULE_PATH/scan.rules include $RULE_PATH/finger.rules include $RULE_PATH/ftp.rules include $RULE_PATH/telnet.rules include $RULE_PATH/rpc.rules include $RULE_PATH/rservices.rules include $RULE_PATH/dos.rules include $RULE_PATH/ddos.rules include $RULE_PATH/dns.rules include $RULE_PATH/tftp.rules include $RULE_PATH/web-cgi.rules include $RULE_PATH/web-coldfusion.rules include $RULE_PATH/web-iis.rules include $RULE_PATH/web-frontpage.rules include $RULE_PATH/web-misc.rules include $RULE_PATH/web-client.rules include $RULE_PATH/web-php.rules include $RULE_PATH/sql.rules include $RULE_PATH/x11.rules include $RULE_PATH/icmp.rules include $RULE_PATH/netbios.rules include $RULE_PATH/misc.rules include $RULE_PATH/attack-responses.rules include $RULE_PATH/oracle.rules include $RULE_PATH/mysql.rules include $RULE_PATH/snmp.rules include $RULE_PATH/smtp.rules include $RULE_PATH/imap.rules include $RULE_PATH/pop2.rules include $RULE_PATH/pop3.rules include $RULE_PATH/nntp.rules include $RULE_PATH/other-ids.rules include $RULE_PATH/experimental.rules Regards, Alx ----------------------------------------------------------------------- -- Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://sourceforge.net/services/buy/index.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users------------------------------------------------------------------------- Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://sourceforge.net/services/buy/index.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------- Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://sourceforge.net/services/buy/index.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- snort-2.8.2.1 and udp alerts Alex (Jun 24)
- Re: snort-2.8.2.1 and udp alerts Leon Ward (Jun 24)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Keith (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Keith (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 26)
- Re: snort-2.8.2.1 and udp alerts Alex (Jun 25)
- Re: snort-2.8.2.1 and udp alerts Leon Ward (Jun 24)