Snort mailing list archives

Re: snort-2.8.2.1 and udp alerts

From: Alex <linux () vfemail net>
Date: Wed, 25 Jun 2008 17:42:01 +0300

Stream5 sets both stream reassembly policy, and Flow. It enables you to
do a few things. Stream5 will allow you to reassemble  segmented traffic
and alert on its content. It will also allow that reassembly to be done
in a way that fits your environment (bsd, macos etc). A final feature of
Stream5 is that it enables the ability to alert on flow. So you can
write rules that use "flow: established, to_server" in your rules. Doing
so would restrict the rule to only alert on traffic from IP-port pairs
with an existing connection.


So, as i understand from your explanation, is better to set in snort.conf
preprocessor stream5_global: ... track_udp NO, in order to catch ANY UDP 
traffic? I don't understand how to set Stream5 processor even after i read 
README.stream5 to catch and alert excesive broadcasts requests.

I am very interested about broadcast traffic in general (not especially 
related to UDP). In this case, is enough to leave default snort settings 
unchanged or is REQUIRED to add some new rules?

Regards,
Alx

There are a few more advantages offered by stream5. For more details
check README.stream5 in the doc directory, or the snort manual.

Regards,
Keith

If you are only getting UDP events being raised by Snort, this means
one of two things.


No, i'm getting alerts on TCP, UDP, ICMP and so on...

If Snort isn't seeing TCP traffic,


it can see it.

so, what will be the difference regarding alerts or snort behaviour in
case when i'll enable UDP and ICMP in stream5 processor, like below:

preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp yes, track_icmp yes

or what will be if i'll disable stream5 for all like below

preprocessor stream5_global: track_tcp no, \
track_udp no, track_icmp no

And finally, the main question:
- does snort detect/alert broadcast storms (layer 2 and layer 3 broadcast
storms) using my present rules/settings - i posted here all my snort.conf
file? If not, how can be snort configured to detect bcast storms in our
lan?

Regards,
Alx

On 24 Jun 2008, at 14:45, Alex wrote:

hello snort experts,

I am using snort-2.8.2.1 compiled with mysql support. Currently,
snort it logs
and produce UDP alerts even it seems that UDP support is disabled in
config
file.

Starting snort, i can see in terminal:
[root@ltm ~]# snort -c /etc/snort/snort.conf
...
Stream5 global config:
Track TCP sessions: ACTIVE
Max TCP sessions: 8192
Memcap (for reassembly packet storage): 8388608
Track UDP sessions: INACTIVE
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Track ICMP sessions: INACTIVE
...
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Detect Scan Type: portscan portsweep decoy_portscan
distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
...

In snort.conf i can see only 2 lines related to UDP:

preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no

so here, no doubt that UDP is DISABLED

and

preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }

If UDP support is disabled in snort.conf, which line match and
produce the
following UDP alerts? I'm not convinced that preprocessor sfportscan
will
generate it. Can anybody give me a hint?

MS-SQL ping attempt 2008-06-23 17:51:15 192.168.0.139:1052
255.255.255.255:1434 UDP

or

MISC UPnP malformed advertisement 2008-06-23 16:21:10
169.254.209.225:1900
239.255.255.250:1900 UDP

below, comes my entire snort.conf file:

var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var AIM_SERVERS
[64.12.24.0
/
23,64.12.28.0
/
23,64.12.161.0
/
24,64.12.163.0
/
24,64.12.200.0
/
24,205.188.3.0
/
24,205.188.5.0
/
24,205.188.7.0
/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH ../preproc_rules
dynamicpreprocessor directory /usr/lib/
snort-2.8.2.1_dynamicpreprocessor/
dynamicengine /usr/lib/snort-2.8.2.1_dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
encrypted_traffic yes \
inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
normalize \
ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
def_max_param_len 100 \
alt_max_param_len 200 { CWD } \
cmd_validity MODE < char ASBCZ > \
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
telnet_cmds yes \
data_chan
preprocessor ftp_telnet_protocol: ftp client default \
max_resp_len 256 \
bounce yes \
telnet_cmds yes
preprocessor smtp: \
ports { 25 587 691 } \
inspection_type stateful \
normalize cmds \
normalize_cmds { EXPN VRFY RCPT } \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 500 { HELP HELO ETRN } \
alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }
preprocessor dcerpc: \
autodetect \
max_frag_size 3000 \
memcap 100000
preprocessor dns: \
ports { 53 } \
enable_rdata_overflow
preprocessor ssl: noinspect_encrypted
output database: log, mysql, user=snort password=password dbname=snort
host=localhost
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules

Regards,
Alx

-----------------------------------------------------------------------
-- Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

snort-2.8.2.1 and udp alerts Alex (Jun 24)
- Re: snort-2.8.2.1 and udp alerts Leon Ward (Jun 24)
  - Re: snort-2.8.2.1 and udp alerts Alex (Jun 25)
    - Re: snort-2.8.2.1 and udp alerts Keith (Jun 25)
    - Re: snort-2.8.2.1 and udp alerts Alex (Jun 25)
    - Re: snort-2.8.2.1 and udp alerts Keith (Jun 25)
    - Re: snort-2.8.2.1 and udp alerts Alex (Jun 26)