Snort mailing list archives

Re: flow:established still broken in 2.9.0.5?


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 30 Jun 2011 08:57:55 +1200

On 29/06/11 22:47, Joel Esler wrote:

> Are you dropping packets?  I am wondering that, because maybe Snort
> tagged this as a midstream pickup or something.
Nope. snort is running on the proxy server itself, eth0 shows no errors,
and doing a "kill -USR1" shows

Packet I/O Totals:
:    Received:    661036928
:    Analyzed:    661016939 ( 99.997%)
:    Dropped:        19989 (  0.003%)
:    Filtered:            0 (  0.000%)
:    Outstanding:        19989 (  0.003%)
:    Injected:            0


(this is snort-2.9.0.5 under CentOS-5.6 with "pcap DAQ configured to
passive")

> Do you have a pcap?

I have a pcap of the single packet that triggered the event - but not
the first packet of the TCP stream - so I don't think it means much. As
it's HTTPS, I'll attach it.


> As a rule writing note, "isset" flowbit checks generally should come
> before content.  I have no idea what this rule does though, but I'd
> want the flowbit check before the content in this case, as it's only a
> two-byte match.
That's an EmergingThreat rule - but that shouldn't matter. snort
shouldn't have matched on a "depth:2" half-way through a tcp stream?

The Big Question is: what does snort do when it "starts" in the middle
of a tcp stream? Does it ignore all "flow" related rules, or does it
(erroneously IMO) treat the first packet it sees as the first packet of
the stream? (your question about packet loss makes me think that is what
is happening?)

Thanks

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Attachment: base_packet_195-47333.pcap
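An added example, not part of Jason's mail and not Snort's stream5 or rule-engine code: a toy Python flow tracker that contrasts the two policies his question distinguishes (a "strict" policy that records a session with no observed handshake as a midstream pickup and never reports it as established, versus a "lenient" policy that treats the first packet seen as the start of an established stream), together with a small rule evaluator that shows why Joel's ordering note matters (a flowbit check placed before content rejects the packet before any content search). The policy names, the packets, the addresses/ports and the flowbit name "example.bit" are constructed for the illustration; real Snort behaviour is not asserted here.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SYN, PSH, ACK = 0x02, 0x08, 0x10
Endpoint = Tuple[str, int]


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


@dataclass
class Flow:
    client: Endpoint
    server: Endpoint
    state: str = "new"           # new -> syn -> synack -> established (or midstream)
    midstream: bool = False      # first packet seen for this session was not a SYN
    flowbits: Set[str] = field(default_factory=set)


class Tracker:
    """policy='strict': no observed handshake -> state 'midstream', never 'established'.
    policy='lenient': the first packet seen is treated as the start of an established
    session (the behaviour Jason suspects). Both are constructed for this example."""

    def __init__(self, policy: str = "strict"):
        self.policy = policy
        self.flows: Dict[tuple, Flow] = {}

    @staticmethod
    def _key(p: Pkt) -> tuple:
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def process(self, p: Pkt) -> Flow:
        key = self._key(p)
        f = self.flows.get(key)
        if f is None:
            if p.flags & SYN and not p.flags & ACK:
                f = Flow((p.src, p.sport), (p.dst, p.dport), state="syn")
            else:
                # Midstream pickup: no SYN seen. Direction is a guess; assume the
                # lower port is the server side.
                if p.dport < p.sport:
                    client, server = (p.src, p.sport), (p.dst, p.dport)
                else:
                    client, server = (p.dst, p.dport), (p.src, p.sport)
                state = "established" if self.policy == "lenient" else "midstream"
                f = Flow(client, server, state=state, midstream=True)
            self.flows[key] = f
            return f
        if f.state == "syn" and p.flags & SYN and p.flags & ACK:
            f.state = "synack"
        elif f.state == "synack" and p.flags & ACK and not p.flags & SYN:
            f.state = "established"
        return f


def to_server(f: Flow, p: Pkt) -> bool:
    return (p.src, p.sport) == f.client


def rule_matches(f: Flow, p: Pkt, content: bytes, depth: int,
                 require_bit: Optional[str] = None, bit_first: bool = True):
    """Evaluate: flow:established,to_server; [flowbits:isset,<bit>;] content:<c>; depth:<d>;
    Returns (matched, content_searched) so the cost of option ordering is visible.
    depth bounds the search to the first <d> bytes of the inspected buffer
    (here: this packet's payload, no reassembly)."""
    if f.state != "established" or not to_server(f, p):
        return False, False
    bit_ok = require_bit is None or require_bit in f.flowbits
    if bit_first and not bit_ok:
        return False, False          # cheap flowbit test rejects before any content search
    content_hit = content in p.payload[:depth]
    return (content_hit and bit_ok), True


TLS_HELLO = b"\x16\x03\x01\x00\xa5"  # constructed: leading bytes of a TLS record
SERVER = ("192.0.2.10", 443)


def demo_midstream(policy: str):
    """Sensor starts mid-session: the only packet seen is a client data packet."""
    t = Tracker(policy)
    p = Pkt("10.0.0.5", 47333, *SERVER, ACK | PSH, TLS_HELLO)
    f = t.process(p)
    matched, _ = rule_matches(f, p, b"\x16\x03", depth=2)
    return f.state, f.midstream, matched


def demo_handshake(bit_first: bool, set_bit: bool = False):
    """Full 3-way handshake observed, then the same data packet."""
    t = Tracker("strict")
    c = ("10.0.0.5", 47334)
    t.process(Pkt(*c, *SERVER, SYN))
    t.process(Pkt(*SERVER, *c, SYN | ACK))
    t.process(Pkt(*c, *SERVER, ACK))
    p = Pkt(*c, *SERVER, ACK | PSH, TLS_HELLO)
    f = t.process(p)
    if set_bit:
        f.flowbits.add("example.bit")
    return rule_matches(f, p, b"\x16\x03", depth=2,
                        require_bit="example.bit", bit_first=bit_first)


if __name__ == "__main__":
    print("midstream, strict :", demo_midstream("strict"))
    print("midstream, lenient:", demo_midstream("lenient"))
    print("handshake, bit unset, bit first    :", demo_handshake(True))
    print("handshake, bit unset, content first:", demo_handshake(False))
    print("handshake, bit set                 :", demo_handshake(True, set_bit=True))
```

Under the lenient policy the lone mid-stream packet satisfies flow:established and the two-byte depth:2 content fires on whatever bytes happen to be at the start of the first payload the sensor saw; under the strict policy the same packet is recorded as a midstream pickup and the rule never reaches the content test. The handshake runs show the ordering point: with the flowbit unset, bit-first evaluation returns without searching content, content-first searches and then fails.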
