Snort mailing list archives

Re: [Emerging-Sigs] Snort Alerts Differences with and without WebProxy


From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 21 May 2012 10:13:20 -0400

The eth1 data looks like it is much further into the packet than the eth0
data, so check your http_inspect flow depths.

On Mon, May 21, 2012 at 3:30 AM, Balasubramaniam Natarajan <bala150985 () gmail com> wrote:

I also tried giving an additional option of "-P 0" while invoking snort;
still no result.

On Mon, May 21, 2012 at 3:03 AM, Balasubramaniam Natarajan <bala150985 () gmail com> wrote:

There was an error in my previous link; this is the correct one, which
shows the Test2 and Test3 results.

http://img207.imageshack.us/img207/4480/snortproxy.jpg


On Mon, May 21, 2012 at 12:58 AM, Balasubramaniam Natarajan <bala150985 () gmail com> wrote:

Hi

I made some more tests and I confirm that something is going wrong: if I
have the proxy on for my clients, snort is missing some alerts.

*BaseLine without Proxy*
When I did not use a webproxy for the client and accessed a page
wherein username and password would be submitted over clear text,
snort would throw up this alert:
"ET POLICY Http Client Body contains pass= in cleartext".

*Test1: (Running Wireshark on client)*
I ran wireshark locally on the client and tried to access the same
page wherein username and password would be submitted over clear text.
Snort did not throw the alert like previously, though I am able to see my
username and password in the pcap.

*Test2: (Running tcpdump on snort: #tcpdump -vv -i eth0 -w eth0.pcap -s 0)*
I ran tcpdump on the eth0 interface of snort and tried to access the
same page wherein username and password would be submitted over clear text.
Snort did not throw the alert, though I am able to see my username and
password in the pcap.

*Test3: (Running tcpdump on snort: #tcpdump -vv -i eth1 -w eth1.pcap -s 0)*
I ran tcpdump on the eth1 interface of snort and tried to access the
same page wherein username and password would be submitted over clear text.
Snort did not throw the alert, though I am able to see my username and
password in the pcap.

Attaching screen shot of Test2 and Test3.

http://img207.imageshack.us/img207/4480/snortproxy.jpg

*Note:* I had to add the additional switch of "-s 0" to tcpdump as I
was getting this error: "[Packet size limited during capture: HTTP
truncated]". I am not sure if snort is sharing the same fate as tcpdump,
and I am not sure how to add the additional switch of "-s 0" to the running
instance of snort.

@Joel, thanks for showing me the right group to address this question to,
and I did not see "incorrect" appearing anywhere in the pcap.


On Sun, May 20, 2012 at 8:56 PM, Joel Esler <jesler () sourcefire com> wrote:

Probably a better question for the Snort-users mailing list. But yes,
the IPs may show up differently (for instance the source IP may be that of
the proxy).

Maybe some checksum errors in there?

Do a tcpdump on the interface with the -vv options and see if
"incorrect" shows up in the dump.

--
Joel Esler

On May 20, 2012, at 4:31 AM, Balasubramaniam Natarajan <bala150985 () gmail com> wrote:

Hi

Should there be any difference in Snort alerts if the internal clients
are using a webproxy as opposed to those which are not? I am asking this
because I see a remarkable difference between the two.


*Initial Configuration without Squid WebProxy*
Internal Clients (Default Gateway eth1 on snort) ---> (eth1) Snort
(eth0) ----> Internet

Snort was running on eth1 and it logged lots of alerts


*Present Configuration with Squid WebProxy*

Internal Client (webproxy to snort:3128 on eth1)   ------> (eth1) Snort
(eth0) ------> Internet

Now Snort is running on the eth0 interface and the number of alerts
logged is far lower. I guess some alerts are somehow missed.

--
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro
http://www.emergingthreatspro.com
The ONLY place to get complete premium rulesets for Snort 2.4.0 through
Current!




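An added illustration of Russ's flow-depth point (this is example code, not code from the thread or from Snort): it emulates an HTTP client-body content match, like the ET "pass=" rule, under an inspection depth limit, and shows how the longer request headers a proxy sees push the body past the depth so the match never fires. The two requests, the depth value of 300 and the header set are constructed assumptions; the depth semantics (0 = inspect everything, N = only the first N bytes) follow http_inspect's flow depths.

```python
# Added example (not from the thread or from Snort): emulate a client-body content
# match under an inspection depth, as http_inspect flow depths apply it:
# 0 = inspect all, N = only the first N bytes. Both requests are constructed samples.

DIRECT_REQUEST = (
    b"POST /login.php HTTP/1.1\r\nHost: www.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\n"
    b"user=alice&pass=s3cret&go=1"
)

# Same form post as a proxy sees it: absolute URI plus the browser's usual headers.
PROXIED_REQUEST = (
    b"POST http://www.example.test/login.php HTTP/1.1\r\nHost: www.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\n"
    b"Proxy-Connection: keep-alive\r\n"
    b"Cookie: PHPSESSID=0123456789abcdef0123456789abcdef\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\n"
    b"user=alice&pass=s3cret&go=1"
)

def split_request(raw: bytes):
    """Return (headers, body, body_offset); raise if the header block is incomplete."""
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("incomplete HTTP request headers")
    return raw[:sep], raw[sep + 4:], sep + 4

def body_match(raw: bytes, pattern: bytes, depth: int) -> dict:
    """Content match on the client body, counting only bytes within `depth`."""
    _, body, body_offset = split_request(raw)
    idx = body.find(pattern)
    # Absolute offset just past the pattern; the whole pattern must be inspected.
    pattern_end = None if idx < 0 else body_offset + idx + len(pattern)
    inspected = len(raw) if depth == 0 else min(depth, len(raw))
    return {"body_offset": body_offset, "pattern_end": pattern_end,
            "inspected": inspected,
            "hit": pattern_end is not None and pattern_end <= inspected}

def minimum_depth(raw: bytes, pattern: bytes) -> int:
    """Smallest positive depth at which the match still fires (0 if no match)."""
    return body_match(raw, pattern, 0)["pattern_end"] or 0

if __name__ == "__main__":
    for name, req in (("direct", DIRECT_REQUEST), ("proxied", PROXIED_REQUEST)):
        r = body_match(req, b"pass=", 300)
        print(f"{name}: body at {r['body_offset']}, needs depth >= "
              f"{minimum_depth(req, b'pass=')}, at 300: {'ALERT' if r['hit'] else 'missed'}")
```

Comparing `minimum_depth` for a proxied request against the configured client flow depth tells you whether the rule can fire at all on that path, independent of what tcpdump shows in the pcap.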



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
