Snort mailing list archives
Re: Can't alert on most
From: Michael Wisniewski <wiz561 () gmail com>
Date: Tue, 4 Mar 2014 13:36:49 -0600
Thanks for the response. I might try another version of Snort to see if this fixes the problem. My concern is that since it's my first and new install of Snort and it's in a virtual environment, something strange is going on with the packets, because 99% of the time it's something I'm doing wrong and it's not the product that's the problem.

I ended up taking a tcpdump on the interface from the box I have Snort running on and then completing a nikto scan from an outside IP. Snort didn't identify much.... Basically, the following was found:

stream5: Data sent on stream after TCP Reset
http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
http_inspect: UNKNOWN METHOD
Snort Alert [119:33:1] http_inspect: LONG HEADER

I even read the pcap into Snort and found the same alerts. I then discovered that VirusTotal has a handy little addition where you can upload the pcap and it will do Snort analysis on the file and show you the alerts. When I uploaded the pcap to VirusTotal, it lit up as expected with the nikto scan. Just a small sampling of the VirusTotal results from Snort...

SERVER-WEBAPP SezHoo remote file include in SezHooTabsAndActions.php (Web Application Attack)
SERVER-IIS tilde character file name discovery attempt (Attempted Information Leak)
SERVER-WEBAPP basilix sendmail.inc access (Access to a Potentially Vulnerable Web Application)
SERVER-WEBAPP dcforum.cgi access (Attempted Information Leak)
SERVER-WEBAPP mmstdod.cgi access (Attempted Information Leak)
SERVER-WEBAPP whois_raw.cgi access (Attempted Information Leak)
SERVER-WEBAPP webplus version access (Attempted Information Leak)
SERVER-WEBAPP webplus directory traversal (Web Application Attack)
SERVER-WEBAPP websendmail access (Attempted Information Leak)

I would expect that my local installation should flag on the above as well, but it's not. The TCP small segment sizes, I already "tuned" that so it's not an issue. My point was that Snort is actually seeing some stuff, but is missing almost everything important.

I'll attach two files below; me reading the pcap in Snort and my snort.conf file. If somebody can suggest anything, that would be great.

Reading pcap in snort: http://pastebin.com/Bf2MdN0d
snort.conf file: http://pastebin.com/frdW7njk
Virustotal alerts: https://www.virustotal.com/en/file/0487d014c2964d439ad4f39db3d73945bee32cb10e02dad70a7c8df725d5511c/analysis/

Thanks in advance again for any help and assistance.

On Tue, Mar 4, 2014 at 11:58 AM, Carlos G Mendioroz <tron () acm org> wrote:
> Waldo,
> it seems to me that Michael is more concerned about not receiving any port scan event than about receiving the small segments alert.
>
> I'm also seeing this (weird?) behaviour of one alert being produced and nothing else with 2.9.6 and "stock" (in my case snapshot #2960) rules.
>
> -Carlos
>
> waldo kitty @ 04/03/2014 09:25 -0300 dixit:
>> On 3/3/2014 9:48 PM, Michael Wisniewski wrote:
>>> ...and there's some other alerts, but the TCP small segments are the ones that dominate the log. I can do an nmap scan from offsite and all I see are the above alert; nothing about a portscan. Does anybody know why I'm seeing this? In the conf file, I have pretty much all stock (except for the paths). Is there something else that needs to be enabled in order to see the proper alerts?
>>
>> it really isn't about seeing "the proper alerts"... the small segments alerts are proper alerts... the question is how do you want to solve it... there are several ways... one way is to disable the rule by commenting it out in the preprocessor rules file... another way is to threshold the rule... but tuning your snort.conf's stream5_tcp small_segments settings or removing the small_segments settings portion of the config would probably be better... IMO, the former is the preferred with the latter and others being (extreme) last resort methods...
>
> --
> Carlos G Mendioroz <tron () acm org>

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
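An added example, not from the thread and not Snort's own code: a small Python tally of `snort -A fast` output by generator ID. It makes the distinction the comparison above turns on visible in one number: text-rule hits (GID 1, the SERVER-WEBAPP alerts VirusTotal reported) versus preprocessor events only (stream5, http_inspect). The sample lines are constructed; only 119:33 LONG HEADER is taken from the message, the other gid:sid pairs, the rule message and the addresses are placeholders, and the GID table is Snort's well-known generator numbering.

```python
import re
from collections import Counter

# Well-known Snort 2.9 generator IDs: GID 1 is the text rule set (the
# SERVER-WEBAPP rules VirusTotal reported); the others are preprocessors.
GENERATORS = {
    1: "text rules",
    119: "http_inspect (client)",
    120: "http_inspect (server)",
    122: "sfPortscan",
    129: "stream5",
}

# Captures "[gid:sid:rev] message" between the [**] markers of a -A fast line.
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

# Constructed sample of `snort -c snort.conf -r scan.pcap -A fast` output.
# Only 119:33 LONG HEADER comes from the thread; the other gid:sid pairs,
# the rule message and the addresses are placeholders.
SAMPLE_FAST = """\
03/04-13:01:02.000001  [**] [129:12:1] stream5: Data sent on stream after TCP Reset [**] [Priority: 3] {TCP} 198.51.100.7:40001 -> 192.0.2.10:80
03/04-13:01:02.000450  [**] [119:33:1] http_inspect: LONG HEADER [**] [Priority: 3] {TCP} 198.51.100.7:40002 -> 192.0.2.10:80
03/04-13:01:03.100000  [**] [119:12:1] http_inspect: UNKNOWN METHOD [**] [Priority: 3] {TCP} 198.51.100.7:40003 -> 192.0.2.10:80
03/04-13:01:04.200000  [**] [1:1000001:1] SERVER-WEBAPP placeholder.cgi access [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40004 -> 192.0.2.10:80
"""
# The same run with the single rule hit removed: the shape of the local result in the thread.
SAMPLE_PREPROC_ONLY = "\n".join(l for l in SAMPLE_FAST.splitlines() if "[1:" not in l)


def parse_fast_alerts(text):
    """Yield (gid, sid, msg) for each alert line; non-alert lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(4)


def tally_by_generator(text):
    """Alert counts keyed by generator name; unknown GIDs are shown as 'gid N'."""
    counts = Counter()
    for gid, _sid, _msg in parse_fast_alerts(text):
        counts[GENERATORS.get(gid, f"gid {gid}")] += 1
    return dict(counts)


def rule_engine_silent(text):
    """True when alerts exist but none came from the text rule set (GID 1):
    the preprocessors saw the traffic, yet no signature fired."""
    alerts = list(parse_fast_alerts(text))
    return bool(alerts) and not any(gid == 1 for gid, _sid, _msg in alerts)
```

Run it over the real `-A fast` output of the local pcap read and of a known-good sensor; if the local tally has no "text rules" entry, the capture is reaching the preprocessors and the rule side of snort.conf is where to look next.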
Current thread:
- Can't alert on most Michael Wisniewski (Mar 03)
- Re: Can't alert on most waldo kitty (Mar 04)
- Re: Can't alert on most Carlos G Mendioroz (Mar 04)
- Re: Can't alert on most Michael Wisniewski (Mar 04)
- Re: Can't alert on most waldo kitty (Mar 04)
- Re: Can't alert on most Carlos G Mendioroz (Mar 05)
- Re: Can't alert on most Michael Wisniewski (Mar 05)
- Re: Can't alert on most Doug Burks (Mar 05)
- Re: Can't alert on most Michael Wisniewski (Mar 05)
- Re: Can't alert on most Gierczak, Stan (Mar 28)
- Re: Can't alert on most waldo kitty (Mar 28)
- Re: Can't alert on most Carlos G Mendioroz (Mar 04)
- Re: Can't alert on most waldo kitty (Mar 05)
- Re: Can't alert on most waldo kitty (Mar 04)