Snort mailing list archives

Re: Can't alert on most


From: Michael Wisniewski <wiz561 () gmail com>
Date: Tue, 4 Mar 2014 13:36:49 -0600

Thanks for the response.  I might try another version of Snort to see if
this fixes the problem.  My concern is that since it's my first and new
install of Snort and it's in a virtual environment, something strange is
going on with the packets because 99% of the time, it's something I'm doing
wrong and it's not the product that's the problem.

I ended up taking a tcpdump on the interface from the box I have snort
running on and then completing a nikto scan from an outside IP.  Snort
didn't identify much....  Basically, the following was found:

stream5: Data sent on stream after TCP Reset
http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
http_inspect: UNKNOWN METHOD
Snort Alert [119:33:1]
http_inspect: LONG HEADER

I even read the pcap into snort and found the same alerts.

I then discovered that virustotal has a handy little addition that you can
upload the pcap and it will do Snort analysis on the file and show you the
alerts.  When I uploaded the pcap to virus total, it lit up as expected
with the nikto scan.  Just a small sampling of the virustotal results from
Snort...

SERVER-WEBAPP SezHoo remote file include in SezHooTabsAndActions.php (Web Application Attack)
SERVER-IIS tilde character file name discovery attempt (Attempted Information Leak)
SERVER-WEBAPP basilix sendmail.inc access (Access to a Potentially Vulnerable Web Application)
SERVER-WEBAPP dcforum.cgi access (Attempted Information Leak)
SERVER-WEBAPP mmstdod.cgi access (Attempted Information Leak)
SERVER-WEBAPP whois_raw.cgi access (Attempted Information Leak)
SERVER-WEBAPP webplus version access (Attempted Information Leak)
SERVER-WEBAPP webplus directory traversal (Web Application Attack)
SERVER-WEBAPP websendmail access (Attempted Information Leak)

I would expect that my local installation should flag on the above as well,
but it's not.

The TCP small segment sizes I already "tuned", so that's not an issue.
My point was that Snort is actually seeing some stuff, but is missing
almost everything important.  I'll attach two files below; me reading the
pcap in snort and my snort.conf file.  If somebody can suggest anything,
that would be great.


Reading pcap in snort: http://pastebin.com/Bf2MdN0d
snort.conf file: http://pastebin.com/frdW7njk
Virustotal alerts:
https://www.virustotal.com/en/file/0487d014c2964d439ad4f39db3d73945bee32cb10e02dad70a7c8df725d5511c/analysis/


Thanks in advance again for any help and assistance.





On Tue, Mar 4, 2014 at 11:58 AM, Carlos G Mendioroz <tron () acm org> wrote:


Waldo,
it seems to me that Michael is more concerned about not receiving any
port scan event than about receiving the small segments alert.

I'm also seeing this (weird >) behaviour of one alert being produced
and nothing else with 2.9.6 and "stock" (in my case snapshot #2960) rules.

-Carlos

waldo kitty @ 04/03/2014 09:25 -0300 dixit:
On 3/3/2014 9:48 PM, Michael Wisniewski wrote:
...and there's some other alerts, but the TCP small segments are
the ones that dominate the log.  I can do a nmap scan from
offsite and all I see are the above alert; nothing about a
portscan.

Does anybody know why I'm seeing this?  In the conf file, I have
pretty much all stock (except for the paths).  Is there something
else that needs to be enabled in order to see the proper alerts?

it really isn't about seeing "the proper alerts"... the small
segments alerts are proper alerts... the question is how do you
want to solve it... there are several ways... one way is to disable
the rule by commenting it out in the preprocessor rules file...
another way is to threshold the rule... but tuning your
snort.conf's stream5_tcp small_segments settings or removing the
small_segments settings portion of the config would probably be
better... IMO, the former is the preferred with the latter and
others being (extreme) last resort methods...


--
Carlos G Mendioroz  <tron () acm org>
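To make waldo's three options concrete, here is an added snort.conf fragment (Snort 2.9.x syntax) that is not from this thread, from either poster's configuration, or from Snort's distributed snort.conf. It shows the small_segments tuning in stream5_tcp, the threshold (event_filter) alternative, the suppress alternative, the sfportscan line that has to be enabled before any portscan event can appear, and the checksum setting worth checking when a pcap was captured on a virtual host. The small_segments numbers and port list are illustrative, and <SMALL_SEGMENT_SID> is a placeholder: take the real sid from the [gid:sid:rev] tag Snort prints on the alert, as in the [119:33:1] line above.

```conf
# Added example (not from the thread). Snort 2.9.x snort.conf syntax.

# Option A, waldo's preferred one: tune small_segments on the stream5_tcp line.
# Raise the event only after 3 consecutive segments under 150 bytes, and skip
# ports where tiny segments are normal traffic. Values here are illustrative;
# the port list is shortened for readability.
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 10, small_segments 3 bytes 150 ignore_ports 22 443, timeout 180, \
    ports client 21 22 23 25 80 110 143 445 3306

# Option B: keep the event but threshold it. GID 129 is stream5; replace the
# placeholder with the sid shown in your own alert output ("[129:<sid>:1]").
# This reports at most one such event per source address per minute.
event_filter gen_id 129, sig_id <SMALL_SEGMENT_SID>, type limit, track by_src, count 1, seconds 60

# Option C (last resort, equivalent to commenting the line out of
# preprocessor.rules): drop the event entirely.
# suppress gen_id 129, sig_id <SMALL_SEGMENT_SID>

# Portscan events come only from sfportscan; the line is commented out in
# many stock snort.conf files, so no portscan alert will ever be produced
# until it is enabled.
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

# Pcaps taken on a virtualised host often carry offloaded (not yet computed)
# checksums; Snort treats those packets as corrupt and does not inspect them.
# Turning verification off for the pcap test run rules that out as the cause
# of "some preprocessor alerts but no rule alerts". Re-enable it afterwards.
config checksum_mode: none
```

After changing the config, run Snort in test mode against it first (snort -T -c snort.conf) to confirm the rules and preprocessors load, then replay the pcap with -r and compare the [gid:sid:rev] tags you get: preprocessor events carry GIDs such as 119 and 129, while the SERVER-WEBAPP signatures listed above are GID 1 rule alerts, so seeing none with GID 1 points at rule loading or packet-acceptance rather than at signature coverage.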


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
