Snort mailing list archives
Re: Snort-devel Digest, Vol 104, Issue 18
From: Muhammad Ridwan Zalbina <zalbinaridwan () gmail com>
Date: Tue, 31 Mar 2015 21:19:58 +0700
Hello, dear snort developers and users . I would like to know how to activate http inspect preprocessor on snort ? and where we place our rules ? 2015-03-31 17:23 GMT+07:00 <snort-devel-request () lists sourceforge net>:
Send Snort-devel mailing list submissions to snort-devel () lists sourceforge net To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-devel or, via email, send a message with subject or body 'help' to snort-devel-request () lists sourceforge net You can reach the person managing the list at snort-devel-owner () lists sourceforge net When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-devel digest..." Today's Topics: 1. Re: Stream5 issue (Emiliano Fausto) 2. Re: Stream5 issue (Arun Koshal) ---------------------------------------------------------------------- Message: 1 Date: Mon, 30 Mar 2015 10:35:05 -0300 From: Emiliano Fausto <emiliano.fausto () gmail com> Subject: Re: [Snort-devel] Stream5 issue To: Arun Koshal <akoshal04 () gmail com> Cc: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net> Message-ID: < CAD2H3x-bL8w0VN94k48_0_v8RQ16Vox3yRCQ78YCxefaWfvcCg () mail gmail com> Content-Type: text/plain; charset="utf-8" Hello Arun, I've found more information about your second issue, maybe these articles help. Link: https://wiki.wireshark.org/Development/LibpcapFileFormat It seems that you'll want to set the snaplen to the maximum size possible: "*A captured packet in a capture file does not necessarily contain all the data in the packet as it appeared on the network; the capture file might contain at most the first N bytes of each packet, for some value of N. The value of N, in such a capture, is called the "snapshot length" or "snaplen" of the capture. N might be a value larger than the largest possible packet, to ensure that no packet in the capture is "sliced" short; a value of 65535 will typically be used in this case.*" Link: http://www.sans.org/reading-room/whitepapers/detection/analysis-snort-data-acquisition-modules-34027 It says: "*Snort developers recommend setting the snap length to the highest possible value since fragmented packets are defragmented before being moved to the QUEUE (Snort Team, daq-0.6.2 README):* * config snaplen: 65535* *Chris Murphy, chrismrph0 () gmail com <chrismrph0 () gmail com>* *With this maximum value, Snort will be sure to see the entire packet.*" Link: http://taosecurity.blogspot.com.ar/2005/04/using-snorts-k-option-i-was-looking.html In this issue, the problem was caused because of the snap-len and the "k" option, which I see you have already setted, so it just validates you should leave it in -k none, but probably won't solve your second issue. In my opinion then, I think you are doing good in increasing the snaplen size, since it's even necessary in most cases. About the first problem I didn't try it, so I can't talk about it by now. If I find something I'll let you know. Hope it helps! Emiliano. On Mon, Mar 30, 2015 at 6:53 AM, Arun Koshal <akoshal04 () gmail com> wrote:Hi Emiliano, Thanks a lot for your inputs!!! I am facing the issue # 1 even after disabling NIC segmentation features. Please find below the output of the ethtool command: -bash-4.1# ethtool -k eth1 Features for eth1: rx-checksumming: off tx-checksumming: off scatter-gather: off tcp-segmentation-offload: off udp-fragmentation-offload: off generic-segmentation-offload: off generic-receive-offload: off large-receive-offload: off rx-vlan-offload: on tx-vlan-offload: on ntuple-filters: off receive-hashing: off Please find below the stream5 configuration in my setup: preprocessor stream5_global: track_tcp yes, \ track_udp yes, \ track_icmp no, \ max_tcp 262144, \ max_udp 131072, \ max_active_responses 2, \ min_response_seconds 5 preprocessor stream5_tcp: policy linux, detect_anomalies, require_3whs 180, \ overlap_limit 10, small_segments 3 bytes 150, timeout 180, max_queued_bytes 0, max_queued_segs 0,\ ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 139 143 \ 161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6633 6653 6665 6666 6667 6668 6669 \ 7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \ ports both 36 80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465563555 591 593 631 636 801 808 818 901 972 989 992 993 994 995 1158 122014141533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 3128 344337024000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7907 7000 7001 707171447145 7510 7802 7770 7777 7778 7779 \ 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \ 7917 7918 7919 7920 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 880088888899 8983 9000 9060 9080 9090 9091 9111 9290 9443 9999 10000 11371 12601 13014 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 preprocessor stream5_udp: timeout 180 As mentioned earlier, I have Snort running in pcap mode, with following options: ./snort -A fast -b -d -k none -i eth1 --daq pcap --daq-var buffer_size=536870912 -u root -g root -c /etc/snort/snort.conf -l /var/log/snort -A unsock I am streaming the client side traffic only. Please let me know how should I debug this problem. The first issue has really become a bottleneck. Thanks and regards, Arun On Sat, Mar 28, 2015 at 6:59 PM, Emiliano Fausto < emiliano.fausto () gmail com> wrote:Hello Arun, I'd suggest you to read this article:http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.htmlI had similar troubles too some time ago because of it. Also depending on what you are trying to capture, this option could also be influencing the capture: -k *checksum-mode* Controls which packet checksums Snort computes and verifies. Valid checksum modes include all, noip, notcp, noudp, noicmp, and none. This can be used to eliminate packets that fail their checksums - causedeitherby network faults or IDS evasion attempts Maybe if your checksum is known to fail, you may put: "-k none" Hope it helps!! Regards, Emiliano. On Sat, Mar 28, 2015 at 1:34 AM, Arun Koshal <akoshal04 () gmail com>wrote:Hi, I have written a dynamic preprocessor for inspecting some custom application. This dynamic preprocessor depends on stream5 preprocessorfromgetting the TCP stream. I am using snort in PCAP mode. I am facing following very strange problems - 1. The data in the rebuilt stream given by stream5 does not match with the TCP sequence number. For example - for a given TCP packet thesequencenumber in packet (pkt->tcp_header->sequence) is 507351850, but thedata inpkt->payload is actually same as that of some old packet, having TCP sequence number 507343162. This scenario happens in case there are lotofpackets getting dropped. I confirmed this with wireshark packetcapture andI have observed multiple such instances. I also noticed that I amgettingall the packets in the same buffer (pkt->payload remains same for all packets). So it seems like that I am getting a new packet with newheaderbut old data. If I configure the pcap buffer_size as 512MB, thepackets donot drop and this problem does not happen. 2. The second problem that I faced was with the pcap snap_len. In my setup, I had snort running with default pcap snap_len. I noticed thatsnortwas not receiving packets having 1448 bytes data (1500 bytes, excluding Ethernet header). On reducing the MTU of the traffic generator from1500 to1484, Snort started receiving those packets. As a workaround, Iincreasedthe snap_len in sfdaq.c to 1546. Is this behaviour correct? It would be really great if someone can provide some inputs on these issues. Thanks and regards. Arun------------------------------------------------------------------------------Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and jointheconversation now. http://goparallel.sourceforge.net/ _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!-------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ Message: 2 Date: Tue, 31 Mar 2015 15:53:42 +0530 From: Arun Koshal <akoshal04 () gmail com> Subject: Re: [Snort-devel] Stream5 issue To: Emiliano Fausto <emiliano.fausto () gmail com> Cc: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net> Message-ID: < CAOUJN1C4fcLPAU+a94b_FAhAWvHk2zKni_SX3kKbz2cekT+w4A () mail gmail com> Content-Type: text/plain; charset="utf-8" Hi Emiliano, Thanks a lot for your inputs!!! This information is really helpful. I am still working on the first issue and any suggestions on that will really be helpful. In order to ensure that what I have implemented is correct, please find below few points elaborating the implementation: 1. Setting up the client side reassembly (this is done if pkt->stream_session_ptr is not NULL): *if (!(_dpd.streamAPI->get_reassembly_direction(pkt->stream_session_ptr) & SSN_DIR_FROM_CLIENT)) { _dpd.streamAPI->set_reassembly(pkt->stream_session_ptr, STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_FROM_CLIENT, STREAM_FLPOLICY_SET_ABSOLUTE); }* 2. Skip the packet if *(pkt->flags & FLAG_STREAM_INSERT)* is true. 3. I am processing the packets having *(pkt->flags & FLAG_REBUILT_STREAM)* set. 4. For stream rebuilt packets (FLAG_REBUILT_STREAM set), I am calling function _dpd.streamAPI->missing_in_reassembled() to check if there is any missing packet. In that case I am doing a cleanup of the application state and re-initializing it. This works fine if packet rate is not too high. On high packet rate, I start getting the second issue. To debug the issue I added code to match the TCP sequence numbers. But it was really surprising that I am getting old data with a new sequence number. I have handled the scenario of missing packets in my application code but this behaviour (old data with new sequence number) seems to be difficult to handle. Please suggest if I am missing something. Thanks again for your valuable inputs! Thanks and regards, Arun On Mon, Mar 30, 2015 at 7:05 PM, Emiliano Fausto < emiliano.fausto () gmail com> wrote:Hello Arun, I've found more information about your second issue, maybe these articles help. Link: https://wiki.wireshark.org/Development/LibpcapFileFormat It seems that you'll want to set the snaplen to the maximum sizepossible:"*A captured packet in a capture file does not necessarily contain all the data in the packet as it appeared on the network; the capture file might contain at most the first N bytes of each packet, for some value of N. The value of N, in such a capture, is called the "snapshot length"or"snaplen" of the capture. N might be a value larger than the largest possible packet, to ensure that no packet in the capture is "sliced"short;a value of 65535 will typically be used in this case.*" Link:http://www.sans.org/reading-room/whitepapers/detection/analysis-snort-data-acquisition-modules-34027It says: "*Snort developers recommend setting the snap length to the highest possible value since fragmented packets are defragmented before being moved to the QUEUE (Snort Team, daq-0.6.2 README):* * config snaplen: 65535* *Chris Murphy, chrismrph0 () gmail com <chrismrph0 () gmail com>* *With this maximum value, Snort will be sure to see the entire packet.*" Link:http://taosecurity.blogspot.com.ar/2005/04/using-snorts-k-option-i-was-looking.htmlIn this issue, the problem was caused because of the snap-len and the "k" option, which I see you have already setted, so it just validates you should leave it in -k none, but probably won't solve your second issue. In my opinion then, I think you are doing good in increasing the snaplen size, since it's even necessary in most cases. About the first problem I didn't try it, so I can't talk about it by now. If I find something I'll let you know. Hope it helps! Emiliano. On Mon, Mar 30, 2015 at 6:53 AM, Arun Koshal <akoshal04 () gmail com>wrote:Hi Emiliano, Thanks a lot for your inputs!!! I am facing the issue # 1 even after disabling NIC segmentationfeatures.Please find below the output of the ethtool command: -bash-4.1# ethtool -k eth1 Features for eth1: rx-checksumming: off tx-checksumming: off scatter-gather: off tcp-segmentation-offload: off udp-fragmentation-offload: off generic-segmentation-offload: off generic-receive-offload: off large-receive-offload: off rx-vlan-offload: on tx-vlan-offload: on ntuple-filters: off receive-hashing: off Please find below the stream5 configuration in my setup: preprocessor stream5_global: track_tcp yes, \ track_udp yes, \ track_icmp no, \ max_tcp 262144, \ max_udp 131072, \ max_active_responses 2, \ min_response_seconds 5 preprocessor stream5_tcp: policy linux, detect_anomalies, require_3whs 180, \ overlap_limit 10, small_segments 3 bytes 150, timeout 180, max_queued_bytes 0, max_queued_segs 0,\ ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 139 143 \ 161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6633 6653 6665 6666 6667 6668 6669 \ 7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \ ports both 36 80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 555 591 593 631 636 801 808 818 901 972 989 992 993 994 995 115812201414 1533 1741 1830 1942 2231 2301 2381 2809 2980 3029 3037 3057 312834433702 4000 4343 4848 5000 5117 5250 5600 6080 6173 6988 7907 7000 700170717144 7145 7510 7802 7770 7777 7778 7779 \ 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \ 7917 7918 7919 7920 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8333 8344 8500 8509 880088888899 8983 9000 9060 9080 9090 9091 9111 9290 9443 9999 10000 11371 12601 13014 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 preprocessor stream5_udp: timeout 180 As mentioned earlier, I have Snort running in pcap mode, with following options: ./snort -A fast -b -d -k none -i eth1 --daq pcap --daq-var buffer_size=536870912 -u root -g root -c /etc/snort/snort.conf -l /var/log/snort -A unsock I am streaming the client side traffic only. Please let me know how should I debug this problem. The first issue has really become a bottleneck. Thanks and regards, Arun On Sat, Mar 28, 2015 at 6:59 PM, Emiliano Fausto < emiliano.fausto () gmail com> wrote:Hello Arun, I'd suggest you to read this article:http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.htmlI had similar troubles too some time ago because of it. Also depending on what you are trying to capture, this option couldalsobe influencing the capture: -k *checksum-mode* Controls which packet checksums Snort computes and verifies. Valid checksum modes include all, noip, notcp, noudp, noicmp, and none. This can be used to eliminate packets that fail their checksums - causedeitherby network faults or IDS evasion attempts Maybe if your checksum is known to fail, you may put: "-k none" Hope it helps!! Regards, Emiliano. On Sat, Mar 28, 2015 at 1:34 AM, Arun Koshal <akoshal04 () gmail com> wrote:Hi, I have written a dynamic preprocessor for inspecting some custom application. This dynamic preprocessor depends on stream5preprocessor fromgetting the TCP stream. I am using snort in PCAP mode. I am facing following very strange problems - 1. The data in the rebuilt stream given by stream5 does not match with the TCP sequence number. For example - for a given TCP packet thesequencenumber in packet (pkt->tcp_header->sequence) is 507351850, but thedata inpkt->payload is actually same as that of some old packet, having TCP sequence number 507343162. This scenario happens in case there arelot ofpackets getting dropped. I confirmed this with wireshark packetcapture andI have observed multiple such instances. I also noticed that I amgettingall the packets in the same buffer (pkt->payload remains same for all packets). So it seems like that I am getting a new packet with newheaderbut old data. If I configure the pcap buffer_size as 512MB, thepackets donot drop and this problem does not happen. 2. The second problem that I faced was with the pcap snap_len. In my setup, I had snort running with default pcap snap_len. I noticed thatsnortwas not receiving packets having 1448 bytes data (1500 bytes,excludingEthernet header). On reducing the MTU of the traffic generator from1500 to1484, Snort started receiving those packets. As a workaround, Iincreasedthe snap_len in sfdaq.c to 1546. Is this behaviour correct? It would be really great if someone can provide some inputs on these issues. Thanks and regards. Arun------------------------------------------------------------------------------Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and jointheconversation now. http://goparallel.sourceforge.net/ _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!-------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ ------------------------------------------------------------------------------ Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/ ------------------------------ _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel End of Snort-devel Digest, Vol 104, Issue 18 ********************************************
------------------------------------------------------------------------------ Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Re: Snort-devel Digest, Vol 104, Issue 18 Muhammad Ridwan Zalbina (Mar 31)
- Re: Snort-devel Digest, Vol 104, Issue 18 Al Lewis (allewi) (Mar 31)