Snort mailing list archives
Re: missing alerts: Snort does not inspect payload from the machine it's running on?
From: Claus Regelmann <rgc () rgc1 inka de>
Date: Fri, 08 Apr 2016 21:19:57 +0200
I dove into the source code and eventually found a solution that works, at least in 'my' environment: packet errors are checked in function "Preprocess" (file decode.c). This checking includes checksum errors. If a packet comes from a local process and is captured before it goes on to the real HW, is there a valid checksum? It does not seem so! I masked checksum errors in "Preprocess" ... it works.

Here is my (1st) patch:

-- 8< ------------ >8 --
diff -Naur snort-2.9.8.2/src/detect.c snort-2.9.8.2-cr/src/detect.c --- snort-2.9.8.2/src/detect.c 2016-03-18 14:54:31.000000000 +0100 +++ snort-2.9.8.2-cr/src/detect.c 2016-04-08 16:04:47.000000000 +0200 @@ -199,15 +199,14 @@ #endif // If the packet has errors, we won't analyze it. - if ( p->error_flags ) + if ( p->error_flags & ~PKT_ERR_CKSUM_ANY ) // RgC: ignore chksum errors { // process any decoder alerts now that policy has been selected... DecodePolicySpecific(p); //actions are queued only for IDS case sfActionQueueExecAll(decoderActionQ); - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, - "Packet errors = 0x%x, ignoring traffic!\n", p->error_flags);); + LogMessage("RgC::detect.c:Prepocess: Packet errors = 0x%x, ignoring traffic!\n", p->error_flags); if ( p->error_flags & PKT_ERR_BAD_TTL ) pc.bad_ttl++;
-- 8< ------------ >8 --

Shouldn't DAQ revise this checksum problem before?

--------------
Claus Regelmann

On 03/19/2016 12:15 AM, Claus Regelmann wrote:
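Review bot: The new condition `p->error_flags & ~PKT_ERR_CKSUM_ANY` drops the checksum check for every packet, not only for the locally generated ones the thread is about, so bad-checksum TCP/UDP packets from remote senders, which the receiving stack will discard anyway, are now handed to detection as well; condition the exception on the packet's source being one of the sensor host's own addresses, or first check whether `config checksum_mode: none` (or `notcp`/`noudp`) in snort.conf, which disables the decoder's checksum verification, already gives the wanted effect without a source change. The replaced `DEBUG_WRAP(DebugMessage(...))` becomes an unconditional `LogMessage(...)` that fires for every packet with any error flag set and will flood the log on a busy sensor; keep the debug wrapper (or remove the line) before submitting. The string in that `LogMessage` also misspells "Preprocess" as "Prepocess".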
Hello,

my snort runs on a small ATOM-based firewall between the internet router and the internal net.

+--------------+                        +----------+
| (NAT) router | <--192.168.178.0/24--> | firewall | <--10.1.0.0/16--> private net
+--------------+                        +----------+
       ^                                     ^
  192.168.178.1                              |192.168.178.240
                                             +-- snort listens here in passive mode

Test cases:

1.) I run 'openssl s_client ...' to connect to a Dridex-CnC. I run this twice, from an internal host and from the firewall. The result is OK, two alerts:

--8< ------ >8--
ID            < Signature >                                                                                      < Timestamp >            < Source Address >     < Dest. Address >   < Layer 4 Proto >
#0-(1-90832)  [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D)  2016-03-18 03:22:19.993  192.168.178.240:40533  87.106.18.216:4483  TCP
#1-(1-90830)  [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D)  2016-03-18 03:17:02.652  10.1.1.5:53410         87.106.18.216:4483  TCP
--8< ------ >8--

2.) The router hosts a DNS-forwarder. I run 'host 0if1nl6.org 192.168.178.1' to look up a zeus host, again from the firewall and the internal host. But now only the query from the internal host alerts:

--8< ------ >8--
ID            < Signature >                                     < Timestamp >           < Source Address >  < Dest. Address >  < Layer 4 Proto >
#0-(1-90896)  [snort] ZeuS Tracker: ZeuS CnC DNS lookup: 0if1nl6.org  2016-03-18 22:44:06.68  10.1.1.5:54346      192.168.178.1:53   UDP
--8< ------ >8--

3.) I wrote a small test rule: 'alert tcp $HOME_NET any -> any 80 (msg:"RgC: TEST pattern found"; pcre:"/[^\/]*\/[0-9a-f]{5,8}\//U"; classtype:trojan-activity; sid:1000007; rev:1;)'. I run 'wget http://...../abcdef01/zzz' on the firewall and the internal host. Again, only the internal case alerts:

--8< ------ >8--
ID            < Signature >                    < Timestamp >            < Source Address >  < Dest. Address >  < Layer 4 Proto >
#0-(1-90897)  [snort] RgC: TEST pattern found  2016-03-18 23:06:51.482  10.1.1.5:37733      193.99.144.85:80   TCP
--8< ------ >8--

The 1st case only inspects header information. The last two cases need the payload.

* Does anybody have an idea what's going wrong here? *

I run snort version 2.9.7.6, self-compiled from sources (LFS). My home-net is set to 'ipvar HOME_NET [192.168.178.240,10.1.0.0/16]'

Thank You
Claus Regelmann
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
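Added example (written for this archive page; it is not code from Snort and not part of the patch above): a small IPv4/TCP/UDP checksum verifier together with a scoped form of the patch's policy. The thread's finding is that packets originating on the sensor host carry no valid transport checksum at capture time; the usual cause is TX checksum offload, where the NIC fills in the field after the point at which libpcap sees the frame. That cause, the placeholder value an offloaded packet carries (modelled here as the pseudo-header sum), and all of the packets below are assumptions and constructed data that mirror the thread's test cases, not captures from the poster's network.

```python
"""
IPv4 + TCP/UDP checksum verification and a source-scoped "tolerate a bad
transport checksum" policy. Added example; not Snort code. All packets are
constructed inline; the offload placeholder value is a modelling assumption.
"""
import ipaddress
import struct

PROTO_TCP = 6
PROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the one's-complement
    sum of big-endian 16-bit words; an odd trailing byte is zero padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src: bytes, dst: bytes, proto: int, l4_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, proto, l4_len)


def build_packet(src, dst, proto, sport, dport, payload, tx_offload=False):
    """Build IPv4 + TCP or UDP with a valid IP header checksum.

    tx_offload=True emulates a sender whose NIC computes the L4 checksum:
    at capture time the field holds only the pseudo-header sum (assumed
    placeholder), so a sniffer on that host sees a checksum that does not
    verify even though the frame is correct once it leaves the NIC."""
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    if proto == PROTO_TCP:
        # 20-byte header: seq 0, ack 0, data offset 5, flags PSH|ACK, window
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18,
                         65535, 0, 0) + payload
        csum_off = 16
    elif proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        csum_off = 6
    else:
        raise ValueError("only TCP and UDP are modelled here")
    pseudo = _pseudo_header(src_b, dst_b, proto, len(l4))
    if tx_offload:
        csum = (~inet_checksum(pseudo)) & 0xFFFF   # partial sum, NIC finishes it
    else:
        csum = inet_checksum(pseudo + l4)
        if proto == PROTO_UDP and csum == 0:
            csum = 0xFFFF                          # RFC 768: 0 means "no checksum"
    l4 = l4[:csum_off] + struct.pack("!H", csum) + l4[csum_off + 2:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000,
                     64, proto, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + l4


def verify(pkt: bytes) -> dict:
    """Check the IPv4 header and TCP/UDP checksums the way a decoder does
    before deciding whether a packet is worth inspecting."""
    ihl = (pkt[0] & 0x0F) * 4
    ip = pkt[:ihl]
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src, dst = ip[12:16], ip[16:20]
    l4 = pkt[ihl:total_len]
    ip_ok = inet_checksum(ip) == 0
    if proto == PROTO_UDP and l4[6:8] == b"\x00\x00":
        l4_ok = True                               # sender chose "no checksum"
    else:
        l4_ok = inet_checksum(_pseudo_header(src, dst, proto, len(l4)) + l4) == 0
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ip_ok": ip_ok, "l4_ok": l4_ok}


def should_inspect(pkt: bytes, local_addrs) -> bool:
    """Scoped variant of the thread's patch: a bad transport checksum is
    tolerated only when the source is one of the sensor host's own addresses
    (its checksum is not final at capture time). From any other source a bad
    checksum still skips inspection, since the receiver will drop the packet
    and inspecting it only lets a sender feed the IDS packets nobody accepts."""
    v = verify(pkt)
    if not v["ip_ok"]:
        return False
    return v["l4_ok"] or v["src"] in set(local_addrs)


# Constructed samples shaped like the thread's test cases (not real captures).
LOCAL = {"192.168.178.240"}                        # the firewall / sensor host
HTTP_REQ = b"GET /abcdef01/zzz HTTP/1.0\r\n\r\n"
DNS_Q = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         b"\x070if1nl6\x03org\x00\x00\x01\x00\x01")

FROM_INTERNAL = build_packet("10.1.1.5", "193.99.144.85", PROTO_TCP, 37733, 80, HTTP_REQ)
FROM_SENSOR = build_packet("192.168.178.240", "193.99.144.85", PROTO_TCP, 40533, 80,
                           HTTP_REQ, tx_offload=True)
DNS_FROM_SENSOR = build_packet("192.168.178.240", "192.168.178.1", PROTO_UDP, 54346, 53,
                               DNS_Q, tx_offload=True)
FORGED_REMOTE = build_packet("10.1.1.5", "193.99.144.85", PROTO_TCP, 37733, 80,
                             HTTP_REQ, tx_offload=True)

if __name__ == "__main__":
    for name, pkt in [("internal host", FROM_INTERNAL), ("sensor host", FROM_SENSOR),
                      ("sensor DNS", DNS_FROM_SENSOR), ("remote, bad csum", FORGED_REMOTE)]:
        print(f"{name:17} {verify(pkt)}  inspect={should_inspect(pkt, LOCAL)}")
```

should_inspect() is the difference between this example and the patch: the patch tolerates a bad checksum for all traffic, this version only for sources listed in LOCAL, so a remote host that sends packets with deliberately broken checksums (which the destination stack discards) still cannot push them into detection. Running the file directly prints the verdict for each constructed sample.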
Current thread:
- Re: missing alerts: Snort does not inspect payload from the machine it's running on? Claus Regelmann (Apr 08)