Snort mailing list archives
Re: missing alerts: Snort does not inspect payload from the machine it's running on?
From: Y M <snort () outlook com>
Date: Tue, 12 Apr 2016 10:35:34 +0000
Are you using the "-k none" on production? It is "usually" preferred to use this option on/while testing rather than in production. What is the checksum option in your snort.conf? In this case, the only potential candidate problem is the NIC checksum offloading stuff. Use ethtool to disable these (lro, gro, etc.) and then test again without the "-k none".

YM
Sent from Mobile

On Mon, Apr 11, 2016 at 3:37 PM -0700, "Claus Regelmann" <rgc () rgc1 inka de> wrote:

But there are lots of 'false positives' concerning DNS if I use the runtime option "-k none". About 300 within 10 minutes.

Claus
-----------------

Signature: PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid
  References: CVE-2010-1690, MS10-024, snort sid 3-21355
  Classification: attempted-recon   Total #: 187 (67%)   Sensor #: 1   Source addresses: 103   Dest. addresses: 1
  First: 2016-04-10 12:59:06.542   Last: 2016-04-10 13:05:51.522

Signature: PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
  References: CVE-2011-1889, MS11-040, snort sid 3-19187
  Classification: attempted-user   Total #: 92 (33%)   Sensor #: 1   Source addresses: 50   Dest. addresses: 1
  First: 2016-04-10 12:57:29.458   Last: 2016-04-10 13:05:52.782

Ex 1:
  ID: 1-71408   Time: 2016-04-10 13:05:52.782
  Triggered Signature: PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [CVE-2011-1889] [MS11-040] [snort sid 3-19187]
  Sensor: rgc1:eth0   Interface: eth0   Filter: none   Alert Group: none
  IP: 204.13.251.13 -> 192.168.178.240   Ver: 4   Hdr Len: 20   TOS: 0   length: 200   ID: 2679   fragment: no   offset: 0   TTL: 54   chksum: 65273 = 0xfef9   Options: none
  UDP: source port 53   dest port 1874   length 180
  Payload (length = 172):
    000 : 2A 12 84 00 00 01 00 08 00 00 00 01 02 65 31 08  *............e1.
    010 : 77 68 61 74 73 61 70 70 03 6E 65 74 00 00 01 00  whatsapp.net....
    020 : 01 C0 0C 00 01 00 01 00 00 0E 10 00 04 AD C0 DE  ................
    030 : A8 C0 0C 00 01 00 01 00 00 0E 10 00 04 A9 2D D6  ..............-.
    040 : E5 C0 0C 00 01 00 01 00 00 0E 10 00 04 AD C0 DE  ................
    050 : A9 C0 0C 00 01 00 01 00 00 0E 10 00 04 AD C0 DE  ................
    060 : AB C0 0C 00 01 00 01 00 00 0E 10 00 04 9E 55 3A  ..............U:
    070 : 4D C0 0C 00 01 00 01 00 00 0E 10 00 04 A9 2D DB  M.............-.
    080 : FD C0 0C 00 01 00 01 00 00 0E 10 00 04 AD C1 CD  ................
    090 : 18 C0 0C 00 01 00 01 00 00 0E 10 00 04 AE 24 D2  ..............$.
    0a0 : 2E 00 00 29 10 00 00 00 80 00 00 00              ...)........

Ex 2:
  ID: 1-71407   Time: 2016-04-10 13:05:51.522
  Triggered Signature: PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid [CVE-2010-1690] [MS10-024] [snort sid 3-21355]
  Sensor: rgc1:eth0   Interface: eth0   Filter: none   Alert Group: none
  IP: 204.13.251.3 -> 192.168.178.240   Ver: 4   Hdr Len: 20   TOS: 0   length: 88   ID: 32280   fragment: no   offset: 0   TTL: 54   chksum: 35794 = 0x8bd2   Options: none
  UDP: source port 53   dest port 30215   length 68
  Payload (length = 60):
    000 : FB 71 84 00 00 01 00 01 00 00 00 01 0B 73 6F 75  .q...........sou
    010 : 72 63 65 66 6F 72 67 65 03 6E 65 74 00 00 01 00  rceforge.net....
    020 : 01 C0 0C 00 01 00 01 00 00 01 2C 00 04 D8 22 B5  ..........,...".
    030 : 3C 00 00 29 10 00 00 00 80 00 00 00              <..)........

On 04/08/2016 11:39 PM, Claus Regelmann wrote:

great hint!!! I didn't realize the impacts of this option before.
THANKS
Claus

On 04/08/2016 10:22 PM, Y M wrote:
> Would using "-k none" when running Snort helps?
> YM
________________________________________
From: Claus Regelmann <rgc () rgc1 inka de>
Sent: Friday, April 8, 2016 7:19 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] missing alerts: Snort does not inspect payload from the machine it's running on?

I dove into the source code and eventually found a solution that works, at least in 'my' environment:

Packet errors are checked in the function "Preprocess" (file decode.c). This checking includes checksum errors. If a packet comes from a local process and is captured before it goes on to the real HW, is there a valid checksum? It does not seem so! I masked checksum errors in "Preprocess" ... it works.

Here is my (1st) patch:

-- 8< ------------ >8 -- diff -Naur snort-2.9.8.2/src/detect.c snort-2.9.8.2-cr/src/detect.c --- snort-2.9.8.2/src/detect.c 2016-03-18 14:54:31.000000000 +0100 +++ snort-2.9.8.2-cr/src/detect.c 2016-04-08 16:04:47.000000000 +0200
@@ -199,15 +199,14 @@ #endif // If the packet has errors, we won't analyze it. - if ( p->error_flags ) + if ( p->error_flags & ~PKT_ERR_CKSUM_ANY ) // RgC: ignore chksum errors { // process any decoder alerts now that policy has been selected... DecodePolicySpecific(p); //actions are queued only for IDS case sfActionQueueExecAll(decoderActionQ); - DEBUG_WRAP(DebugMessage(DEBUG_DETECT, - "Packet errors = 0x%x, ignoring traffic!\n", p->error_flags);); + LogMessage("RgC::detect.c:Prepocess: Packet errors = 0x%x, ignoring traffic!\n", p->error_flags); if ( p->error_flags & PKT_ERR_BAD_TTL ) pc.bad_ttl++; -- 8< ------------ >8 --

Shouldn't DAQ revise this checksum problem before?

--------------
Claus Regelmann

On 03/19/2016 12:15 AM, Claus Regelmann wrote:

Hello,

my snort runs on a small ATOM-based firewall between the internet router and the internal net.

+--------------+                        +----------+
| (NAT) router | <--192.168.178.0/24--> | firewall | <--10.1.0.0/16--> privat-net
+--------------+   ^                ^   +----------+
                   |                |
           192.168.178.1      192.168.178.240
                                    +-- snort listens here in passive mode

Test cases:

1.) I run 'openssl s_client ...' to connect to a Dridex-CnC. I run this twice, from an internal host and from the firewall. The result is OK, two alerts:

--8< ------ >8--
ID            < Signature >                                                                                    < Timestamp >            < Source Address >     < Dest. Address >   < Layer 4 Proto >
#0-(1-90832)  [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D)  2016-03-18 03:22:19.993  192.168.178.240:40533  87.106.18.216:4483  TCP
#1-(1-90830)  [snort] Feodo Tracker: potential Feodo CnC Traffic to compromised webserver detected (version D)  2016-03-18 03:17:02.652  10.1.1.5:53410         87.106.18.216:4483  TCP
--8< ------ >8--

2.) The router hosts a DNS forwarder. I run 'host 0if1nl6.org 192.168.178.1' to look up a zeus host, again from the firewall and the internal host. But now only the query from the internal host alerts:

--8< ------ >8--
ID            < Signature >                                           < Timestamp >           < Source Address >  < Dest. Address >  < Layer 4 Proto >
#0-(1-90896)  [snort] ZeuS Tracker: ZeuS CnC DNS lookup: 0if1nl6.org  2016-03-18 22:44:06.68  10.1.1.5:54346      192.168.178.1:53   UDP
--8< ------ >8--

3.) I wrote a small test rule: 'alert tcp $HOME_NET any -> any 80 (msg:"RgC: TEST pattern found"; pcre:"/[^\/]*\/[0-9a-f]{5,8}\//U"; classtype:trojan-activity; sid:1000007; rev:1;)'. I run 'wget http://...../abcdef01/zzz' on the firewall and the internal host. Again, only the internal case alerts:

--8< ------ >8--
ID            < Signature >                    < Timestamp >            < Source Address >  < Dest. Address >  < Layer 4 Proto >
#0-(1-90897)  [snort] RgC: TEST pattern found  2016-03-18 23:06:51.482  10.1.1.5:37733      193.99.144.85:80   TCP
--8< ------ >8--

The 1st case only inspects header information. The last two cases need the payload.

* Has anybody an idea what's going wrong here ???

* I run snort version 2.9.7.6, self-compiled from sources (LFS). My home-net is set to 'ipvar HOME_NET [192.168.178.240,10.1.0.0/16]'

Thank You
Claus Regelmann

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
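Review bot: the new guard `if ( p->error_flags & ~PKT_ERR_CKSUM_ANY )` turns off checksum-error handling for every packet unconditionally and hard-codes it into the build, while the same effect is already selectable at run time through `-k none` / the checksum_mode setting, so the patch removes an operator choice rather than adding one; if the aim is only to cope with packets that originate on the sensor host and are captured before the NIC fills in offloaded checksums, the fix belongs in the capture path (disable checksum offload, lro and gro on the interface with ethtool, as suggested elsewhere in this thread) or behind a configuration switch, not in Preprocess(). The later report in this thread of about 300 DNS false positives in ten minutes under `-k none` is exactly the behaviour this hunk makes permanent. The second part of the hunk swaps `DEBUG_WRAP(DebugMessage(...))` for an unconditional `LogMessage(...)`, which now writes a line for every packet that still carries an error flag and can flood the log on a production sensor; keep the DEBUG_WRAP wrapper, and "Prepocess" in the format string is a typo for "Preprocess".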
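Added example for this thread (not code from the thread and not Snort's decoder): the checksum arithmetic behind the "packet has errors, ignoring traffic" skip that the patch disables and that "-k none" switches off. It rebuilds the two IPv4 headers from the fields BASE printed for alerts 1-71408 and 1-71407, confirms the header checksums BASE showed (0xfef9 and 0x8bd2), computes the UDP checksum of the second alert's 60-byte DNS reply, and contrasts it with what a capture taken on the sending host sees when the NIC is left to finish the transport checksum. Assumptions: the DF bit was set (BASE only prints "no" in the fragment column; both header checksums match only with DF), the offload case is modelled on the Linux CHECKSUM_PARTIAL convention (pseudo-header sum in the field, NIC completes the rest), which nothing in the thread shows, and detection_skips() models only the all, noip, noudp and none values of Snort 2's -k / config checksum_mode.

```python
"""Checksum arithmetic behind the "packet has errors, ignoring traffic" skip.

Added example; not Snort code.  Header fields come from the BASE alerts
1-71408 and 1-71407 quoted in the thread; the DNS bytes are the 60-byte
payload of the second one.  Assumptions: DF set (BASE prints only "no" for
fragmentation), and the offload case follows the Linux CHECKSUM_PARTIAL
convention (pseudo-header sum in the field, NIC finishes the rest).
"""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """Sum of big-endian 16-bit words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def build_ipv4_header(total_len, ident, ttl, proto, src, dst, cksum=0, df=True):
    """20-byte IPv4 header without options; cksum=0 leaves the field blank."""
    flags_frag = 0x4000 if df else 0            # DF, fragment offset 0 (assumed)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       ttl, proto, cksum, socket.inet_aton(src), socket.inet_aton(dst))


def ipv4_header_checksum(header: bytes) -> int:
    """Value the sender must write: checksum with the field itself zeroed."""
    return checksum(header[:10] + b"\x00\x00" + header[12:])


def ipv4_header_ok(header: bytes) -> bool:
    """Receiver-side check: a good header sums to 0xFFFF, field included."""
    return ones_complement_sum(header) == 0xFFFF


def udp_pseudo_header(src, dst, udp_len: int) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, udp_len)


def udp_segment(sport, dport, payload: bytes, cksum=0) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), cksum) + payload


def udp_checksum(src, dst, segment: bytes) -> int:
    """Finished checksum over pseudo-header + header (field zeroed) + payload."""
    blank = segment[:6] + b"\x00\x00" + segment[8:]
    return checksum(udp_pseudo_header(src, dst, len(segment)) + blank) or 0xFFFF


def udp_segment_ok(src, dst, segment: bytes) -> bool:
    """What the receiving stack, and Snort's decoder with checksums on, verifies."""
    return ones_complement_sum(udp_pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


def offload_partial_checksum(src, dst, udp_len: int) -> int:
    """Field content of a packet captured on the sending host before the NIC
    completes an offloaded checksum: only the pseudo-header sum (assumption,
    see module docstring)."""
    return ones_complement_sum(udp_pseudo_header(src, dst, udp_len))


def detection_skips(ip_ok: bool, udp_ok: bool, checksum_mode: str = "all") -> bool:
    """Snort 2 Preprocess() skips a packet carrying any error flag.  -k /
    config checksum_mode picks which checksums are verified; only the modes
    all, noip, noudp and none are modelled here."""
    check_ip = checksum_mode in ("all", "noudp")
    check_udp = checksum_mode in ("all", "noip")
    return (check_ip and not ip_ok) or (check_udp and not udp_ok)


SENSOR = "192.168.178.240"
EX1_HDR = build_ipv4_header(200, 2679, 54, 17, "204.13.251.13", SENSOR, cksum=0xFEF9)
EX2_HDR = build_ipv4_header(88, 32280, 54, 17, "204.13.251.3", SENSOR, cksum=0x8BD2)
EX2_DNS = bytes.fromhex(                      # sourceforge.net reply, from the BASE dump
    "fb71840000010001000000010b736f75" "726365666f726765036e657400000100"
    "01c00c000100010000012c0004d822b5" "3c0000291000000080000000")
EX2_UDP = udp_segment(53, 30215, EX2_DNS)


def demo() -> dict:
    src = "204.13.251.3"
    finished = udp_segment(53, 30215, EX2_DNS, udp_checksum(src, SENSOR, EX2_UDP))
    partial = udp_segment(53, 30215, EX2_DNS, offload_partial_checksum(src, SENSOR, len(EX2_UDP)))
    partial_ok = udp_segment_ok(src, SENSOR, partial)
    return {
        "ex1_ip_ok": ipv4_header_ok(EX1_HDR),
        "ex2_ip_ok": ipv4_header_ok(EX2_HDR),
        "udp_finished_ok": udp_segment_ok(src, SENSOR, finished),
        "udp_partial_ok": partial_ok,
        "skip_with_k_all": detection_skips(True, partial_ok, "all"),
        "skip_with_k_none": detection_skips(True, partial_ok, "none"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-18s %s" % (name, value))
```

Run as a script it prints the six checks. udp_partial_ok False together with skip_with_k_all True is the situation described for packets that originate on the firewall itself: the capture holds an unfinished transport checksum, the decoder flags it, and Preprocess() never hands the payload to the rules. skip_with_k_none False is what "-k none" (and the patch) changes, for every packet, including ones a receiving host would have discarded. Disabling tx/rx checksum offload, lro and gro on the capture interface with ethtool, as suggested in the thread, makes the capture carry finished checksums instead, so verification passes without turning the check off.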
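A second added example (again not from the thread and not Snort code): a small DNS message decoder applied to the two payload hex dumps BASE printed for the "-k none" false positives, so each alert can be read as a DNS reply instead of as raw bytes. It handles compression pointers, the question, answer and additional sections, and the EDNS0 OPT pseudo-record, and raises ValueError on a pointer loop, truncated rdata or trailing bytes. Both replies decode as ordinary authoritative A-record answers, eight addresses for e1.whatsapp.net and one for sourceforge.net, which is the kind of detail worth attaching to a false-positive report or to a suppression decision for those sids.

```python
"""Decode the two DNS replies quoted in the BASE alerts above.

Added example, not part of the thread and not Snort code.  The bytes are the
payload hex dumps BASE printed for alert 1-71408 (e1.whatsapp.net, matched by
the "TMG Firewall Client long host entry" rule) and 1-71407 (sourceforge.net,
matched by "mismatched txid").
"""
import struct
from dataclasses import dataclass, field


@dataclass
class DnsMessage:
    txid: int
    flags: int
    qname: str
    qtype: int
    answers: list = field(default_factory=list)     # (name, type, ttl, rdata text)
    additional: list = field(default_factory=list)

    @property
    def is_response(self) -> bool:
        return bool(self.flags & 0x8000)

    @property
    def rcode(self) -> int:
        return self.flags & 0xF


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, end)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # two-byte pointer into the message
            if not jumped:
                end = off + 2                     # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if jumped else off)


def read_rr(msg: bytes, off: int):
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated rdata")
    if rtype == 1 and rdlen == 4:                 # A record
        text = ".".join(str(b) for b in rdata)
    elif rtype == 41:                             # EDNS0 OPT: class = UDP size, ttl = ext flags
        text = "OPT udp=%d flags=0x%04x" % (rclass, ttl & 0xFFFF)
    else:
        text = rdata.hex()
    return (name, rtype, ttl, text), off + rdlen


def parse_dns(msg: bytes) -> DnsMessage:
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, qname, qtype = 12, "", 0
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
    m = DnsMessage(txid, flags, qname, qtype)
    for section, count in ((m.answers, an), (None, ns), (m.additional, ar)):
        for _ in range(count):
            rr, off = read_rr(msg, off)
            if section is not None:
                section.append(rr)
    if off != len(msg):
        raise ValueError("%d trailing bytes" % (len(msg) - off))
    return m


# Payloads copied from the BASE hex dumps in the thread.
EX1_DNS = bytes.fromhex(
    "2a128400000100080000000102653108" "7768617473617070036e657400000100"
    "01c00c0001000100000e100004adc0de" "a8c00c0001000100000e100004a92dd6"
    "e5c00c0001000100000e100004adc0de" "a9c00c0001000100000e100004adc0de"
    "abc00c0001000100000e1000049e553a" "4dc00c0001000100000e100004a92ddb"
    "fdc00c0001000100000e100004adc1cd" "18c00c0001000100000e100004ae24d2"
    "2e0000291000000080000000")
EX2_DNS = bytes.fromhex(
    "fb71840000010001000000010b736f75" "726365666f726765036e657400000100"
    "01c00c000100010000012c0004d822b5" "3c0000291000000080000000")


def summarize(msg: bytes) -> str:
    m = parse_dns(msg)
    lines = ["txid=0x%04x response=%s rcode=%d q=%s type=%d"
             % (m.txid, m.is_response, m.rcode, m.qname, m.qtype)]
    lines += ["  AN %s ttl=%d %s" % (n, ttl, t) for n, _, ttl, t in m.answers]
    lines += ["  AR %s" % t for _, _, _, t in m.additional]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(EX1_DNS))
    print(summarize(EX2_DNS))
```

The decoder is deliberately strict: a reply that does not account for every byte, or whose names chase pointers in a loop, is rejected rather than partially reported, since malformed DNS is what a rule like "mismatched txid" is trying to surface and a triage tool should not paper over it.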
Current thread:
- Re: missing alerts: Snort does not inspect payload from the machine it's running on? Claus Regelmann (Apr 08)
- Re: missing alerts: Snort does not inspect payload from the machine it's running on? Y M (Apr 08)
- Re: missing alerts: Snort does not inspect payload from the machine it's running on? Claus Regelmann (Apr 08)
- Re: missing alerts: Snort does not inspect payload from the machine it's running on? Claus Regelmann (Apr 11)
- Re: missing alerts: Snort does not inspect payload from the machine it's running on? Y M (Apr 12)
- Re: missing alerts: Snort does not inspect payload from the machine it's running on? Claus Regelmann (Apr 08)
- Re: missing alerts: Snort does not inspect payload from the machine it's running on? Y M (Apr 08)