LinuxQuestions.org


dalgas 05-28-2010 05:04 PM

Snort rules created to search content in payload it is not showing alerts
 
Hi.. I'm new to using Snort.
I've captured some traffic with tcpdump, analyzed it in Wireshark and created some rules. I'm using Xubuntu 9.10.

alert tcp any any -> any any (msg:"GET request to tracker";flow:to_server,established;content: "GET"; offset:0;depth:5;sid:1000000;rev:1;)

After running it with Snort... I'm watching BASE to see the alerts... but nothing about my rules. I know that this rule is right. The only thing that can be wrong is the snort.conf file.

Can someone help me.... please?

Code:

#
 var HOME_NET 192.168.1.2
#
# if Snort is built with IPv6 support enabled (--enable-ipv6), use:
#
# ipvar HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS which will be always
# initialized to IP address and netmask of the network interface which you run
# snort at.  Under Windows, this must be specified as
# $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:
####### to work with the bar

# Set up the external network addresses as well.  A good start may be "any"
var EXTERNAL_NET !$HOME_NET

 

# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of telnet servers on your network
var FTP_SERVERS $HOME_NET

# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET

# Configure your service ports.  This allows snort to look for attacks destined
# to a specific application only on the ports that application runs on.  For
# example, if you run a web server on port 8180, set your HTTP_PORTS variable
# like this:
#
# portvar HTTP_PORTS 8180
#
# Ports you run web servers on
portvar HTTP_PORTS 80

# NOTE:  If you wish to define multiple HTTP ports, use the portvar
# syntax to represent lists of ports and port ranges.  Examples:
## portvar HTTP_PORTS [80,8080]
## portvar HTTP_PORTS [80,8000:8080]
# And only include the rule that uses $HTTP_PORTS once.
#
# The pre-2.8.0 approach of redefining the variable to a different port and
# including the rules file twice is obsolete.  See README.variables for

var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH ../preproc_rules





preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252


preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 server_flow_depth 1460




preprocessor ftp_telnet: global \
  encrypted_traffic yes \
  inspection_type stateful

preprocessor ftp_telnet_protocol: telnet \
  normalize \
  ayt_attack_thresh 200

preprocessor ftp_telnet_protocol: ftp server default \
  def_max_param_len 100 \
  alt_max_param_len 200 { CWD } \
  cmd_validity MODE < char ASBCZ > \
  cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
  chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
  telnet_cmds yes \
  data_chan

preprocessor ftp_telnet_protocol: ftp client default \
  max_resp_len 256 \
  bounce yes \
  telnet_cmds yes


preprocessor smtp: \
  ports { 25 587 691 } \
  inspection_type stateful \
  normalize cmds \
  normalize_cmds { EXPN VRFY RCPT } \
  alt_max_command_line_len 260 { MAIL } \
  alt_max_command_line_len 300 { RCPT } \
  alt_max_command_line_len 500 { HELP HELO ETRN } \
  alt_max_command_line_len 255 { EXPN VRFY }



preprocessor sfportscan: proto  { all } \
                        memcap { 10000000 } \
                        sense_level { low }

preprocessor dcerpc2
preprocessor dcerpc2_server: default



preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow



include reference.config


include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/diana.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules


unSpawn 05-29-2010 06:15 AM

And what if you configure Snort to output to plain text logs instead and watch those and make it trip the rule?

dalgas 05-29-2010 08:46 AM

Thank you for answering me :)
But the thing is... when I try a basic rule like
alert tcp any any -> any any (msg:"Test";)
it works (I can see the alerts in BASE).
However, when I try something that involves the payload like

alert tcp any any -> any any (msg:"scrap request to the tracker!!!!!!!!!!!!!!!!!!!"; content :"GET";)

it doesn't work. Do I need to add anything to snort.conf when I want to use the keyword content?

sudo snort -c /etc/snort/snort.conf -r /home/dalgas/Desktop/BitTorrent/trafego_BitTorrent/trafegoBit.cap

dalgas 05-29-2010 09:36 AM

Code:

Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
PortVar 'FTP_PORTS' defined :  [ 21 ]
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl:  1
    Fragment Problems: 1
    Overlap Limit:    10
    Min fragment Length:    0
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: INACTIVE
    Track ICMP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
Stream5 TCP Policy config:
    Reassembly Policy: FIRST
    Timeout: 30 seconds
    Min ttl:  1
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
        Static Flushpoint Sizes: YES
    Reassembly Ports:
      21 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      80 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      445 client (Footprint)
      513 client (Footprint)
      514 client (Footprint)
      1433 client (Footprint)
      1521 client (Footprint)
      2401 client (Footprint)
      3306 client (Footprint)
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:      NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Server Flow Depth: 1460
      Client Flow Depth: 1000
      Max Chunk Length: 500000
      Max Header Field Length: 0
      Max Number Header Fields: 0
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 1000
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Normalize HTTP Cookies: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:  36900
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
      Detect Anomalies: NO
    FTP CONFIG:
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Ignore Telnet Cmd Operations: OFF
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Ignore Telnet Cmd Operations: OFF
        Max Response Length: 256
SMTP Config:
    Ports: 25 587 691
    Inspection Type: Stateful
    Normalize: EXPN RCPT VRFY
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: Unlimited
    Max Specific Command Line Length:
      ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
      RCPT:300 VRFY:255
    Max Header Line Length: Unlimited
    Max Response Line Length: Unlimited
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
SSH config:
    Autodetection: DISABLED
    Challenge-Response Overflow Alert: ENABLED
    SSH1 CRC32 Alert: ENABLED
    Server Version String Overflow Alert: ENABLED
    Protocol Mismatch Alert: ENABLED
    Bad Message Direction Alert: DISABLED
    Bad Payload Size Alert: DISABLED
    Unrecognized Version Alert: DISABLED
    Max Encrypted Packets: 20 
    Max Server Version String Length: 80 (Default)
    MaxClientBytes: 19600 (Default)
    Ports:
        22
DCE/RPC 2 Preprocessor Configuration
  Global Configuration
    DCE/RPC Defragmentation: Enabled
    Memcap: 102400 KB
    Events: none
  Server Default Configuration
    Policy: WinXP
    Detect ports
      SMB: 139 445
      TCP: 135
      UDP: 135
      RPC over HTTP server: 593
      RPC over HTTP proxy: None
    Autodetect ports
      SMB: None
      TCP: 1025-65535
      UDP: 1025-65535
      RPC over HTTP server: 1025-65535
      RPC over HTTP proxy: None
    Maximum SMB command chaining: 3 commands
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
SSLPP config:
    Encrypted packets: not inspected
    Ports:
      443      465      563      636      989
      992      993      994      995
    Server side data is trusted

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Warning: /etc/snort/rules/sql.rules(69) => threshold (in rule) is deprecated; use detection_filter instead.
2486 Snort rules read
    2486 detection rules
    0 decoder rules
    0 preprocessor rules
2486 Option Chains linked into 191 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|            tcp    udp    icmp      ip
|    src      83      12      0      0
|    dst    2139    113      0      0
|    any      65      44      47      17
|      nc      19      7      14      15
|    s+d      3      3      0      0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
| none
+-----------------------[event-filter-local]-----------------------------------
| gen-id=1      sig-id=2496      type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2495      type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2275      type=Threshold tracking=dst count=5  seconds=60
| gen-id=1      sig-id=3152      type=Threshold tracking=src count=5  seconds=2 
| gen-id=1      sig-id=3273      type=Threshold tracking=src count=5  seconds=2 
| gen-id=1      sig-id=2494      type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2923      type=Threshold tracking=dst count=10  seconds=60
| gen-id=1      sig-id=2924      type=Threshold tracking=dst count=10  seconds=60
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->alert->log
Verifying Preprocessor Configurations!
Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
27 out of 512 flowbits in use.
TCPDUMP file reading mode.
Reading network traffic from "/home/di/Desktop/BitTorrent/trafego_BitTorrent/trafegoBit.cap" file.
snaplen = 1000
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:          host = localhost
database:          user = snort
database:  database name = snort
database:    sensor name = unknown:[reading from a file]
database:      sensor id = 5
database:  data encoding = hex
database:  detail level = full
database:    ignore_bpf = no
database: using the "log" facility

[ Port Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances        : 166
| Patterns        : 9460
| Pattern Chars    : 75995
| Num States      : 45248
| Num Match States : 6546
| Memory          :  1.32Mbytes
|  Patterns      :  0.29M
|  Match Lists    :  0.33M
|  Transitions    :  0.67M
+-------------------------------------------------

        --== Initialization Complete ==--

  ,,_    -*> Snort! <*-
  o"  )~  Version 2.8.5.3 (Build 124) 
  ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
          Copyright (C) 1998-2009 Sourcefire, Inc., et al.
          Using PCRE version: 7.8 2008-09-05

          Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 17>
          Preprocessor Object: SF_DNS  Version 1.1  <Build 3>
          Preprocessor Object: SF_SSH  Version 1.1  <Build 2>
          Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>
          Preprocessor Object: SF_SMTP  Version 1.1  <Build 8>
          Preprocessor Object: SF_Dynamic_Example_Preprocessor  Version 1.0  <Build 1>
          Preprocessor Object: SF_SSLPP  Version 1.1  <Build 3>
          Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 2>
          Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 12>
Not Using PCAP_FRAMES
Run time for packet processing was 1.1659 seconds
database: Closing connection to database "snort"
===============================================================================
Snort processed 366984 packets.
===============================================================================
Breakdown by protocol (includes rebuilt packets):
      ETH: 366984    (100.000%)
  ETHdisc: 0          (0.000%)
    VLAN: 0          (0.000%)
    IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 366586    (99.892%)
  IP4disc: 31573      (8.603%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 321514    (87.610%)
      UDP: 13497      (3.678%)
    ICMP: 2          (0.001%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
    FRAG: 0          (0.000%)
  FRAG 6: 0          (0.000%)
      ARP: 398        (0.108%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 0          (0.000%)
  DISCARD: 31573      (8.603%)
InvChkSum: 287410    (78.317%)
  S5 G 1: 0          (0.000%)
  S5 G 2: 0          (0.000%)
    Total: 366984   
===============================================================================
Action Stats:
ALERTS: 1
LOGGED: 1
PASSED: 0
===============================================================================
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
              Discards: 0
          Memory Faults: 0
              Timeouts: 0
              Overlaps: 0
              Anomalies: 0
                Alerts: 0
                  Drops: 0
    FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
    Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
            Total sessions: 46
              TCP sessions: 46
              UDP sessions: 0
            ICMP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
              ICMP Prunes: 0
TCP StreamTrackers Created: 113
TCP StreamTrackers Deleted: 113
              TCP Timeouts: 73
              TCP Overlaps: 0
      TCP Segments Queued: 0
    TCP Segments Released: 0
      TCP Rebuilt Packets: 0
        TCP Segments Used: 0
              TCP Discards: 0
      UDP Sessions Created: 0
      UDP Sessions Deleted: 0
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 0
          Internal Events: 0
          TCP Port Filter
                  Dropped: 0
                Inspected: 0
                  Tracked: 34104
          UDP Port Filter
                  Dropped: 0
                Inspected: 0
                  Tracked: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                  0       
    GET methods:                    0       
    Headers extracted:              0       
    Header Cookies extracted:      0       
    Post parameters extracted:      0       
    Unicode:                        0       
    Double unicode:                0       
    Non-ASCII representable:        0       
    Base 36:                        0       
    Directory traversals:          0       
    Extra slashes ("//"):          0       
    Self-referencing paths ("./"):  0       
    Total packets processed:        1430     
===============================================================================
dcerpc2 Preprocessor Statistics
  Total sessions: 0
===============================================================================
===============================================================================
Snort exiting
di@ddc:/etc/snort/rules$ clear

di@ddc:/etc/snort/rules$ sudo snort -c /etc/snort/snort.conf -r /home/di/Desktop/BitTorrent/trafego_BitTorrent/trafegoBit.cap
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
PortVar 'FTP_PORTS' defined :  [ 21 ]
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Target-based policy: FIRST
    Fragment timeout: 60 seconds
    Fragment min_ttl:  1
    Fragment Problems: 1
    Overlap Limit:    10
    Min fragment Length:    0
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: INACTIVE
    Track ICMP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
Stream5 TCP Policy config:
    Reassembly Policy: FIRST
    Timeout: 30 seconds
    Min ttl:  1
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
        Static Flushpoint Sizes: YES
    Reassembly Ports:
      21 client (Footprint)
      23 client (Footprint)
      25 client (Footprint)
      42 client (Footprint)
      53 client (Footprint)
      80 client (Footprint)
      110 client (Footprint)
      111 client (Footprint)
      135 client (Footprint)
      136 client (Footprint)
      137 client (Footprint)
      139 client (Footprint)
      143 client (Footprint)
      445 client (Footprint)
      513 client (Footprint)
      514 client (Footprint)
      1433 client (Footprint)
      1521 client (Footprint)
      2401 client (Footprint)
      3306 client (Footprint)
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:      NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Server Flow Depth: 1460
      Client Flow Depth: 1000
      Max Chunk Length: 500000
      Max Header Field Length: 0
      Max Number Header Fields: 0
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 1000
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Normalize HTTP Cookies: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:  36900
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
      Detect Anomalies: NO
    FTP CONFIG:
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Ignore Telnet Cmd Operations: OFF
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Ignore Telnet Cmd Operations: OFF
        Max Response Length: 256
SMTP Config:
    Ports: 25 587 691
    Inspection Type: Stateful
    Normalize: EXPN RCPT VRFY
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: Unlimited
    Max Specific Command Line Length:
      ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
      RCPT:300 VRFY:255
    Max Header Line Length: Unlimited
    Max Response Line Length: Unlimited
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
SSH config:
    Autodetection: DISABLED
    Challenge-Response Overflow Alert: ENABLED
    SSH1 CRC32 Alert: ENABLED
    Server Version String Overflow Alert: ENABLED
    Protocol Mismatch Alert: ENABLED
    Bad Message Direction Alert: DISABLED
    Bad Payload Size Alert: DISABLED
    Unrecognized Version Alert: DISABLED
    Max Encrypted Packets: 20 
    Max Server Version String Length: 80 (Default)
    MaxClientBytes: 19600 (Default)
    Ports:
        22
DCE/RPC 2 Preprocessor Configuration
  Global Configuration
    DCE/RPC Defragmentation: Enabled
    Memcap: 102400 KB
    Events: none
  Server Default Configuration
    Policy: WinXP
    Detect ports
      SMB: 139 445
      TCP: 135
      UDP: 135
      RPC over HTTP server: 593
      RPC over HTTP proxy: None
    Autodetect ports
      SMB: None
      TCP: 1025-65535
      UDP: 1025-65535
      RPC over HTTP server: 1025-65535
      RPC over HTTP proxy: None
    Maximum SMB command chaining: 3 commands
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
SSLPP config:
    Encrypted packets: not inspected
    Ports:
      443      465      563      636      989
      992      993      994      995
    Server side data is trusted

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Warning: /etc/snort/rules/sql.rules(69) => threshold (in rule) is deprecated; use detection_filter instead.
2486 Snort rules read
    2486 detection rules
    0 decoder rules
    0 preprocessor rules
2486 Option Chains linked into 191 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|            tcp    udp    icmp      ip
|    src      83      12      0      0
|    dst    2139    113      0      0
|    any      65      44      47      17
|      nc      19      7      14      15
|    s+d      3      3      0      0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
| none
+-----------------------[event-filter-local]-----------------------------------
| gen-id=1      sig-id=2496      type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=3152      type=Threshold tracking=src count=5  seconds=2 
| gen-id=1      sig-id=2494      type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2923      type=Threshold tracking=dst count=10  seconds=60
| gen-id=1      sig-id=2495      type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=3273      type=Threshold tracking=src count=5  seconds=2 
| gen-id=1      sig-id=2275      type=Threshold tracking=dst count=5  seconds=60
| gen-id=1      sig-id=2924      type=Threshold tracking=dst count=10  seconds=60
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->alert->log
Verifying Preprocessor Configurations!
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
27 out of 512 flowbits in use.
TCPDUMP file reading mode.
Reading network traffic from "/home/di/Desktop/BitTorrent/trafego_BitTorrent/trafegoBit.cap" file.
snaplen = 1000
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:          host = localhost
database:          user = snort
database:  database name = snort
database:    sensor name = unknown:[reading from a file]
database:      sensor id = 5
database:  data encoding = hex
database:  detail level = full
database:    ignore_bpf = no
database: using the "log" facility


OlRoy 05-29-2010 09:55 AM

I haven't tried it, but you might want to try adding this rule to local.rules:

Code:

alert tcp any any -> any any (msg:"GET request to tracker";flow:to_server,established;content: "GET"; http_method; sid:1000000; rev:1;)
Then make sure you kill snort and then restart it. Even if it works, you'd get too many false positives for it to be useful. Better rules for detecting P2P traffic (and more) are available at EmergingThreats.

dalgas 05-29-2010 11:00 AM

It is not working.
Tell me something .. I've installed snort, and in the snort.conf file I just changed HOME_NET, EXTERNAL_NET and

preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 1000 server_flow_depth 1460 client_flow_depth 1000

nothing else. Do I need to add something so that Snort is able to read the payload?
Because the problem here is that Snort is not using the content keyword.

thanks for your answers ...

unSpawn 05-29-2010 05:46 PM

Quote:

Originally Posted by dalgas (Post 3985473)
Do I need to add something so that Snort is able to read the payload?

No, Snort reads payload contents by default.


Quote:

Originally Posted by dalgas (Post 3985473)
the problem here is that Snort is not using the content keyword.

The problem might be your rule. Maybe it would be easier (if this isn't homework) to post how you devised your rule, meaning based on what packet payload. Post a pcap with the conversation if you like. Also see the /etc/snort/(rules/)p2p.rules file.

dalgas 05-29-2010 06:45 PM

Ok! Here it goes ... a trace from Wireshark and the rules I created:

00000000 64 31 3a 61 64 32 3a 69 64 32 30 3a 84 d1 42 52 d1:ad2:i d20:..BR
00000010 6a a6 50 da 29 70 0e ec 8b 5d d2 5f c7 69 42 af j.P.)p.. .]._.iB.
00000020 65 31 3a 71 34 3a 70 69 6e 67 31 3a 74 34 3a 05 e1:q4: pi ng1:t4:.
00000030 31 00 00 31 3a 76 34 3a 55 54 46 af 31 3a 79 31 1..1:v4: UTF.1:y1
00000040 3a 71 65 :qe

This rule is to detect the ping word in the trace 70 69 6e 67

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"DHT ping detected"; content:"d1|3A|ad2|3A|id20|3A|"; offset:0; depth:12; sid:1000007;)


alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"DHT ping detected"; content:"ping"; offset:38; depth:4; sid:1000008;)
-------------------------------------------------------------------------------------------------------------

Note that I've also tried the rules defined in p2p.rules and I can't see alerts in BASE for those either... like for instance:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent announce request"; flow:to_server,established; content:"GET"; depth:4; content:"/announce"; distance:1; content:"info_hash="; offset:4; content:"event=started"; offset:4; classtype: policy-violation; sid:2180; rev:2; )



Do you think it is possible that Snort is not properly installed?

Because when I try this basic rule without content ..... it shows many alerts (all TCP connections), proving to me that BASE is working fine in this case.

alert tcp any any -> any any (msg:"Test!!!";sid:1000003; );

Thanks a lot for helping me :D

OlRoy 05-30-2010 06:41 AM

You posted this from your snort output earlier:

Code:

HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                  0       
    GET methods:                    0

Are you sure there is HTTP traffic in your pcap?
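
Added example, not from any poster here: a way to answer that question without Snort or BASE in the loop. The script walks a pcap (Ethernet/IPv4 only), counts TCP segments whose payload begins with an HTTP request method and counts UDP datagrams, which is the same kind of tally http_inspect printed as "GET methods: 0". The capture it reads is constructed inline (an announce GET, a BitTorrent peer-wire handshake, a DHT ping over UDP and a POST) so it runs offline; the addresses and ports in it are made up.

```python
"""Count HTTP request methods in a pcap by hand.

Added example for the thread above. build_pcap() fabricates a small
Ethernet/IPv4 capture so the reader runs with no external file; point
count_http_requests() at the bytes of a real pcap to check your own trace.
"""
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")


def build_pcap(packets):
    """Wrap (ip_proto, payload) tuples into a little-endian pcap. Constructed test data only."""
    # global header: magic, version 2.4, thiszone 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, (proto, payload) in enumerate(packets):
        if proto == 6:   # TCP: 20-byte header, data offset 5, flags PSH|ACK, checksum left 0
            l4 = struct.pack("!HHIIBBHHH", 40000 + n, 80, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
        else:            # UDP: 8-byte header, checksum left 0
            l4 = struct.pack("!HHHH", 40000 + n, 6881, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), n, 0, 64, proto, 0,
                         bytes([192, 168, 1, 2]), bytes([203, 0, 113, 5])) + l4
        frame = b"\x00" * 12 + b"\x08\x00" + ip      # zeroed MACs, EtherType IPv4
        out += struct.pack("<IIII", 1275000000 + n, 0, len(frame), len(frame)) + frame
    return out


def iter_ipv4_packets(pcap: bytes):
    """Yield the IPv4 packet bytes of every Ethernet frame in a classic pcap."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if frame[12:14] == b"\x08\x00":
            yield frame[14:]


def count_http_requests(pcap: bytes) -> dict:
    """Tally TCP/UDP packets and TCP payloads that start with an HTTP request line."""
    counts = {"tcp": 0, "udp": 0, "http_requests": 0, "methods": {}}
    for ip in iter_ipv4_packets(pcap):
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        l4 = ip[ihl:]
        if proto == 17:
            counts["udp"] += 1
            continue
        if proto != 6:
            continue
        counts["tcp"] += 1
        doff = (l4[12] >> 4) * 4
        payload = l4[doff:]
        for m in HTTP_METHODS:
            if payload.startswith(m):
                counts["http_requests"] += 1
                name = m.strip().decode()
                counts["methods"][name] = counts["methods"].get(name, 0) + 1
    return counts


# Constructed capture: tracker announce, peer-wire handshake (not HTTP), DHT ping, a POST.
SAMPLE_PCAP = build_pcap([
    (6, b"GET /announce?info_hash=%84%D1BR&event=started HTTP/1.1\r\nHost: tracker.example\r\n\r\n"),
    (6, b"\x13BitTorrent protocol" + b"\x00" * 8),
    (17, b"d1:ad2:id20:" + b"A" * 20 + b"e1:q4:ping1:t4:\x05\x31\x00\x001:v4:UTF\xaf1:y1:qe"),
    (6, b"POST /upload HTTP/1.1\r\n\r\n"),
])

if __name__ == "__main__":
    print(count_http_requests(SAMPLE_PCAP))
```

If the same count over the real trace comes back with zero request lines, the GET-based rules have nothing to match and the UDP DHT traffic is where to look instead; if it comes back non-zero while http_inspect still reports 0, the preprocessor configuration (ports, stream reassembly) is the next thing to check.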

dalgas 05-30-2010 10:20 AM

Yes I'm sure ... it's a trace from BitTorrent that has mainly TCP and UDP...

