[unisog] Snort woes

Russell Fulton r.fulton at auckland.ac.nz
Mon Jan 24 04:35:22 GMT 2005


Hi Folks,
	 I have asked about these matters on both the snort users and
developers lists and have not received any satisfying answers. So here I
go again...

Background:  this issue first came to my attention after moving to
2.3RC2 recently, when I noticed large numbers of tagged packets appearing
in the log file. I could not figure out why the packets had been tagged.
After a lot of mucking around I went right back to the release version of
2.2 and found that I now have the same problem with it.

The Problem: I am seeing tagged packets from rules that do not have tag
options.  In many cases I cannot find anything in the logged packet (or
the tagged packets from the rest of the session) that should have
triggered the alert.

At first I thought that this was some problem in the RC2 release, then I
thought it must be something in barnyard/mysql.  I now have fast alerts
running as well as the unified output running as a check, and I find that
the alerts are logged into the alert file, so this rules out the
possibility that the problem is anywhere other than snort itself.

Here is an example: 

first packet....

META
--------
SID     CID     TimeStamp               Signature
4       164508  2005-01-24 16:53:31     BLEEDING-EDGE Malware Fun Web Products Agent Traffic
Sig ID
2001034

Sensor Hostname                         Sensor Interface
jamjar  em0

IP
--------
Source Address  Dest Address    Ver     Hdr Len
130.216.191.183 64.233.161.99   4       5
TOS     length  ID      flags   offset  TTL     chksum
0       474     50827   2       0       63      20150

Resolved Source
gate1.ec.auckland.ac.nz

Resolved Dest
Could Not Resolve


TCP
--------
Source Port     Dest Port       Seq             Ack             
49271           80              4000873994      4185975058
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               24      5840    42548           0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X       X                               

DATA
--------
474554202F7365617263    GET /searc
683F636C69656E743D6E    h?client=n
6176636C69656E742D61    avclient-a
75746F2663683D363633    uto&ch=663
37383133363426667265    781364&fre
73686E6573735F636865    shness_che
636B3D3462333234364F    ck=4b3246O
3857554970786B564747    8WUIpxkVGG
4B365470266971726E3D    K6Tp&iqrn=
396346266F7269673D30    9cF&orig=0
4A2669653D5554462D38    J&ie=UTF-8
266F653D5554462D3826    &oe=UTF-8&
66656174757265733D52    features=R
616E6B26713D696E666F    ank&q=info
3A687474702533412532    :http%3A%2
46253246777777253245    F%2Fwww%2E
6C696272617279253245    library%2E
6175636B6C616E642532    auckland%2
4561632532456E7A2532    Eac%2Enz%2
4620485454502F312E31    F HTTP/1.1
0D0A557365722D416765    ..User-Age
6E743A204D6F7A696C6C    nt: Mozill
612F342E302028636F6D    a/4.0 (com
70617469626C653B2047    patible; G
6F6F676C65546F6F6C62    oogleToolb
617220322E302E313134    ar 2.0.114
2E392D6269673B205769    .9-big; Wi
6E646F77732058502035    ndows XP 5
2E31290D0A486F73743A    .1)..Host:
20746F6F6C6261727175     toolbarqu
65726965732E676F6F67    eries.goog
6C652E636F2E6E7A0D0A    le.co.nz..
43616368652D436F6E74    Cache-Cont
726F6C3A206E6F2D6361    rol: no-ca
6368650D0A436F6F6B69    che..Cooki
653A20505245463D4944    e: PREF=ID
3D326233646537313336    =2b3de7136
386366346638363A4C44    8cf4f86:LD
3D656E3A544D3D313130    =en:TM=110
313432343732373A4C4D    1424727:LM
3D313130313432343732    =110142472
373A533D724A34635143    7:S=rJ4cQC
3750387573456E586C4F    7P8usEnXlO
0D0A0D0A        ....

DATA
--------
GET /search?client=navclient-auto&ch=663781364&freshness_che
ck=4b3246O8WUIpxkVGGK6Tp&iqrn=9cF&orig=0J&ie=UTF-8&oe=UTF-8&
features=Rank&q=info:http%3A%2F%2Fwww%2Elibrary%2Eauckland%2
Eac%2Enz%2F HTTP/1.1..User-Agent: Mozilla/4.0 (compatible; G
oogleToolbar 2.0.114.9-big; Windows XP 5.1)..Host: toolbarqu
eries.google.co.nz..Cache-Control: no-cache..Cookie: PREF=ID
=2b3de71368cf4f86:LD=en:TM=1101424727:LM=1101424727:S=rJ4cQC
7P8usEnXlO....
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

second packet.....
META
--------
SID     CID     TimeStamp               Signature
4       164509  2005-01-24 16:53:36     tag: Tagged Packet
Sig ID
1

Sensor Hostname                         Sensor Interface
jamjar  em0

IP
--------
Source Address  Dest Address    Ver     Hdr Len
130.216.191.183 64.233.161.99   4       5
TOS     length  ID      flags   offset  TTL     chksum
0       522     50831   2       0       63      20098

Resolved Source
gate1.ec.auckland.ac.nz

Resolved Dest
Could Not Resolve


TCP
--------
Source Port     Dest Port       Seq             Ack             
49271           80              4000874895      4185975406
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               24      5840    6735            0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X       X                               

DATA
--------
474554202F7365617263    GET /searc
683F636C69656E743D6E    h?client=n
6176636C69656E742D61    avclient-a
75746F26676F6F676C65    uto&google
69703D4F3B3235302663    ip=O;250&c
683D3631333833353339    h=61383539
3837352666726573686E    875&freshn
6573735F636865636B3D    ess_check=
34756F69744C427A6553    4uoitLBzeS
4C5134475346727A7557    LQ4GSFrzuW
59266971726E3D596934    Y&iqrn=Yi4
266F7269673D30417138    &orig=0Aq8
342669653D5554462D38    4&ie=UTF-8
266F653D5554462D3826    &oe=UTF-8&
66656174757265733D52    features=R
616E6B26713D696E666F    ank&q=info
3A687474702533412532    :http%3A%2
46253246777777253245    F%2Fwww%2E
6C696272617279253245    library%2E
6175636B6C616E642532    auckland%2
4561632532456E7A2532    Eac%2Enz%2
46656A6F75726E616C73    Fejournals
253246726573756C7473    %2Fresults
25324561737025334620    %2Easp%3F 
485454502F312E310D0A    HTTP/1.1..
557365722D4167656E74    User-Agent
3A204D6F7A696C6C612F    : Mozilla/
342E302028636F6D7061    4.0 (compa
7469626C653B20476F6F    tible; Goo
676C65546F6F6C626172    gleToolbar
20322E302E3131342E39     2.0.114.9
2D6269673B2057696E64    -big; Wind
6F777320585020352E31    ows XP 5.1
290D0A486F73743A2074    )..Host: t
6F6F6C62617271756572    oolbarquer
6965732E676F6F676C65    ies.google
2E636F2E6E7A0D0A4361    .co.nz..Ca
6368652D436F6E74726F    che-Contro
6C3A206E6F2D63616368    l: no-cach
650D0A436F6F6B69653A    e..Cookie:
20505245463D49443D32     PREF=ID=2
62336465373133363863    b3de71368c
66346638363A4C443D65    f4f86:LD=e
6E3A544D3D3131303134    n:TM=11014
32343732373A4C4D3D31    24727:LM=1
3130313432343732373A    101424727:
533D724A346351433750    S=rJ4cQC7P
387573456E586C4F0D0A    8usEnXlO..
0D0A    ..

DATA
--------
GET /search?client=navclient-auto&googleip=O;250&ch=61383539
875&freshness_check=4uoitLBzeSLQ4GSFrzuWY&iqrn=Yi4&orig=0Aq8
4&ie=UTF-8&oe=UTF-8&features=Rank&q=info:http%3A%2F%2Fwww%2E
library%2Eauckland%2Eac%2Enz%2Fejournals%2Fresults%2Easp%3F 
HTTP/1.1..User-Agent: Mozilla/4.0 (compatible; GoogleToolbar
 2.0.114.9-big; Windows XP 5.1)..Host: toolbarqueries.google
.co.nz..Cache-Control: no-cache..Cookie: PREF=ID=2b3de71368c
f4f86:LD=en:TM=1101424727:LM=1101424727:S=rJ4cQC7P8usEnXlO..
..
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

the rule triggers on content:"FunWebProducts\;"

This particular rule is very prone to the problem, but I see others as
well, including snort.org rules.

I am also seeing this problem on two different sensors so it does not
appear to be anything to do with the particular installation.

If anyone has any ideas on what might be causing this or suggestions for
debugging I'd be delighted to hear them.  I'd also like to know if
anyone else has seen anything similar, to reassure me that I have not
completely lost it.

Cheers, Russell. 
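As an added check (not part of the original post, and not Snort's own matching code), the following script rebuilds the payload from the two-column hex dump format shown above and tests whether a rule's content string is actually present, handling Snort's backslash escapes (the `\;` in `content:"FunWebProducts\;"`) and `|..|` hex spans. The two dumps embedded in it are constructed: the first reuses the opening bytes of the first logged packet, the second is a made-up User-Agent line that does carry the string, so the function shows both outcomes.

```python
import re

# Constructed sample in the same two-column layout as the log above:
# a run of hex digits, whitespace, then the ASCII rendering (ignored here).
SAMPLE_DUMP = """\
474554202F7365617263    GET /searc
683F636C69656E743D6E    h?client=n
6176636C69656E742D61    avclient-a
0D0A0D0A        ....
"""

# Constructed control payload that DOES contain the rule's content string.
MATCHING_DUMP = """\
557365722D4167656E74    User-Agent
3A2046756E5765625072    : FunWebPr
6F64756374733B0D0A      oducts;..
"""

HEX_TOKEN = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def parse_hex_dump(dump: str) -> bytes:
    """Reassemble payload bytes from the hex column of a DATA block.
    Only the first whitespace-separated token of each line is used, so the
    ASCII column on the right can never be mistaken for data."""
    payload = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        token = line.split(None, 1)[0]
        if HEX_TOKEN.match(token):
            payload += bytes.fromhex(token)
    return bytes(payload)


def snort_content_bytes(content: str) -> bytes:
    """Turn the text inside a Snort content:"..." option into raw bytes:
    backslash escapes (\\; \\" \\\\) and |0D 0A|-style hex spans."""
    out = bytearray()
    i = 0
    while i < len(content):
        if content[i] == "\\" and i + 1 < len(content):   # escaped literal
            out.append(ord(content[i + 1])); i += 2
        elif content[i] == "|":                            # |hex bytes|
            j = content.index("|", i + 1)
            out += bytes.fromhex(content[i + 1:j]); i = j + 1
        else:
            out.append(ord(content[i])); i += 1
    return bytes(out)


def content_matches(dump: str, content: str, nocase: bool = False) -> bool:
    """True if the rule's content bytes occur anywhere in the dumped payload."""
    needle, hay = snort_content_bytes(content), parse_hex_dump(dump)
    return needle.lower() in hay.lower() if nocase else needle in hay
```

Running `content_matches(SAMPLE_DUMP, r"FunWebProducts\;")` against a full dump of the logged packet is the quickest way to confirm that the payload alone could not have satisfied the content check.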