Re: [Snort-users] snort mixes multiple (unrelated) payloads into one alert

http://marc.theaimsgroup.com/?l=snort-users&m=114790291424807&w=2



On Fri, Jul 21, 2006 at 03:05:11PM -0400, Gentoo-Wally wrote:
> I have this exact same problem all the time, and it is driving me nuts
> too. I see it both on snort proper and snort based commercial systems.
> The vast majority of the time i see SMB and web traffic all mixed
> together. I'm convinced it has something to do with stream4 and flush
> behavior. I notice you see this a lot if you are using 'flush_behavior
> large_window', but I still see this even when not using large_window.
> I would love to know the answer to this question.
>
>
> I think this brings up another important issue which is the lack of
> tuning and "why" documentation (at least I have not found any yet).
> The snort documentation is very good at providing configuration
> options documentation, but I would love to see some good preprocessor
> tuning documentation.
>
> Take the stream4 flush behavior options for example. The snort docs
> definitely tell you what they are and what they do, but I've never
> found any documentation about the thought process behind choosing one
> over the other. What do you gain when you chooses favor_new or
> favor_old? What do you lose by choosing one over the other? Are you
> opening your self to evasion techniques by choosing one over the
> other? Is it a good idea to zero_flushed_packets? If so why?
>
> I'm definitely not trying to say that this type of documentation is a
> responsibility of Sourcefire/Snort or anything like that. I'm just
> surprised that it doesn't exist at all.
>
> just my $.02
>
> Wally
>
> On 7/21/06, Eric J. Bowser <ebowser@neobright.net> wrote:
> > Hello,
> >
> > I have a couple of dozen individual snort sensors that are all having the
> > same problem.  When one of them logs an alert, it seems to quite frequently
> > mix payload data from other unrelated packets into that alert.
> >
> > For example, below is a packet alerted on, it is an FTP signature, and
> > portions of the payload are obviously HTTP traffic.  The destination host
> > does not even run an HTTP service.  This happens on many different
> > signatures; I can see no pattern to it.  This is driving me nuts with false
> > positives as well as making investigation very difficult.
> >
> > Any help anybody can lend is greatly appreciated.
> >
> > #(18 - 16565706) [2006-07-20 00:23:55]  FTP format string attempt
> > IPv4: 202.180.175.138 -> 10.24.7.111
> >       hlen=5 TOS=16 dlen=225 ID=0 flags=0 offset=0 TTL=240 chksum=0
> > TCP:  port=43606 -> dport: 21  flags=***AP*** seq=2041221560
> >       ack=594432217 off=5 res=0 win=1460 urp=0 chksum=0
> > Payload:  length = 185
> >
> > 000 : 47 45 54 20 2F 62 2F 73 73 2F 6D 73 6E 70 6F 72   GET /b/ss/msnpor
> > 010 : 74 61 6C 65 61 72 74 68 2F 31 2F 48 2E 31 2D 70   talearth/1/H.1-p
> > 020 : 64 52 4D 44 20 73 61 72 63 61 78 78 6F 0D 0A 55   dRMD sarcaxxo..U
> > 030 : 53 45 52 20 41 64 6D 69 6E 69 73 74 72 61 74 6F   SER Administrato
> > 040 : 72 0D 0A 31 39 2F 36 2F 32 30 30 36 25 32 30 32   r..19/6/2006%202
> > 050 : 30 25 33 41 32 33 25 33 41 35 37 25 32 30 33 25   0%3A23%3A57%203%
> > 060 : 32 30 32 34 30 26 6E 73 3D 6D 73 6E 70 6F 72 74   20240&ns=msnport
> > 070 : 61 6C 26 70 61 67 65 4E 61 6D 65 3D 56 45 25 32   al&pageName=VE%2
> > 080 : 30 25 37 43 25 32 30 48 6F 6D 65 25 32 30 50 61   0%7C%20Home%20Pa
> > 090 : 67 65 26 67 3D 68 74 74 70 25 33 41 2F 2F 6C 6F   ge&g=http%3A//lo
> > 0a0 : 63 61 6C 2E 6C 69 76 65 2E 63 6F 52 4D 44 20 73   cal.live.coRMD s
> > 0b0 : 61 72 63 61 78 78 6F 0D 0A                        arcaxxo..
> >
> > --
> > Eric J. Bowser
> > Bright.Net NE / Doylestown Communications, Inc.
> > 800-535-6423 toll-free
> > www.neobright.net
> > www.doyestowncommunications.com
> >
> > ?Providing advanced communications since 1899.?
> >
> >
> >
> > -------------------------------------------------------------------------
> > Take Surveys. Earn Cash. Influence the Future of IT
> > Join SourceForge.net's Techsay panel and you'll get the chance to share your
> > opinions on IT & business topics through brief surveys -- and earn cash
> > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users@lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys -- and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users