
[Snort-users] Snort only partially alerting


Frank Calone

Jun 18, 2013, 5:14:59 PM
I still don't have a fix yet to the problem of Snort only alerting occasionally.  I have it setup to look for exe downloads using just 2 rules.  I have a web site setup to download (not https) an exe file.  I decided to run snort in full packet logger mode to see what was coming in (/usr/sbin/snort -dev -i p1p1 -l /var/log/snort -h x.x.x.x/16).  I immediately started getting the following warning messages:
 
(snort_decoder) WARNING: IP dgm len > captured len
 
I then ran the binary capture thru the snort playback (-dvr option).  Looking at the packets tied to my PC, I can see that almost all of them have a datagram length of 40.  Very few packets showed up with a real payload, certainly not enough to amount to the size of the file I downloaded during the testing.  I'm not sure if there is a config setting or something else going wrong here such that very few packets have any real data.  Here is a sample of what I am seeing:
 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/18-16:20:19.229724 15.0.0.18:62287 -> 212.13.197.229:80
TCP TTL:127 TOS:0x0 ID:7467 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3279955A  Ack: 0xEF27E0F7  Win: 0x4029  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Frank

James Lay

Jun 18, 2013, 6:13:15 PM
On 2013-06-18 15:14, Frank Calone wrote:
> I still don't have a fix yet to the problem of Snort only alerting
> occasionally.  I have it setup to look for exe downloads using just 2
> rules.  I have a web site setup to download (not https) an exe
> file.  I decided to run snort in full packet logger mode to see what
> was coming in (/usr/sbin/snort -dev -i p1p1 -l /var/log/snort -h
> x.x.x.x/16).  I immediately started getting the following warning
> messages:
>
> (snort_decoder) WARNING: IP dgm len > captured len
>
> I then ran the binary capture thru the snort playback (-dvr option).
> Looking at the packets tied to my PC, I can see that almost all of
> them have a datagram length of 40.  Very few packets showed up with a
> real payload, certainly not enough to amount to the size of the file
> I downloaded during the testing.  I'm not sure if there is a config
> setting or something else going wrong here such that very few packets
> have any real data.  Here is a sample of what I am seeing:
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 06/18-16:20:19.229724 15.0.0.18:62287 -> 212.13.197.229:80
> TCP TTL:127 TOS:0x0 ID:7467 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x3279955A  Ack: 0xEF27E0F7  Win: 0x4029  TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> Frank


Frank,

Try capturing with tshark or tcpdump (use -s 0 for tcpdump to capture
the full packet). Then, after capturing, run it through snort with
something like:

sudo snort -c snort.conf -r bleh.pcap -k none

James

_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Frank Calone

Jun 21, 2013, 11:01:06 AM

1) In my continuing efforts to figure out why Snort misses nearly all of the exe downloads I performed a TCPDUMP on the same interface to ensure the traffic is there that I am expecting to have Snort alert on.  Here is the latest.  I had TCPDUMP already installed on our Centos system and so I enabled packet capture with the following command:

tcpdump -i p1p1 -N -w tcpdump.jun20.v3.pcap src 15.8.5.18 or dst 15.8.5.18

2) I started snort as follows:

/usr/sbin/snort -A fast -d -i p1p1 -u snort -g snort -c /etc/snort/snort1.conf -l /var/log/snort2 -G 1

3) I then downloaded putty.exe from www.chiark.greenend.org.uk.

4) I then aborted both TCPDUMP and SNORT.  I checked the alert file in /var/log/snort2 to see if an alert showed up.  No hits.

5) I ran the tcpdump.jun20.v3.pcap file thru snort as follows:

snort -dvr tcpdump.jun20.v3.pcap > testtcpd.jun20.v3

6) I reviewed the file (testtcpd.jun20.v3) and found this entry showing the network tap indeed is working fine as the Snort "content" string search value (This program cannot be run in DOS mode) is plainly visible:

06/20-13:47:35.769947 46.43.34.31:80 -> 15.8.5.18:56416 TCP TTL:50 TOS:0x0 ID:61603 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x3940EBD2  Ack: 0x51CD46B3  Win: 0x42  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 44 61 74 65 3A 20 54 68 75 2C 20 32 30 20 4A  .Date: Thu, 20 J
75 6E 20 32 30 31 33 20 31 37 3A 34 37 3A 33 35  un 2013 17:47:35
20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70   GMT..Server: Ap
61 63 68 65 0D 0A 4C 61 73 74 2D 4D 6F 64 69 66  ache..Last-Modif
69 65 64 3A 20 53 61 74 2C 20 31 30 20 44 65 63  ied: Sat, 10 Dec
20 32 30 31 31 20 31 33 3A 33 38 3A 33 37 20 47   2011 13:38:37 G
4D 54 0D 0A 45 54 61 67 3A 20 22 31 36 34 30 34  MT..ETag: "16404
30 37 2D 37 36 30 30 30 2D 34 62 33 62 64 30 34  07-76000-4b3bd04
63 34 33 31 34 30 22 0D 0A 41 63 63 65 70 74 2D  c43140"..Accept-
52 61 6E 67 65 73 3A 20 62 79 74 65 73 0D 0A 43  Ranges: bytes..C
6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 34  ontent-Length: 4
38 33 33 32 38 0D 0A 4B 65 65 70 2D 41 6C 69 76  83328..Keep-Aliv
65 3A 20 74 69 6D 65 6F 75 74 3D 31 35 2C 20 6D  e: timeout=15, m
61 78 3D 39 39 0D 0A 43 6F 6E 6E 65 63 74 69 6F  ax=99..Connectio
6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43  n: Keep-Alive..C
6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70  ontent-Type: app
6C 69 63 61 74 69 6F 6E 2F 78 2D 6D 73 64 6F 73  lication/x-msdos
2D 70 72 6F 67 72 61 6D 0D 0A 0D 0A 4D 5A 90 00  -program....MZ..
03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00  ................
00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00  ....@...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 01 00 00 0E 1F BA 0E  ................
00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70  ....!..L.!This p
72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65  rogram cannot be
20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65   run in DOS mode
2E 0D 0D 0A 24 00 00 00 00 00 00 00 6D 1F 98 6B  ....$.......m..k
29 7E F6 38 29 7E F6 38 29 7E F6 38 3A 76 9F 38  )~.8)~.8)~.8:v.8
2B 7E F6 38 2C 72 96 38 2B 7E F6 38 2C 72 F9 38  +~.8,r.8+~.8,r.8
32 7E F6 38 3A 76 AB 38 2B 7E F6 38 D3 5D EF 38  2~.8:v.8+~.8.].8
2D 7E F6 38 AA 76 AB 38 38 7E F6 38 29 7E F7 38  -~.8.v.88~.8)~.8
04 7F F6 38 2C 72 A9 38 95 7E F6 38 C5 75 A8 38  ...8,r.8.~.8.u.8
28 7E F6 38 2C 72 AC 38 28 7E F6 38 52 69 63 68  (~.8,r.8(~.8Rich
29 7E F6 38 00 00 00 00 00 00 00 00 00 00 00 00  )~.8............

7) Here is the output when I aborted the Snort process (run in foreground):

Packet I/O Totals:
   Received:      1278250
   Analyzed:      1278244 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            6 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:      1281819 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:      1281734 ( 99.993%)
       Frag:           58 (  0.005%)
       ICMP:          901 (  0.070%)
        UDP:        35748 (  2.789%)
        TCP:       922437 ( 71.963%)
        IP6:           32 (  0.002%)
    IP6 Ext:           32 (  0.002%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:           32 (  0.002%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            8 (  0.001%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:           24 (  0.002%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:           18 (  0.001%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:       322566 ( 25.165%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:       322566 ( 25.165%)
      Other:           67 (  0.005%)
Bad Chk Sum:          326 (  0.025%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:         2314 (  0.181%)
     S5 G 2:         1261 (  0.098%)
      Total:      1281819
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:      1189531 ( 93.059%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:        88713 (  6.940%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
Frag3 statistics:
        Total Fragments: 58
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
                  Drops: 0
     FragTrackers Added: 58
    FragTrackers Dumped: 58
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 58
     Frag Nodes Deleted: 58
===============================================================================
Stream5 statistics:
            Total sessions: 24790
              TCP sessions: 19331
              UDP sessions: 5459
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 19522
TCP StreamTrackers Deleted: 19522
              TCP Timeouts: 0
              TCP Overlaps: 39
       TCP Segments Queued: 115887
     TCP Segments Released: 115887
       TCP Rebuilt Packets: 39102
         TCP Segments Used: 95388
              TCP Discards: 262728
                  TCP Gaps: 6707
      UDP Sessions Created: 5459
      UDP Sessions Deleted: 5459
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 133590
           Internal Events: 0
           TCP Port Filter
                   Dropped: 0
                 Inspected: 0
                   Tracked: 918536
           UDP Port Filter
                   Dropped: 0
                 Inspected: 24930
                   Tracked: 5459
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         172
    GET methods:                          12647
    HTTP Request Headers extracted:       12858
    HTTP Request Cookies extracted:       6798
    Post parameters extracted:            171
    HTTP response Headers extracted:      9755
    HTTP Response Cookies extracted:      1380
    Unicode:                              247
    Double unicode:                       0
    Non-ASCII representable:              15
    Directory traversals:                 0
    Extra slashes ("//"):                 2237
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 1457
    Gzip Compressed Data Processed:       3087532.00
    Gzip Decompressed Data Processed:     9451498.00
    Total packets processed:              377200
===============================================================================
SMTP Preprocessor Statistics
  Total sessions                                    : 28
  Max concurrent sessions                           : 3
  Base64 attachments decoded                        : 2
  Total Base64 decoded bytes                        : 1676
  Quoted-Printable attachments decoded              : 3
  Total Quoted decoded bytes                        : 1133
  UU attachments decoded                            : 0
  Total UU decoded bytes                            : 0
  Non-Encoded MIME attachments extracted            : 10
  Total Non-Encoded MIME bytes extracted            : 2066
===============================================================================
dcerpc2 Preprocessor Statistics
  Total sessions: 300
  Total sessions autodetected: 124
  Total sessions aborted: 164

  Transports
    SMB
      Total sessions: 117
      Packet stats
        Packets: 218
        Ignored bytes: 2635
        Not NBSS Session Message: 2
        Not IPC packets (after tree connect): 1
        Maximum outstanding requests: 1
        SMB command requests/responses processed
          Negotiate (0x72) : 85/37
          Session Setup AndX (0x73) : 2/2
          Tree Connect AndX (0x75) : 1/1
    TCP
      Total sessions: 183
      Packet stats
        Packets: 2538

  DCE/RPC
    Connection oriented
      Packet stats
        PDUs: 2538
          Bind: 136
          Bind Ack: 136
          Alter context: 68
          Alter context response: 68
          Request: 1057
          Response: 992
          Auth3: 80
          Orphaned: 1
        Request fragments: 1
          Min fragment size: 0
          Max fragment size: 0
          Frag reassembled: 0
        Response fragments: 0
        Client PDU segmented reassembled: 0
        Server PDU segmented reassembled: 0
===============================================================================
SSL Preprocessor:
   SSL packets decoded: 15811
          Client Hello: 2833
          Server Hello: 1528
           Certificate: 393
           Server Done: 5354
   Client Key Exchange: 1601
   Server Key Exchange: 117
         Change Cipher: 5428
              Finished: 0
    Client Application: 3061
    Server Application: 1645
                 Alert: 622
  Unrecognized records: 4780
  Completed handshakes: 0
        Bad handshakes: 0
      Sessions ignored: 1642
    Detection disabled: 301
===============================================================================
SIP Preprocessor Statistics
  Total sessions: 163
  SIP anomalies : 11
  Requests: 0
          invite:   0
          cancel:   0
             ack:   0
             bye:   0
        register:   0
         options:   0
           refer:   0
       subscribe:   0
          update:   0
            join:   0
            info:   0
         message:   0
          notify:   0
           prack:   0
  Responses: 0
             1xx:   0
             2xx:   0
             3xx:   0
             4xx:   0
             5xx:   0
             6xx:   0
             7xx:   0
             8xx:   0
             9xx:   0
Ignore sessions:   0
Ignore channels:   0
===============================================================================
Reputation Preprocessor Statistics
  Total Memory Allocated: 0
===============================================================================
Snort exiting

8) Here is the rule that should have detected this.  I am only running 2 rules at this time.

alert tcp ![128.131.0.0/16] !20 -> $HOME_NET any (msg:"exe downloaded"; content:"This program cannot be run in DOS mode"; sid:1999998; rev:5;)

9) I tried running snort in the full packet logger mode (/usr/sbin/snort -dev -i p1p1 -l /var/log/snort -h x.x.x.x/16).  I immediately started getting the following warning messages:

(snort_decoder) WARNING: IP dgm len > captured len

I then ran the binary capture thru the snort playback (-dvr option).  Looking at the packets tied to my PC, I can see that almost all of them have a datagram length of 40.  Very few packets showed up with a real payload, certainly not enough to amount to the size of the file I downloaded during the testing.  I'm not sure if there is a config setting or something else going wrong here such that very few packets have any real data.  Here is a sample of what I am seeing (the last two are in order they appeared in the dump file):

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/18-16:20:19.229724 15.8.5.18:62287 -> 212.13.197.229:80
TCP TTL:127 TOS:0x0 ID:7467 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3279955A  Ack: 0xEF27E0F7  Win: 0x4029  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/18-16:20:25.306989 212.13.197.229:80 -> 15.8.5.18:62287
TCP TTL:44 TOS:0x0 ID:43106 IpLen:20 DgmLen:40 DF
***A***F Seq: 0xEF27E0F7  Ack: 0x3279955B  Win: 0x5C  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/18-16:20:27.305825 212.13.197.229:80 -> 15.8.5.18:62285
TCP TTL:44 TOS:0x0 ID:3711 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x53804DD1  Ack: 0x77F4A813  Win: 0x5C  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/18-16:20:27.306281 15.8.5.18:62285 -> 212.13.197.229:80
TCP TTL:127 TOS:0x0 ID:9849 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x77F4A813  Ack: 0x53804DD2  Win: 0x4029  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/18-16:20:34.312205 212.13.197.229:80 -> 15.8.5.18:62286
TCP TTL:44 TOS:0x0 ID:50990 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x3FC527C5  Ack: 0xCF59BF2B  Win: 0x83  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I'm looking for suggestions on what is broken or what to try next to get this resolved.  Our server is Centos (2.6.32-358.6.2.el6.x86_64) with 4 GB memory.  I set the stream5 memcap to 1 GB (1073741824), maxtcp 393216 in the config file.  Perfmon shows 90% CPU avail and max memory used at any point of 250 MB.  Snort Build shows the following:

  ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.4.5 GRE (Build 71)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

Frank

Joel Esler

Jun 21, 2013, 11:03:59 AM
Can you send me the pcap off list?

Joel Esler

Jun 21, 2013, 11:04:43 AM
On Jun 21, 2013, at 11:01 AM, Frank Calone <fc100...@gmail.com> wrote:

All Discard:       322566 ( 25.165%)
      Other:           67 (  0.005%)
Bad Chk Sum:          326 (  0.025%)

I'm asking for the pcap, as this concerns me.


Joel Esler

Jun 21, 2013, 3:19:52 PM
Frank, I took a look at the pcap you sent me and these are the alerts I received when I ran the pcap:

06/20-13:47:35.353332  [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP} 
06/20-13:47:35.560161  [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP} 
06/20-13:47:35.769947  [**] [1:25514:1] FILE-IDENTIFY Portable Executable download detected [**] [Classification: Misc activity] [Priority: 3] {TCP} 
06/20-13:47:35.769947  [**] [1:25515:1] FILE-IDENTIFY Portable Executable binary file magic detected [**] [Classification: Misc activity] [Priority: 3] {TCP} 

My Snort.conf can be found here: http://www.snort.org/vrt/snort-conf-configurations/

I stripped off the IPs at the end

So when I looked at the pcap I noticed there were a ton of incorrect checksums (the cut at the end of the statement is intended to strip out IPs):

$ tcpdump -r tcpdump.jun20.v3.pcap -vv | grep incorrect | cut -f2 -d:

 Flags [.], cksum 0x44cd (incorrect -> 0x0172), seq 3485
 Flags [.], cksum 0x44cd (incorrect -> 0x104b), seq 19545
 Flags [P.], cksum 0x44cd (incorrect -> 0xc4e0), seq 38525
 Flags [.], cksum 0x4a81 (incorrect -> 0xa44d), seq 41445
 Flags [.], cksum 0x44cd (incorrect -> 0xf3a2), seq 45825
 Flags [.], cksum 0x5035 (incorrect -> 0x647f), seq 48745
 Flags [.], cksum 0x4a81 (incorrect -> 0x0ee7), seq 56045
 Flags [.], cksum 0x44cd (incorrect -> 0xf978), seq 64805
 Flags [.], cksum 0x4a81 (incorrect -> 0x050f), seq 79405
 Flags [.], cksum 0x44cd (incorrect -> 0x2969), seq 83785
 Flags [.], cksum 0x44cd (incorrect -> 0x25d5), seq 92545
 Flags [.], cksum 0x4a81 (incorrect -> 0x2962), seq 95465
 Flags [.], cksum 0x44cd (incorrect -> 0x001d), seq 129045
 Flags [.], cksum 0x44cd (incorrect -> 0x8619), seq 148025
 Flags [.], cksum 0x44cd (incorrect -> 0xc65d), seq 152405
 Flags [.], cksum 0x4a81 (incorrect -> 0x0fc3), seq 174305
 Flags [.], cksum 0x44cd (incorrect -> 0x9a82), seq 180145
 Flags [.], cksum 0x44cd (incorrect -> 0x4cac), seq 183065
 Flags [.], cksum 0x44cd (incorrect -> 0x3fdf), seq 193285
 Flags [.], cksum 0x44cd (incorrect -> 0x31a0), seq 197665
 Flags [.], cksum 0x44cd (incorrect -> 0xc5d8), seq 216645
 Flags [.], cksum 0x4a81 (incorrect -> 0x0fa6), seq 223945
 Flags [.], cksum 0x44cd (incorrect -> 0xf8f4), seq 240005
 Flags [.], cksum 0x44cd (incorrect -> 0xe1ca), seq 261905
 Flags [.], cksum 0x44cd (incorrect -> 0xf3d0), seq 269205
 Flags [.], cksum 0x44cd (incorrect -> 0xdcb6), seq 272125
 Flags [.], cksum 0x4a81 (incorrect -> 0x3841), seq 279425
 Flags [P.], cksum 0x44cd (incorrect -> 0x2c66), seq 283805
 Flags [.], cksum 0x44cd (incorrect -> 0x007f), seq 291105
 Flags [.], cksum 0x44cd (incorrect -> 0x73ea), seq 302785
 Flags [.], cksum 0x44cd (incorrect -> 0xcb65), seq 305705
 Flags [.], cksum 0x44cd (incorrect -> 0xc839), seq 310085
 Flags [.], cksum 0x44cd (incorrect -> 0x2080), seq 323225
 Flags [.], cksum 0x44cd (incorrect -> 0x4970), seq 327605
 Flags [.], cksum 0x44cd (incorrect -> 0x2909), seq 331985
 Flags [.], cksum 0x4a81 (incorrect -> 0xff42), seq 339285
 Flags [.], cksum 0x4a81 (incorrect -> 0xdc3d), seq 343665
 Flags [.], cksum 0x44cd (incorrect -> 0x1557), seq 348045
 Flags [.], cksum 0x6705 (incorrect -> 0x8ce1), seq 356805
 Flags [.], cksum 0x4a81 (incorrect -> 0x23bb), seq 368485
 Flags [.], cksum 0x44cd (incorrect -> 0xba3c), seq 402065
 Flags [.], cksum 0x44cd (incorrect -> 0x9696), seq 418125
 Flags [.], cksum 0x4a81 (incorrect -> 0xef8c), seq 421045
 Flags [.], cksum 0x4a81 (incorrect -> 0xda29), seq 428345
 Flags [P.], cksum 0x44cd (incorrect -> 0xe4c1), seq 434185
 Flags [.], cksum 0x44cd (incorrect -> 0x91e7), seq 437105
 Flags [.], cksum 0x44cd (incorrect -> 0x9e95), seq 442945
 Flags [.], cksum 0x4a81 (incorrect -> 0x8aaf), seq 445865
 Flags [.], cksum 0x44cd (incorrect -> 0x08ac), seq 454625
 Flags [.], cksum 0x44cd (incorrect -> 0x1815), seq 457545
 Flags [.], cksum 0x44cd (incorrect -> 0xba15), seq 467765
 Flags [.], cksum 0x44cd (incorrect -> 0xc270), seq 470685
 Flags [.], cksum 0x44cd (incorrect -> 0x8612), seq 475065
 Flags [.], cksum 0x44cd (incorrect -> 0xd14c), seq 479445
 Flags [P.], cksum 0x4089 (incorrect -> 0xccaa), seq 482365

When I corrected the checksums on the file you sent me:

06/20-13:47:35.353332  [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP} 
06/20-13:47:35.560161  [**] [1:16425:15] FILE-IDENTIFY Portable Executable binary file download request [**] [Classification: Misc activity] [Priority: 3] {TCP} 
06/20-13:47:35.769947  [**] [1:25514:1] FILE-IDENTIFY Portable Executable download detected [**] [Classification: Misc activity] [Priority: 3] {TCP} 
06/20-13:47:35.769947  [**] [1:25515:1] FILE-IDENTIFY Portable Executable binary file magic detected [**] [Classification: Misc activity] [Priority: 3] {TCP} 
06/20-13:47:42.628989  [**] [1:20486:10] FILE-IDENTIFY RTF file magic detected [**] [Classification: Misc activity] [Priority: 3] {TCP} 

again, with stripped out IPs

Either way I get alerts, but the second time I got an alert for RTF file magic as well, so it's quite obvious that the checksums are having some kind of effect over there.

Try running Snort with "-k none" added to your command line to turn off checksum validation and see if you get an alert.


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
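The two capture problems raised in this thread (the "IP dgm len > captured len" decoder warning, and the segments tcpdump reported with incorrect TCP checksums, which Snort discards unless run with -k none) can both be measured directly in a pcap before blaming the rules. The checker below is an added example, not code from the thread or from the Snort project: it parses a classic pcap and, for each IPv4/TCP frame, flags truncation against the IP total length and a TCP checksum that does not verify. The sample pcap it builds is constructed, reusing the addresses and timestamp from the dump above; the 68-byte snaplen and the way an offloading NIC leaves a non-matching checksum are assumptions.

```python
import struct, sys

# Classic pcap global header: little-endian magic, v2.4, snaplen 65535, linktype 1 (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
# Constructed payload: the start of the HTTP response shown in the thread's packet dump
SAMPLE_PAYLOAD = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdos-program\r\n\r\n"
                  b"MZ\x90\x00")

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum shared by the IPv4 and TCP checksums."""
    if len(data) % 2: data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the RFC 793 pseudo-header plus the segment, checksum field zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return ~ones_complement_sum(pseudo + segment[:16] + b"\x00\x00" + segment[18:]) & 0xFFFF

def build_frame(payload: bytes, bad_tcp_cksum: bool) -> bytes:
    """Ethernet/IPv4/TCP frame 46.43.34.31:80 -> 15.8.5.18:56416 (addresses from the thread);
    bad_tcp_cksum stores a non-matching TCP checksum, as an offloading NIC would (assumption)."""
    src, dst = bytes([46, 43, 34, 31]), bytes([15, 8, 5, 18])
    tcp = struct.pack("!HHIIBBHHH", 80, 56416, 0x3940EBD2, 0x51CD46B3, 0x50, 0x10, 0x42, 0, 0) + payload
    good = tcp_checksum(src, dst, tcp)
    stored = (good + 1) & 0xFFFF if bad_tcp_cksum else good
    tcp = tcp[:16] + struct.pack("!H", stored) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 61603, 0x4000, 50, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ~ones_complement_sum(ip) & 0xFFFF) + ip[12:]
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + tcp

def pcap_record(frame: bytes, snaplen=None) -> bytes:
    # A snaplen shorter than the frame truncates it, like a small tcpdump -s value would
    data = frame if snaplen is None else frame[:snaplen]
    return struct.pack("<IIII", 1371750455, 769947, len(data), len(frame)) + data

def build_sample_pcap() -> bytes:
    good, bad = build_frame(SAMPLE_PAYLOAD, False), build_frame(SAMPLE_PAYLOAD, True)
    # third record: the good frame cut at 68 bytes (an old tcpdump default snaplen; assumption)
    return PCAP_GLOBAL_HDR + pcap_record(good) + pcap_record(bad) + pcap_record(good, 68)

def iter_pcap_records(blob: bytes):
    """Yield the captured bytes of each record in a little-endian Ethernet pcap."""
    magic, linktype = struct.unpack_from("<I", blob, 0)[0], struct.unpack_from("<I", blob, 20)[0]
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(blob):
        caplen = struct.unpack_from("<I", blob, off + 8)[0]
        yield blob[off + 16:off + 16 + caplen]
        off += 16 + caplen

def check_frame(data: bytes):
    """Findings for one IPv4/TCP frame, or None if the frame is not IPv4 over Ethernet."""
    if len(data) < 34 or data[12:14] != b"\x08\x00":
        return None
    findings = {"truncated": False, "ip_cksum_ok": None, "tcp_cksum_ok": None}
    ihl, total_len = (data[14] & 0x0F) * 4, struct.unpack_from("!H", data, 16)[0]
    # Snort's "IP dgm len > captured len": the IP header promises more bytes than were captured
    if 14 + total_len > len(data):
        return dict(findings, truncated=True)
    findings["ip_cksum_ok"] = ones_complement_sum(data[14:14 + ihl]) == 0xFFFF
    seg = data[14 + ihl:14 + total_len]
    if data[23] != 6 or len(seg) < 20:  # not TCP, or no complete TCP header
        return findings
    stored = struct.unpack_from("!H", seg, 16)[0]
    findings["tcp_cksum_ok"] = tcp_checksum(data[26:30], data[30:34], seg) == stored
    return findings

def audit_pcap(blob: bytes) -> dict:
    """Count frames Snort would warn about (truncated) or discard under default checksum checks."""
    counts = {"frames": 0, "truncated": 0, "bad_ip_cksum": 0, "bad_tcp_cksum": 0}
    for data in iter_pcap_records(blob):
        f = check_frame(data)
        if f is None: continue
        counts["frames"] += 1
        counts["truncated"] += int(f["truncated"])
        counts["bad_ip_cksum"] += int(f["ip_cksum_ok"] is False)
        counts["bad_tcp_cksum"] += int(f["tcp_cksum_ok"] is False)
    return counts

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    print(audit_pcap(blob))  # sample: {'frames': 3, 'truncated': 1, 'bad_ip_cksum': 0, 'bad_tcp_cksum': 1}
```

Run it with a capture path to audit a real file; a non-zero bad_tcp_cksum count on a capture taken on the sensor itself points at checksum offload on the capture host (so -k none, or disabling offload, is the fix), while a non-zero truncated count means the snaplen was too small.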

Frank Calone

Jun 21, 2013, 4:08:45 PM
Joel,
   I have already tried running Snort using the "-k none" option as was recommended earlier this week.  I still got no alerts.  I tried testing an exe download and had snort in full packet capture mode.  I looked at the packets after doing a -dvr just for my PC and there simply is little there that looks at all like what the TCPDUMP process captured (virtually no payloads like you see in the pcap file).  Would the checksum problem explain all the discards you noted?  The "bad chk sum" from the statistics showed just 326 events for .025%.  That number to me looks very small then as it is not even 1%.  If you want me to rerun with -k none option again, I will do that.  Should I do any kind of other logging at the same time or use other options to help diagnose?
 
Frank. 

Joel Esler

Jun 21, 2013, 4:40:42 PM
On Jun 21, 2013, at 4:08 PM, Frank Calone <fc100...@gmail.com> wrote:

   I have already tried running Snort using the "-k none" option as was recommended earlier this week.  I still got no alerts.  I tried testing an exe download and had snort in full packet capture mode.  I looked at the packets after doing a -dvr just for my PC and there simply is little there that looks at all like what the TCPDUMP process captured (virtually no payloads like you see in the pcap file).  Would the checksum problem explain all the discards you noted?  The "bad chk sum" from the statistics showed just 326 events for .025%.  That number to me looks very small then as it is not even 1%.  If you want me to rerun with -k none option again, I will do that.  Should I do any kind of other logging at the same time or use other options to help diagnose?

Turn off all rules except the file-identify category, run with the configuration file that I pointed to in my previous email.  Add `-k none`.  

Run with -b in the command line (to output to pcap file), see what you get from there.

Sounds like something isn't right somewhere.