PCAP analysis WARNINGS


Tim Hofer

Nov 12, 2016, 6:27:58 AM
to security-onion
Hey Guys,

Actually I have some problems with the analysis of PCAPs. My goal is to get the logs without using tcpreplay.
I know Bro and Snort both have functions for this purpose. Are there any experiences with it?

When I run Snort with a PCAP file, the following WARNING is generated for nearly every packet:

WARNING: No preprocessors configured for policy 0.
03/31-22:35:01.779999 xxx.xxx.xxx.xxx:443 -> xxx.xxx.xxx.xxx:55496
TCP TTL:239 TOS:0x0 ID:12567 IpLen:20 DgmLen:306 DF
***AP*** Seq: 0x624A3DCB Ack: 0xE62123B1 Win: 0x175A TcpLen: 32
TCP Options (3) => NOP NOP TS: 3469726148 272270
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

What can I do?

Tim

Wes

Nov 12, 2016, 10:30:25 AM
to security-onion

Tim,

Have you tried running Snort with the configuration file defined?

Ex. snort -c /etc/nsm/hostname-interface/snort.conf

http://stackoverflow.com/questions/29503344/snort-message-warning-no-preprocessors-configured-for-policy-0

Thanks,
Wes

Tim Hofer

Nov 12, 2016, 10:39:49 AM
to security-onion
Hey Wes,

Yes, this was the first solution I tried.
But the following error occurred (appendix 1).
With sudo an error occurred, too (appendix 2).

First Error.png
Second Error.png

Wes Lambert

Nov 12, 2016, 10:41:42 AM
to securit...@googlegroups.com

You may need to stop the other Snort process, then do this, or copy the conf file, and run it from that.

Thanks,
Wes



Tim Hofer

Nov 12, 2016, 10:44:17 AM
to security-onion
I'll test this immediately. Will post the result then. Thank you.

Tim Hofer

Nov 12, 2016, 10:55:19 AM
to security-onion
It sadly does not work.

Wes

Nov 12, 2016, 11:30:27 AM
to security-onion
On Saturday, November 12, 2016 at 10:55:19 AM UTC-5, Tim Hofer wrote:
> It sadly does not work

Tim,

I can successfully do this with the following:

--Copy snort.conf file in /etc/nsm/hostname-interface/

"sudo cp /etc/nsm/hostname-interface/snort.conf /etc/nsm/hostname-interface/snort2.conf"

--Run snort

sudo snort -c /etc/nsm/hostname-interface/snort2.conf -r pcap.pcap

You could, of course, copy the conf file to another dir, but you would need to make sure you are able to access classification.config, etc -- I would try it like this first to see if it works and change it from there, if necessary.

Thanks,
Wes

Wes

Nov 12, 2016, 11:45:20 AM
to security-onion

To add, is there any reason you don't want to use tcpreplay?

Thanks,
Wes

Tim Hofer

Nov 12, 2016, 12:00:32 PM
to security-onion
I tried this way but still get a lot of output with warnings like this:

...
WARNING: flowbits key 'irc.start' is set but not ever checked.
WARNING: flowbits key 'ET.TorIP' is set but not ever checked.
WARNING: flowbits key 'file.crx' is set but not ever checked.
WARNING: flowbits key 'file.wri' is set but not ever checked.
WARNING: flowbits key 'file.abc' is set but not ever checked.
WARNING: flowbits key 'ET.Evil' is set but not ever checked.
WARNING: flowbits key 'file.esignal' is set but not ever checked.
WARNING: flowbits key 'file.qcp' is set but not ever checked.
WARNING: flowbits key 'file.rtx' is set but not ever checked.
WARNING: flowbits key 'file.s3m' is set but not ever checked.
...

and this is the end of output:

531 out of 1024 flowbits in use.

[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format : Full-Q
| Finite Automaton : DFA
| Alphabet Size : 256 Chars
| Sizeof State : Variable (1,2,4 bytes)
| Instances : 395
| 1 byte states : 372
| 2 byte states : 21
| 4 byte states : 2
| Characters : 528658
| States : 333270
| Transitions : 48163449
| State Density : 56.5%
| Patterns : 31939
| Match States : 31675
| Memory (MB) : 246.00
| Patterns : 3.45
| Match Lists : 11.20
| DFA
| 1 byte states : 2.74
| 2 byte states : 93.33
| 4 byte states : 134.59
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 5460 ]
ERROR: pfring DAQ does not support read-file.
Fatal Error, Quitting..

So I am not sure what the problem is. Perhaps because of my upgrade of Ubuntu and the update (soup)?

The normal detection over the listening interface seems to work fine.

Tim Hofer

Nov 12, 2016, 12:04:37 PM
to security-onion
The reason is the time. I have many PCAPs with traffic captured over a large amount of time. Is Snort able to process the traffic when I run tcpreplay with --topspeed? Or will Snort drop packets?

Wes

Nov 12, 2016, 12:19:45 PM
to security-onion
On Saturday, November 12, 2016 at 12:04:37 PM UTC-5, Tim Hofer wrote:
> The reason is the time. I have many PCAPs with traffic captured over a large amount of time. Is Snort able to process the traffic when I run tcpreplay with --topspeed? Or will Snort drop packets?

I think tcpreplay would be easiest, and you wouldn't have to modify any files -- as far as dropping packets, I think that would be dependent on the amount of resources you have available and how well the sensor is tuned. You can tune PF_RING/IDS processes here:

https://github.com/Security-Onion-Solutions/security-onion/wiki/PF_RING

I'm not sure about the DAQ read-file error mentioned in your output -- if you can post the output of sostat-redacted (attached as a text file) for your machine, it may help to identify if there is something different with your installation of PF_RING, compared to what should be the currently installed version.

Thanks,
Wes

Tim Hofer

Nov 12, 2016, 12:24:45 PM
to security-onion
Thank you for the help! Here is the output of sostat-redacted.
sostat.txt

Wes

Nov 12, 2016, 12:35:48 PM
to security-onion
On Saturday, November 12, 2016 at 12:24:45 PM UTC-5, Tim Hofer wrote:
> Thank you for the help! Here is the output of sostat-redacted.

Your pf_ring version looks okay -- I'm not sure why you would get that error (mine says pfring DAQ configured to passive). Do you see the same type of output in /var/log/nsm/hostname-interface/snortu-1.log?

I would check the log(s) to make sure the instance you already have running is configured correctly.

Thanks,
Wes

Wes

Nov 12, 2016, 1:10:41 PM
to security-onion

Okay, I lied, I had a typo in my command. It did the same thing for me (pfring DAQ error). Your pf_ring version looks fine, however, you may want to follow the associated guidance for the large amount of ELSA buffers and ELSA Index Date Range.

You will need to tell it to use the pcap read-file DAQ mode as follows:

Add the following: --daq pcap --daq-mode read-file

and '-r pcap.pcap'

to the way snort is already run (should be able to find with 'ps aux | grep snort')

to get the following (or similar):

sudo snort --daq pcap --daq-mode read-file -c /etc/nsm/hostname-interface/snort.conf -r pcap.pcap -u sguil -g sguil -i eth1 -l /nsm/sensor_data/hostname-interface/snort-1 --perfmon-file /nsm/sensor_data/hostname-interface/snort1-stats -U --snaplen 1524

See if that works for you.

Thanks,
Wes
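The procedure Wes describes above (take the sensor's running Snort command from `ps aux | grep snort`, add `--daq pcap --daq-mode read-file` and `-r <file>`) is easy to get wrong by hand when the running line already carries DAQ or input options. The helper below is an added example, not code from the thread or from Security Onion: it rewrites such a command line, dropping any existing `--daq`, `--daq-mode`, `-r` and `--pcap-*` input options (Snort 2 options not shown on the page) and the `-D` daemonise flag, which a one-shot replay does not want. The sample command line, the `/usr/bin/snort` path and the presence of `-D` in the sensor's process listing are assumptions made up for the example.

```python
import shlex

# Snort 2 options that take a value and would conflict with, or duplicate,
# the read-file settings added below.
_VALUE_FLAGS = {"-r", "--daq", "--daq-mode",
                "--pcap-single", "--pcap-file", "--pcap-list", "--pcap-dir"}
# Options without a value that make no sense for a one-shot replay
# (-D daemonises Snort; assumption: the sensor's ps line may carry it).
_DROP_FLAGS = {"-D"}


def to_read_file_command(running_cmd: str, pcap_path: str) -> list:
    """Rewrite the argv of a running Snort sensor into a one-shot read-file run.

    Keeps -c, -u/-g, -l, --perfmon-file, --snaplen and everything else from the
    running process, drops any existing DAQ/pcap-input options, prepends
    '--daq pcap --daq-mode read-file' and appends '-r <pcap_path>'.
    """
    argv = shlex.split(running_cmd)
    if not argv or not argv[0].endswith("snort"):
        raise ValueError("expected a snort command line (as shown by ps aux)")
    out = [argv[0], "--daq", "pcap", "--daq-mode", "read-file"]
    i = 1
    while i < len(argv):
        tok = argv[i]
        name = tok.split("=", 1)[0]          # handle --opt=value spellings too
        if name in _VALUE_FLAGS:
            i += 1 if "=" in tok else 2      # skip the option and its value
            continue
        if name in _DROP_FLAGS:
            i += 1
            continue
        out.append(tok)
        i += 1
    out += ["-r", pcap_path]
    return out


def as_shell(argv: list, use_sudo: bool = True) -> str:
    """Render argv as a copy-pasteable command line, quoting where needed."""
    return ("sudo " if use_sudo else "") + " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Constructed sample of what 'ps aux | grep snort' might show on a
    # Security Onion sensor (binary path and -D are assumptions).
    running = ("/usr/bin/snort -c /etc/nsm/seconion-eth1/snort.conf -u sguil -g sguil "
               "-i eth1 -l /nsm/sensor_data/seconion-eth1/snort-1 "
               "--perfmon-file /nsm/sensor_data/seconion-eth1/snort-1.stats "
               "-U --snaplen 1524 -D")
    print(as_shell(to_read_file_command(running, "byod.pcapng")))
```

Everything else from the running process (`-c`, `-u`/`-g`, `-l`, `--perfmon-file`, `-U`, `--snaplen`) is passed through unchanged, which is what keeps the alerts landing in the same sensor output directory that Sguil and Squert read.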

Tim Hofer

Nov 12, 2016, 1:42:27 PM
to security-onion
Wow, that seems to work better ... but I'm still not sure because I cannot find the alerts in Sguil :(

Wes Lambert

Nov 12, 2016, 1:47:12 PM
to securit...@googlegroups.com

Are you pointing to the original snort configuration file?


On Nov 12, 2016 1:42 PM, "Tim Hofer" <tinmh...@gmail.com> wrote:
Wow, that seems to work better ... but I'm still not sure because I cannot find the alerts in Sguil :(

Tim Hofer

Nov 12, 2016, 1:52:40 PM
to security-onion
This is my command:

Nearly the same as yours but without -i eth1. This also wasn't in the 'ps aux | grep snort' version.

sudo snort --daq pcap --daq-mode read-file -c /etc/nsm/seconion-eth1/snort.conf -r byod.pcapng -u sguil -g sguil -i eth1 -l /nsm/sensor_data/seconion-eth1/snort-1 --perfmon-file /nsm/sensor_data/seconion-eth1/snort-1.stats -U --snaplen 1524 -N

As you can see, I use the original one.

Tim Hofer

Nov 12, 2016, 1:56:14 PM
to security-onion
I was wrong, the -i eth1 is in the command too.
I will try it again :D:D:D ... Thank you so much

Tim Hofer

Nov 12, 2016, 2:19:00 PM
to security-onion
The process seems to work perfectly but I can't see the logs.
Tried with Sguil and Squert. You can look at the output in the file.
snort-output.txt

Tim Hofer

Nov 12, 2016, 2:45:46 PM
to security-onion

Okay, I had a premonition which has proven to be true :D:D.. The pcaps were captured in the past... so with Squert I was able to look for alerts in the past... 6 months ago :D:D... and there I found my alerts with the timestamp from the pcap... I think now I can work with it :D... thank you so much :)
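The resolution of the thread is that Snort in read-file mode stamps its alerts with the packet timestamps from the capture, not with the wall clock at replay time, so the analyst has to query Sguil or Squert for the capture's own time window. The parser below is an added example, not code from the thread or from Security Onion: it walks a libpcap file in memory and reports the packet count, link type and the first/last packet time in UTC, i.e. the window to search. It handles both byte orders and the microsecond and nanosecond magic numbers of the classic libpcap format; it deliberately rejects pcapng (the format of the `byod.pcapng` file in the thread), whose block structure is different. The sample capture, its timestamps (about six months before the thread) and the dummy frames are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# libpcap global-header magic numbers: microsecond and nanosecond timestamp
# variants, each in both byte orders. pcapng uses a different block layout
# and is not handled by this parser.
_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),
}


def pcap_time_range(data: bytes) -> dict:
    """Walk a libpcap file in memory; report packet count and capture window.

    Alerts Snort raises in read-file mode carry these packet timestamps, so
    the window returned here is the time range to query in Sguil/Squert.
    """
    if len(data) < 24:
        raise ValueError("truncated libpcap global header")
    try:
        endian, divisor = _MAGICS[bytes(data[:4])]
    except KeyError:
        raise ValueError("not a libpcap file (pcapng is not supported here)")
    # magic, version major, version minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, _snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    rec = struct.Struct(endian + "IIII")      # ts_sec, ts_frac, incl_len, orig_len
    off, count, first, last = 24, 0, None, None
    while off < len(data):
        if off + rec.size > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, _orig_len = rec.unpack_from(data, off)
        if ts_frac >= divisor or off + rec.size + incl_len > len(data):
            raise ValueError(f"corrupt or truncated record at offset {off}")
        ts = (datetime.fromtimestamp(ts_sec, tz=timezone.utc)
              + timedelta(microseconds=ts_frac * 1_000_000 // divisor))
        first = ts if first is None else min(first, ts)   # tolerate out-of-order
        last = ts if last is None else max(last, ts)
        count += 1
        off += rec.size + incl_len                          # skip the frame bytes
    return {"packets": count, "linktype": linktype, "first": first, "last": last,
            "span": (last - first) if count else timedelta(0)}


def build_sample_pcap(timestamps, linktype: int = 1) -> bytes:
    """Constructed sample: little-endian, microsecond libpcap file with one
    dummy Ethernet frame per timestamp (frame content is irrelevant here)."""
    snaplen = 1524                                  # same snaplen as in the thread
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    body = b""
    for ts in timestamps:
        frame = b"\x00" * 60                        # minimal Ethernet frame
        body += struct.pack("<IIII", int(ts.timestamp()), ts.microsecond,
                            len(frame), len(frame)) + frame
    return hdr + body


# Constructed capture window: about six months before the thread's date.
SAMPLE_BASE = datetime(2016, 5, 10, 8, 0, tzinfo=timezone.utc)
SAMPLE_TIMES = [SAMPLE_BASE,
                SAMPLE_BASE + timedelta(minutes=30, microseconds=250_000),
                SAMPLE_BASE + timedelta(hours=26)]


def sample_capture_window() -> dict:
    """Parse the constructed sample and return its capture window."""
    return pcap_time_range(build_sample_pcap(SAMPLE_TIMES))


if __name__ == "__main__":
    info = sample_capture_window()
    print(f"{info['packets']} packets, linktype {info['linktype']}")
    print(f"search alerts from {info['first'].isoformat()} to {info['last'].isoformat()}")
```

To use it on a real file, pass `open(path, "rb").read()` to `pcap_time_range`; for large captures the same loop can be rewritten to read record by record, since only the 16-byte record headers are inspected and the frame bytes are skipped.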