Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 19 replies
  • Subscribers 2 subscribers
  • Views 25075 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Questions to the functionality of Snort

StefanS_01
Hi all,

I have here ASL last version / patches.

For the information:

it is a question in the detail of servers in the DMZ.
Some servers in the DMZ have a Snort Sensor.

For example.

In the ASL IDS rules following things are not allowed (drop).

ISAPI .ida attempt // WEB-IIS cmd.exe access 

The IDS  logging file of the ASL looks as follows.

2005:02:10-21:51:43 (none) snort[7290]: [1:1243:0] D WEB-IIS ISAPI .ida attempt [Classification: Web Application Attack] [Priority: 1]:  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80
2005:02:10-21:51:43 (none) snort[7290]: [119:3:1] (http_inspect) U ENCODING  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80
2005:02:10-21:51:43 (none) snort[7290]: [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80
2005:02:10-21:51:43 (none) snort[7290]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80
2005:02:10-21:51:43 (none) snort[7290]: [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80
2005:02:10-21:51:44 (none) snort[7290]: [1:1243:0] D WEB-IIS ISAPI .ida attempt [Classification: Web Application Attack] [Priority: 1]:  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80
2005:02:10-21:51:44 (none) snort[7290]: [119:3:1] (http_inspect) U ENCODING  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80
2005:02:10-21:51:44 (none) snort[7290]: [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80
2005:02:10-21:51:47 (none) snort[7290]: [119:3:1] (http_inspect) U ENCODING  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80
2005:02:10-21:51:47 (none) snort[7290]: [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80

And the Snort Sensor in the DMZ sees following:

#2025-(4-47325)        [cve][icat][bugtraq][arachNIDS][snort] WEB-IIS ISAPI .ida access        2005-02-10 21:51:28        24.159.16.146:4825        192.168.100.31:80        TCP     
#2026-(4-47324)        [cve][icat][bugtraq][arachNIDS][snort] WEB-IIS ISAPI .ida attempt        2005-02-10 21:51:28        24.159.16.146:4825        192.168.100.31:80        TCP     
#2027-(4-47323)        [snort] (http_inspect) NON-RFC DEFINED CHAR   2005-02-10 21:51:25        24.159.16.146:4825        192.168.100.31:80        TCP     
#2028-(4-47322)        [snort] WEB-IIS cmd.exe access     

My issues to that:

Why does the Snort Sensor see said rules in the DMZ?
Why does IDS from ASL not see this action " WEB-IIS cmd.exe access"     ?

Thx

Stefan


This thread was automatically locked due to age.
Parents
  • 0
    ASL 5 by default routes all traffic through the ids.  Unless you do not want the traffic to the DMZ checked for malicious activity i would leave it that way.  If you do not want the IDS to scan the DMZ then in the allowed network add your internal and external interfaces and the dmz will not be scanned.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to William Warren
    Hmm William,

    I would already like that IDS ASL controls my DMZ.
    For this purpose the DMZ is in the local net.

    I am surprised only at following:

    IDS ASL
    2005:02:10-21:51:43 (none) snort[7290]: [1:1243:0] D WEB-IIS ISAPI .ida attempt [Classification: Web Application Attack] [Priority: 1]:  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80

    You  see [1:1243:0] "D", for me the drop means.
    But why does the Snort Sensor  see also this thing in the DMZ ?

    And why does IDS ASL not see this?

    #2028-(4-47322) [snort] WEB-IIS cmd.exe access 

    Stefan
  • 0 in reply to StefanS_01
    if hte packet is dropped it is thrown away.  Then snort logs it telling you it caught the bad packet and threw it away.  This means that malicious traffic never made it to your dmz which is a good thing.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to William Warren
    I already understood.

    But why a Snort Sensor sees, that on a server in the DMZ is installed, the same one Rule violation?

    look at the beginning of the thread
  • 0 in reply to StefanS_01
    do you have snort running on the machine in the dmz?

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to StefanS_01
    something is not configured right i think..or there is a massive hole in the IDS.  Let's check the settings to rule out #1.

    what do you have setup in the global settings?  Is local networks blank?  

    Then under rules:
    Which groups do you have turned on..and are those groups on alert or drop?

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to William Warren
    OK, step by step.

    IDS ASL Settings:

    Local Network,

    DMZ, Internal, ISDN-Network

    Advance Setting

    all http-Servers, dns-Servers etc (most in the DMZ).

    Info:

    the destination Adress from the example is a http-server.

    corresponding rule is acting, otherwise no "drop" would come.

    Stefan
  • 0 in reply to StefanS_01
    [ QUOTE ]
    OK, step by step.

    IDS ASL Settings:

    Local Network,

    DMZ, Internal, ISDN-Network

    Advance Setting

    all http-Servers, dns-Servers etc (most in the DMZ).

    Info:

    the destination Adress from the example is a http-server.

    corresponding rule is acting, otherwise no "drop" would come.

    Stefan 

    [/ QUOTE ]
    Ok in the performance tuning i would empty everything out.  In the local networks empty it out.  
    In the rules groups(which was not specified) I am assuming you have all web groups actiavated and changed to alert(yellow triange with an exclamation point)..you may have to change those to drop.  If they are already on drop then please disregard this statement.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to William Warren
    I will test that once.
    But why local network empty?

    There is a tool with that I the rules can test?
    I think there of "Nessus" of the Web // Internet  to our server, you know a URL ?
  • 0 in reply to StefanS_01
    emptying local networks guarentees all traffic goes through the ids..[:)]

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

Reply Children
No Data
Cookie Information Banner