This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Questions to the functionality of Snort

Hi all,

I have here ASL last version / patches.

For the information:

it is a question in the detail of servers in the DMZ.
Some servers in the DMZ have a Snort Sensor.

For example.

In the ASL IDS rules following things are not allowed (drop).

ISAPI .ida attempt // WEB-IIS cmd.exe access

The IDS  logging file of the ASL looks as follows.

2005:02:10-21:51:43 (none) snort[7290]: [1:1243:0] D WEB-IIS ISAPI .ida attempt [Classification: Web Application Attack] [Priority: 1]:  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80
2005:02:10-21:51:43 (none) snort[7290]: [119:3:1] (http_inspect) U ENCODING  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80
2005:02:10-21:51:43 (none) snort[7290]: [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80
2005:02:10-21:51:43 (none) snort[7290]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80
2005:02:10-21:51:43 (none) snort[7290]: [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80
2005:02:10-21:51:44 (none) snort[7290]: [1:1243:0] D WEB-IIS ISAPI .ida attempt [Classification: Web Application Attack] [Priority: 1]:  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80
2005:02:10-21:51:44 (none) snort[7290]: [119:3:1] (http_inspect) U ENCODING  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80
2005:02:10-21:51:44 (none) snort[7290]: [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80
2005:02:10-21:51:47 (none) snort[7290]: [119:3:1] (http_inspect) U ENCODING  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80
2005:02:10-21:51:47 (none) snort[7290]: [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80

And the Snort Sensor in the DMZ sees following:

#2025-(4-47325)        [cve][icat][bugtraq][arachNIDS][snort] WEB-IIS ISAPI .ida access        2005-02-10 21:51:28        24.159.16.146:4825        192.168.100.31:80        TCP
#2026-(4-47324)        [cve][icat][bugtraq][arachNIDS][snort] WEB-IIS ISAPI .ida attempt        2005-02-10 21:51:28        24.159.16.146:4825        192.168.100.31:80        TCP
#2027-(4-47323)        [snort] (http_inspect) NON-RFC DEFINED CHAR   2005-02-10 21:51:25        24.159.16.146:4825        192.168.100.31:80        TCP
#2028-(4-47322)        [snort] WEB-IIS cmd.exe access

My issues to that:

Why does the Snort Sensor see said rules in the DMZ?
Why does IDS from ASL not see this action " WEB-IIS cmd.exe access"     ?

Thx

Stefan

This thread was automatically locked due to age.

Parents

0 William Warren over 20 years ago

ASL 5 by default routes all traffic through the ids. Unless you do not want the traffic to the DMZ checked for malicious activity i would leave it that way. If you do not want the IDS to scan the DMZ then in the allowed network add your internal and external interfaces and the dmz will not be scanned.
Cancel
Vote Up 0 Vote Down

Cancel
0 StefanS_01 over 20 years ago in reply to William Warren

Hmm William,

I would already like that IDS ASL controls my DMZ.
For this purpose the DMZ is in the local net.

I am surprised only at following:

IDS ASL
2005:02:10-21:51:43 (none) snort[7290]: [1:1243:0] D WEB-IIS ISAPI .ida attempt [Classification: Web Application Attack] [Priority: 1]:  {PROTO006} 24.159.16.146:4825 -> 192.168.100.31:80

You  see [1:1243:0] "D", for me the drop means.
But why does the Snort Sensor  see also this thing in the DMZ ?

And why does IDS ASL not see this?

#2028-(4-47322) [snort] WEB-IIS cmd.exe access

Stefan
Cancel
Vote Up 0 Vote Down

Cancel
0 StefanS_01 over 20 years ago in reply to William Warren

und the result?
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 20 years ago in reply to StefanS_01

if hte packet is dropped it is thrown away. Then snort logs it telling you it caught the bad packet and threw it away. This means that malicious traffic never made it to your dmz which is a good thing.
Cancel
Vote Up 0 Vote Down

Cancel
0 StefanS_01 over 20 years ago in reply to William Warren

I already understood.

But why a Snort Sensor sees, that on a server in the DMZ is installed, the same one Rule violation?

look at the beginning of the thread
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 20 years ago in reply to StefanS_01

do you have snort running on the machine in the dmz?
Cancel
Vote Up 0 Vote Down

Cancel
0 StefanS_01 over 20 years ago in reply to William Warren

yes
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 20 years ago in reply to StefanS_01

something is not configured right i think..or there is a massive hole in the IDS. Let's check the settings to rule out #1.

what do you have setup in the global settings? Is local networks blank?

Then under rules:
Which groups do you have turned on..and are those groups on alert or drop?
Cancel
Vote Up 0 Vote Down

Cancel
0 StefanS_01 over 20 years ago in reply to William Warren

OK, step by step.

IDS ASL Settings:

Local Network,

DMZ, Internal, ISDN-Network

Advance Setting

all http-Servers, dns-Servers etc (most in the DMZ).

Info:

the destination Adress from the example is a http-server.

corresponding rule is acting, otherwise no "drop" would come.

Stefan
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 20 years ago in reply to StefanS_01

[ QUOTE ]
OK, step by step.

IDS ASL Settings:

Local Network,

DMZ, Internal, ISDN-Network

Advance Setting

all http-Servers, dns-Servers etc (most in the DMZ).

Info:

the destination Adress from the example is a http-server.

corresponding rule is acting, otherwise no "drop" would come.

Stefan

[/ QUOTE ]
Ok in the performance tuning i would empty everything out. In the local networks empty it out.
In the rules groups(which was not specified) I am assuming you have all web groups actiavated and changed to alert(yellow triange with an exclamation point)..you may have to change those to drop. If they are already on drop then please disregard this statement.
Cancel
Vote Up 0 Vote Down

Cancel
0 StefanS_01 over 20 years ago in reply to William Warren

I will test that once.
But why local network empty?

There is a tool with that I the rules can test?
I think there of "Nessus" of the Web // Internet to our server, you know a URL ?
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 20 years ago in reply to StefanS_01

emptying local networks guarentees all traffic goes through the ids..[:)]
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 William Warren over 20 years ago in reply to StefanS_01

emptying local networks guarentees all traffic goes through the ids..[:)]
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data