From: <ni...@el...> - 2006-01-19 12:58:22
|
Hi, list

Following is my machine configuration:

Intel(R) Celeron(R) CPU 2.00GHz with 128KB cache and intel 10/100Mb NIC...
Memory: 1GB

The thing is, after patching snort 2.3.3 with the snort_inline patch, I have 2 different configurations for Stream4:

1.) preprocessor stream4: disable_evasion_alerts

In this case my CPU is less than 10% for a set of traffic.

2.) preprocessor stream4: disable_evasion_alerts, stream4inline, memcap 134217728, timeout 3600, midstream_drop_alerts

In this case my CPU hits 50% at specific intervals (don't know whether the interval is random or some specific one..... :) ) with the same set of traffic....

Is it due to the inline modifications in stream4?

Regards,
Nishit Shah.
|
From: Victor J. <vi...@nk...> - 2006-01-19 13:21:39
|
ni...@el... wrote:
> Is it due to the inline modifications in stream4 ????

Yes, that is possible, since stream4inline does a lot more work than normal stream4 (even in inline mode). This is because it constantly scans a reassembled buffer, which is more costly. However, you don't need to enable the stream4inline option to use stream4 in inline mode. I do however think that with the stream4inline option enabled, there is less chance that you miss an attack.

Regards,
Victor
|
From: Will M. <wil...@gm...> - 2006-01-19 13:25:22
|
Of course it is due to your stream4 configuration: you are creating an uber packet for every packet that you receive that is part of the corresponding stream. If you want to protect your systems against session splicing attacks in InlineMode() this is the price you pay. If you don't care about session splicing, turn it off.

Regards,

Will
|
From: <ni...@el...> - 2006-01-23 10:55:50
|
Hi,

Does the Snort ruleset contain signatures that splice across the sessions? I am using the default ruleset of Snort 2.3.3.

Regards,
Nishit Shah.

> Of course it is due to your stream4 configuration you are creating an
> uber packet for every packet that you receive that is part of the
> corresponding stream. If you want to protect your systems against
> session splicing attacks in InlineMode() this is the price you pay.
> If you don't care about session splicing turn it off.
|
From: Will M. <wil...@gm...> - 2006-01-23 13:05:03
|
It is fairly trivial to splice an attack across multiple packets. Download Nikto and take a look at the IDS evasion techniques. There is a good paper in the SANS reading room and a perl script to splice tcp sessions at

http://www.sans.org/resources/idfaq/sess_splicing.php

Regards,

Will

On 1/23/06, ni...@el... <ni...@el...> wrote:
> does Snort ruleset contains signatures that splice across the sessions ?
> I am using default ruleset of Snort 2.3.3
|
From: Gulfie <gu...@gr...> - 2006-01-23 13:17:52
|
On Thu, Jan 19, 2006 at 06:18:30PM +0530, ni...@el... wrote:
> 2.) preprocessor stream4: disable_evasion_alerts, stream4inline, memcap
> 134217728, timeout 3600, midstream_drop_alerts
>
> In this case my CPU hits 50% at specific intervals don't know interval is
> random or some specific..... :) with same set of traffic....

Where are you getting the traffic from?

-gulfie
|
From: Will M. <wil...@gm...> - 2006-01-23 13:48:41
|
Not only that, what options are you passing to stream4_reassemble?

Regards,

Will

On 1/23/06, Gulfie <gu...@gr...> wrote:
> Where are you getting the traffic from?
|
From: <ni...@el...> - 2006-01-23 15:22:08
|
Hi,

For testing I have the following rules in my experimental.rules file:

alert tcp any any -> any any (msg:"Nishit Test0"; content:"nishit";)
drop tcp any any -> any any (msg:"Nishit Test"; content:"root";)

I did a telnet to 1 machine through snort_inline (2.4.3) & gave the username "nishit" (user nishit doesn't exist on the telnet server!!!!!) and after that I tried with username "root" & the traffic wasn't blocked.....

In the 2nd try I did a telnet to the same machine & gave the username "root" & my traffic was blocked... ????????

Why?????

Regards,
Nishit Shah.
|
From: Will M. <wil...@gm...> - 2006-01-23 15:27:06
|
huh?

On 1/23/06, ni...@el... <ni...@el...> wrote:
> and after that I tried with username "root" & traffic hadn't blocked.....
>
> In 2nd try I had done telnet on same machine & gave username as "root" &
> my traffic blocked... ????????
>
> Why ?????
|
From: Will M. <wil...@gm...> - 2006-01-24 00:59:59
|
If you are saying that reassembly doesn't work.....

01/23-18:41:46.031945 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} y.y.y.y:44040 -> z.z.z.z:23
01/23-18:54:47.611362 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} z.z.z.z:23 -> y.y.y.y:38602
01/23-18:54:48.962838 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} z.z.z.z:23 -> y.y.y.y:38602
01/23-18:54:52.022800 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} z.z.z.z:23 -> y.y.y.y:38602
01/23-18:54:58.142742 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} z.z.z.z:23 -> y.y.y.y:38602
01/23-18:55:10.365608 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} z.z.z.z:23 -> y.y.y.y:38602

Drops on "t" in root; tried it in two different environments, both dropped successfully.

Regards,

Will
|
From: <ni...@el...> - 2006-01-24 06:21:27
Attachments:
snort_inline.conf
|
Well, after your comment, I have tried with snort 2.4.3 without the snort_inline patch & still I got the same result.... I am attaching my snort_inline.conf file...... So it is not something related to reassembly, but I think flushing things after an alert or something like that......

I have changed the lines in the experimental.rules file to

alert tcp any any -> any any (msg:"Nishit Test0"; content:"nishit";)
alert tcp any any -> any any (msg:"Nishit Test"; content:"root";)

and disabled the stream4inline option... & still at the time of connection close I got only one alert......

telnet 192.168.1.30
passwd : nishit
Invalid Passwd
passwd: root
Invalid Passwd
passwd: root
Invalid Passwd
Connection to host lost.

In the above case, as the connection to the host was lost, I got only 1 alert:

01/24-11:43:51.433025 [**] [1:0:0] Nishit Test0 [**] [Priority: 0] {TCP} 192.168.1.76:1551 -> 192.168.1.30:23

After that I have tried the following:

telnet 192.168.1.30
passwd : root
Invalid Passwd
passwd: root
Invalid Passwd
passwd: root
Invalid Passwd
Connection to host lost.

and I got the following alert:

01/24-11:45:00.866990 [**] [1:0:0] Nishit Test [**] [Priority: 0] {TCP} 192.168.1.76:1556 -> 192.168.1.30:23

Now the more interesting thing is....

telnet 192.168.1.30
passwd : root
Invalid Passwd
passwd: nishit
Invalid Passwd
passwd: root
Invalid Passwd
Connection to host lost.

and I got the following alert:

01/24-11:43:51.433025 [**] [1:0:0] Nishit Test0 [**] [Priority: 0] {TCP} 192.168.1.76:1551 -> 192.168.1.30:23

So I think some problem is with flushing........

Regards,
Nishit Shah.

> If you are saying that reassembly doesn't work.....
>
> Drops on "t" in root tried it in two different environments both
> dropped successfully.
|
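Added example (not code from this thread, from Snort or from snort_inline): a toy Python model of per-packet content matching versus matching on a reassembled stream buffer. It illustrates both Will's point about session splicing (a pattern split across two TCP segments is invisible per packet but visible in the reassembled buffer) and Nishit's observation that only one alert shows up per session when inspection happens at flush time. The rule names and patterns come from the experimental.rules lines in the thread; the segments, the flush size and the one-alert-per-rule-per-flush behaviour are constructed assumptions for illustration, not a description of stream4's actual internals.

```python
# Toy model of content matching with and without stream reassembly.
# RULES mirrors the two experimental.rules lines quoted in the thread.
RULES = {"Nishit Test0": b"nishit", "Nishit Test": b"root"}


def match_packet_by_packet(segments):
    """Inspect every segment on its own, as a detector without reassembly
    would: a pattern spliced across segments is never seen whole."""
    alerts = []
    for seg in segments:
        for msg, pattern in RULES.items():
            if pattern in seg:
                alerts.append(msg)
    return alerts


def match_reassembled(segments, flush_bytes):
    """Append each segment to a stream buffer and inspect the buffer only
    when it is flushed (on reaching flush_bytes, or at end of stream).
    Assumption for this model: each rule fires at most once per flushed
    buffer, which reproduces the single alert per session seen above."""
    alerts, buf = [], b""

    def flush():
        nonlocal buf
        for msg, pattern in RULES.items():
            if pattern in buf:
                alerts.append(msg)
        buf = b""

    for seg in segments:
        buf += seg
        if len(buf) >= flush_bytes:
            flush()
    if buf:               # end of stream: flush whatever is left
        flush()
    return alerts


# Constructed client-to-server segments, modelled on the telnet sessions
# in the thread. SPLICED carries "root" split across two segments.
SPLICED = [b"ro", b"ot\r\n"]
# SESSION is three login attempts sent as three segments on one stream.
SESSION = [b"nishit\r\n", b"root\r\n", b"root\r\n"]

if __name__ == "__main__":
    print("spliced, per packet :", match_packet_by_packet(SPLICED))
    print("spliced, reassembled:", match_reassembled(SPLICED, 1024))
    print("session, per packet :", match_packet_by_packet(SESSION))
    print("session, one flush  :", match_reassembled(SESSION, 1024))
    print("session, small flush:", match_reassembled(SESSION, 4))
```

With a large flush size the whole session is one buffer and each rule fires once; a smaller flush size produces an alert per flushed chunk, which is the flushing effect the last message suspects.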