Snort mailing list archives

problem with http_inspect_server interactions with rules


From: "Joe Patterson" <jpatterson () asgardgroup com>
Date: Tue, 23 Nov 2004 16:56:29 -0500

I've seen something that I *think* is an error, and is certainly undesired
behavior, with an interaction between http_inspect_server parameters and
some rules (I haven't tested many rules, I want to get this one working so
that I know what the core problem is).  I've tested this on snort 2.2.0
build 30 and 2.3.0RC1 Build 8, I'm using a linux 2.6.5 kernel running
gentoo.

I've got a pcap file
(http://www.asgardgroup.com/~jpatterson/snort/mydata.pcap) with two http GET
requests in it, and the responses to them (note that this is a completely
contrived example. I contrived it for the purpose of triggering two rules
for some unrelated event correlation work, and was surprised when snort
didn't give me the output I was expecting). I've also got a snort config
file (http://www.asgardgroup.com/~jpatterson/snort/mysnort.conf) containing
exactly two alert rules, and the variables and preprocessors necessary to
their correct operation.

The specific rules (from the current rulebase) are:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
Cisco IOS HTTP configuration attempt"; flow:to_server,established;
uricontent:"/level/"; uricontent:"/exec/"; reference:bugtraq,2936;
reference:cve,2001-0537; classtype:web-application-attack; sid:1250;
rev:11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES
directory listing"; flow:from_server,established; content:"Volume Serial
Number"; classtype:bad-unknown; sid:1292; rev:8;)

If I run the following command:

snort -c ./mysnort.conf -l . -r ./mydata.pcap -A full -k none

I get an alert output that contains only the two "WEB-MISC Cisco IOS HTTP
configuration attempt" entries.

Now, if I comment out the configuration line:

preprocessor http_inspect_server: server default profile all ports { 80 8080
8180 } oversize_dir_length 500

then I get a very different looking alert file that contains only the
"ATTACK-RESPONSES directory listing" alert.

I can't figure out for the life of me why that configuration option would
either enable the HTTP configuration attempt alert, or why its absence
would disable same. Nor can I figure out why its absence would disable the
attack response rule, and its presence would disable that rule.

Anyone have any thoughts as to why this sort of thing might happen?

Thanks,

-Joe Patterson, CCNP, CISSP
Senior Security Engineer
SteelCloud, Inc.
(954)318-3200x105
jpatterson () asgardgroup com
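An added illustration, written for this archive page and not code from Snort or from the post: a small Python model that parses the two rules quoted above and shows the dependency behind the first observation, that uricontent searches a normalized URI buffer which only exists once http_inspect has parsed the request, so sid 1250 cannot match without the preprocessor while sid 1292, a plain content rule on the response, is unaffected. The rules are cut down to their matching options, the traffic is constructed, and the model deliberately does not reproduce the directory-listing alert disappearing, which the post leaves unexplained.

```python
import re
from urllib.parse import unquote
# The two rules quoted in the post, cut down to the options that decide a match.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP '
    'configuration attempt"; flow:to_server,established; uricontent:"/level/"; uricontent:"/exec/"; sid:1250;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES directory listing"; '
    'flow:from_server,established; content:"Volume Serial Number"; sid:1292;)',
]

def parse_rule(rule):
    """Return the rule's option list as (keyword, value) pairs, quotes stripped."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for opt in (o.strip() for o in body.split(";")):
        if opt:
            key, _, val = opt.partition(":")
            opts.append((key.strip(), val.strip().strip('"')))
    return opts

def uri_buffer(payload, http_inspect):
    """Model the normalized URI buffer that http_inspect fills for uricontent to search;
    without the preprocessor no URI buffer exists, so return None."""
    m = re.match(rb"[A-Z]+ (\S+) HTTP/", payload)
    if not http_inspect or not m:
        return None
    # Two of http_inspect's normalizations: %xx decoding and collapsing repeated slashes.
    return re.sub(r"/+", "/", unquote(m.group(1).decode("latin-1")))

def rule_matches(rule, payload, direction, http_inspect):
    """Apply flow, content and uricontent; any failing option rejects the rule."""
    uri = uri_buffer(payload, http_inspect)
    raw = payload.decode("latin-1")
    for key, val in parse_rule(rule):
        if key == "flow" and val.split(",")[0] != direction:
            return False
        if key == "content" and val not in raw:  # plain search of the raw payload
            return False
        if key == "uricontent" and (uri is None or val not in uri):  # needs the URI buffer
            return False
    return True

def fired_sids(packets, http_inspect):
    """Return the sids that fire on the packet list, in packet order."""
    return [int(dict(parse_rule(r))["sid"]) for direction, payload in packets
            for r in RULES if rule_matches(r, payload, direction, http_inspect)]
# Constructed traffic: a request for sid 1250 (URI partly %-encoded, so only the
# normalized buffer contains "/exec/") and a response carrying the string sid 1292 wants.
PACKETS = [
    ("to_server", b"GET /level/15/%65xec/show/config HTTP/1.0\r\nHost: h\r\n\r\n"),
    ("from_server", b"HTTP/1.0 200 OK\r\n\r\n Volume Serial Number is 1234-ABCD\r\n"),
]
```

Running `fired_sids(PACKETS, True)` gives both sids, while `fired_sids(PACKETS, False)` gives only 1292, matching the first half of the behaviour reported above.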
