Snort mailing list archives
problem with http_inspect_server interactions with rules
From: "Joe Patterson" <jpatterson () asgardgroup com>
Date: Tue, 23 Nov 2004 16:56:29 -0500
I've seen something that I *think* is an error, and is certainly undesired behavior, with an interaction between http_inspect_server parameters and some rules (I haven't tested many rules; I want to get this one working so that I know what the core problem is). I've tested this on snort 2.2.0 build 30 and 2.3.0RC1 Build 8, and I'm using a linux 2.6.5 kernel running gentoo.

I've got a pcap file (http://www.asgardgroup.com/~jpatterson/snort/mydata.pcap) with two http GET requests in it, and the responses to them (note that this is a completely contrived example. I contrived it for the purpose of triggering two rules for some unrelated event correlation work, and was surprised when snort didn't give me the output I was expecting). I've also got a snort config file (http://www.asgardgroup.com/~jpatterson/snort/mysnort.conf) containing exactly two alert rules, and the variables and preprocessors necessary to their correct operation. The specific rules (from the current rulebase) are:

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; flow:to_server,established; uricontent:"/level/"; uricontent:"/exec/"; reference:bugtraq,2936; reference:cve,2001-0537; classtype:web-application-attack; sid:1250; rev:11;)

    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES directory listing"; flow:from_server,established; content:"Volume Serial Number"; classtype:bad-unknown; sid:1292; rev:8;)

If I run the following command:

    snort -c ./mysnort.conf -l . -r ./mydata.pcap -A full -k none

I get an alert output that contains only the two "WEB-MISC Cisco IOS HTTP configuration attempt" entries. Now, if I comment out the configuration line:

    preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500

then I get a very different looking alert file that contains only the "ATTACK-RESPONSES directory listing" alert.

I can't figure out for the life of me why that configuration option would either enable the HTTP configuration attempt alert, or why its absence would disable same. Nor can I figure out why its absence would disable the attack response rule, and its presence would disable that rule. Anyone have any thoughts as to why this sort of thing might happen?

Thanks,

-Joe Patterson, CCNP, CISSP
Senior Security Engineer
SteelCloud, Inc.
(954)318-3200x105
jpatterson () asgardgroup com
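The following is an added example, not code from the post or from the Snort project. It parses the two rule signatures quoted above into their header and options, then evaluates them against a constructed HTTP request and response (the pcap in the post is not reproduced; the payloads here are made up to carry the same strings). The evaluator models one documented Snort 2.x behaviour: uricontent searches the normalized URI buffer that the http_inspect preprocessor populates, so when the preprocessor is absent the buffer is empty and a uricontent-only rule cannot match. That is consistent with the first observation (sid 1250 only fires with the http_inspect_server line present). It does not reproduce the second observation (sid 1292 disappearing when the line is present), which the post leaves unexplained. The function names, the "to_server"/"from_server" direction tags and the buffer dict layout are assumptions of this example, and the URI "normalization" is simplified to extracting the request path.

```python
import re
from typing import Dict, List, Optional

# Rule text copied from the post (sid 1250 and sid 1292).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP '
    'configuration attempt"; flow:to_server,established; uricontent:"/level/"; '
    'uricontent:"/exec/"; reference:bugtraq,2936; reference:cve,2001-0537; '
    'classtype:web-application-attack; sid:1250; rev:11;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES directory listing"; '
    'flow:from_server,established; content:"Volume Serial Number"; classtype:bad-unknown; '
    'sid:1292; rev:8;)',
]

# Constructed traffic (assumption: not the bytes from mydata.pcap), carrying the same strings.
REQUEST = "GET /level/15/exec/show/config HTTP/1.0\r\nHost: router.example\r\n\r\n"
RESPONSE = ("HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
            " Volume in drive C has no label.\r\n Volume Serial Number is 1234-ABCD\r\n")

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
# One option body terminated by ';', allowing ';' inside double quotes.
OPTION_RE = re.compile(r'((?:[^;"]|"[^"]*")+);')


def parse_rule(text: str) -> Dict:
    """Split a Snort 2 rule into its header fields and a multimap of options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule header: %r" % text[:40])
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options: Dict[str, List[str]] = {}
    for raw in OPTION_RE.findall(body):
        raw = raw.strip()
        if not raw:
            continue
        key, _, val = raw.partition(":")
        val = val.strip()
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        # Keys such as uricontent and reference may repeat, so keep every value.
        options.setdefault(key.strip(), []).append(val)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def rule_matches(rule: Dict, flow_dir: str, buffers: Dict[str, Optional[str]]) -> bool:
    """Evaluate flow direction, content (raw payload) and uricontent (URI buffer).

    buffers["uri"] is None when http_inspect did not run, so uricontent cannot match.
    """
    opts = rule["options"]
    flow = opts.get("flow", [""])[0].split(",")
    if "to_server" in flow and flow_dir != "to_server":
        return False
    if "from_server" in flow and flow_dir != "from_server":
        return False
    payload = buffers.get("payload") or ""
    if any(needle not in payload for needle in opts.get("content", [])):
        return False
    uri = buffers.get("uri")
    for needle in opts.get("uricontent", []):
        if uri is None or needle not in uri:
            return False
    return True


def normalize_uri(request: str) -> Optional[str]:
    """Simplified stand-in for http_inspect: pull the path out of the request line."""
    m = re.match(r"^[A-Z]+\s+(\S+)\s+HTTP/", request)
    return m.group(1) if m else None


def alerts_for(http_inspect_enabled: bool) -> List[int]:
    """Return the sids that fire on the constructed request/response pair."""
    rules = [parse_rule(r) for r in RULES]
    packets = [
        ("to_server", {"payload": REQUEST,
                       "uri": normalize_uri(REQUEST) if http_inspect_enabled else None}),
        ("from_server", {"payload": RESPONSE, "uri": None}),
    ]
    fired = []
    for rule in rules:
        if any(rule_matches(rule, d, b) for d, b in packets):
            fired.append(int(rule["options"]["sid"][0]))
    return fired


if __name__ == "__main__":
    print("http_inspect on :", alerts_for(True))
    print("http_inspect off:", alerts_for(False))
```

Running it prints the sids that fire with and without the URI buffer; the rule parser is the reusable part, and the evaluator can be extended with further option keywords (nocase, depth, offset) against the same buffer dict.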