Snort mailing list archives
No content match in modern snorts
From: nard <nard () nardware co uk>
Date: Tue, 20 Sep 2005 13:10:57 +0100
Afternoon all. I have noticed that some rules on my snort system are not triggering when they should.

Simple test rig:

    |client|---|snort|---|webserver|

The webserver has a two line text file on it containing

    foo
    bar

I have three _simple_ rules on the snort system:

    alert tcp any any <> any any (msg: "Debian"; content: "Debian";)
    alert tcp any any <> any any (msg: "bar"; content: "bar";)
    alert tcp any any <> any any (msg: "foo"; content: "foo";)

I am using wget to download a text file from the webserver to the client. When using *certain* versions of snort, the foo and bar rules never trigger. The Debian rule however always does (the webserver is a Debian box and the string is therefore in the HTTP banner). I have enabled one rule at a time, and also tried all three at the same time.

I have repeated this test with many versions of snort, and have mixed results.

Snort 1.8 (installed via apt-get on a Debian woody box)
    Debian rule: alert is raised
    foo rule:    alert is raised
    bar rule:    alert is raised

Snort 2.0.6 (built from source on a Debian woody box)
    Debian rule: alert is raised
    foo rule:    alert is raised
    bar rule:    alert is raised

Snort 2.1.2 (built from source on a Debian woody box)
    Debian rule: alert is raised
    foo rule:    *No alert*
    bar rule:    *No alert*

Snort 2.4 (built from source on a Debian sarge box)
    Debian rule: alert is raised
    foo rule:    *No alert*
    bar rule:    *No alert*

Snort 2.3 (installed via apt-get on a Debian sarge box)
    Debian rule: alert is raised
    foo rule:    *No alert*
    bar rule:    *No alert*

The snort.conf on all tests is a near vanilla config file (the only thing changed from stock is to enable alerts to syslog).

Using tethereal on the snort sensor I can see the below packet crossing the wire each time.
    Ethernet II, Src: 00:0b:6a:3a:45:5a, Dst: 52:54:00:12:77:26
    Internet Protocol, Src Addr: 192.168.0.59 (192.168.0.59), Dst Addr: 192.168.0.157 (192.168.0.157)
    Transmission Control Protocol, Src Port: www (80), Dst Port: 1059 (1059), Seq: 1, Ack: 98, Len: 337
    Hypertext Transfer Protocol
    Line-based text data: text/plain

    0000  52 54 00 12 77 26 00 0b 6a 3a 45 5a 08 00 45 00   RT..w&..j:EZ..E.
    0010  01 85 29 53 40 00 40 06 8d f7 c0 a8 00 3b c0 a8   ..)S@.@......;..
    0020  00 9d 00 50 04 23 0f 7c 21 e7 51 47 a0 ef 80 18   ...P.#.|!.QG....
    0030  16 a0 bb 6e 00 00 01 01 08 0a 14 a0 08 ed 00 07   ...n............
    0040  b8 03 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f   ..HTTP/1.1 200 O
    0050  4b 0d 0a 44 61 74 65 3a 20 4d 6f 6e 2c 20 31 39   K..Date: Mon, 19
    0060  20 53 65 70 20 32 30 30 35 20 31 36 3a 31 38 3a    Sep 2005 16:18:
    0070  31 33 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20   13 GMT..Server: 
    0080  41 70 61 63 68 65 2f 31 2e 33 2e 33 33 20 28 44   Apache/1.3.33 (D
    0090  65 62 69 61 6e 20 47 4e 55 2f 4c 69 6e 75 78 29   ebian GNU/Linux)
    00a0  20 6d 6f 64 5f 70 65 72 6c 2f 31 2e 32 39 0d 0a    mod_perl/1.29..
    00b0  4c 61 73 74 2d 4d 6f 64 69 66 69 65 64 3a 20 4d   Last-Modified: M
    00c0  6f 6e 2c 20 31 39 20 53 65 70 20 32 30 30 35 20   on, 19 Sep 2005 
    00d0  31 35 3a 31 37 3a 32 38 20 47 4d 54 0d 0a 45 54   15:17:28 GMT..ET
    00e0  61 67 3a 20 22 31 30 38 33 63 37 2d 38 2d 34 33   ag: "1083c7-8-43
    00f0  32 65 64 36 38 38 22 0d 0a 41 63 63 65 70 74 2d   2ed688"..Accept-
    0100  52 61 6e 67 65 73 3a 20 62 79 74 65 73 0d 0a 43   Ranges: bytes..C
    0110  6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 38   ontent-Length: 8
    0120  0d 0a 4b 65 65 70 2d 41 6c 69 76 65 3a 20 74 69   ..Keep-Alive: ti
    0130  6d 65 6f 75 74 3d 31 35 2c 20 6d 61 78 3d 31 30   meout=15, max=10
    0140  30 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b   0..Connection: K
    0150  65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f 6e 74 65   eep-Alive..Conte
    0160  6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c   nt-Type: text/pl
    0170  61 69 6e 3b 20 63 68 61 72 73 65 74 3d 69 73 6f   ain; charset=iso
    0180  2d 38 38 35 39 2d 31 0d 0a 0d 0a 66 6f 6f 0a 62   -8859-1....foo.b
    0190  61 72 0a                                          ar.

Does anyone have an idea what is going on, or rather what I am doing wrong here!?!
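As an added check that is not part of the original post (and not the author's or the Snort project's code): the Python script below takes the frame from the tethereal dump above, walks the Ethernet, IPv4 and TCP headers by their declared lengths to isolate the TCP payload, and runs the three rules' content: strings against it the way a plain, modifier-free content match would. Confirming that the strings really are in the payload, and at what offsets, is the first thing to establish before looking at the sensor's preprocessor and reassembly settings.

```python
"""Check, independently of the IDS, whether a captured TCP segment really
carries the strings a set of plain Snort 'content:' rules search for."""
import struct

# Frame transcribed from the tethereal dump in the post above: 14-byte Ethernet,
# 20-byte IPv4, 32-byte TCP (with options), then the 337-byte HTTP response.
FRAME = bytes.fromhex(
    "525400127726000b6a3a455a0800450001852953400040068df7c0a8003bc0a8"
    "009d005004230f7c21e75147a0ef801816a0bb6e00000101080a14a008ed0007"
    "b803485454502f312e3120323030204f4b0d0a446174653a204d6f6e2c203139"
    "2053657020323030352031363a31383a313320474d540d0a5365727665723a20"
    "4170616368652f312e332e3333202844656269616e20474e552f4c696e757829"
    "206d6f645f7065726c2f312e32390d0a4c6173742d4d6f6469666965643a204d"
    "6f6e2c2031392053657020323030352031353a31373a323820474d540d0a4554"
    "61673a20223130383363372d382d3433326564363838220d0a4163636570742d"
    "52616e6765733a2062797465730d0a436f6e74656e742d4c656e6774683a2038"
    "0d0a4b6565702d416c6976653a2074696d656f75743d31352c206d61783d3130"
    "300d0a436f6e6e656374696f6e3a204b6565702d416c6976650d0a436f6e7465"
    "6e742d547970653a20746578742f706c61696e3b20636861727365743d69736f"
    "2d383835392d310d0a0d0a666f6f0a6261720a"
)

# The three content: patterns from the post's rules (case-sensitive, no modifiers).
RULES = {"Debian": b"Debian", "foo": b"foo", "bar": b"bar"}

def tcp_payload(frame: bytes) -> bytes:
    """Walk Ethernet/IPv4/TCP headers by their declared lengths; return TCP data."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length incl. options
    total_len = struct.unpack("!H", ip[2:4])[0]    # drops any Ethernet trailer padding
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    doff = (tcp[12] >> 4) * 4                      # TCP header length incl. options
    return tcp[doff:]

def match_rules(payload: bytes, rules=RULES) -> dict:
    """Map each rule name to the offset of its first content match, or None."""
    return {name: (off if (off := payload.find(pat)) >= 0 else None)
            for name, pat in rules.items()}

if __name__ == "__main__":
    data = tcp_payload(FRAME)
    print(f"TCP payload: {len(data)} bytes")
    for name, off in match_rules(data).items():
        print(f"  {name:7s} -> {'offset %d' % off if off is not None else 'no match'}")
```

For the frame above it reports a 337-byte payload with Debian at offset 77, foo at 329 and bar at 333, i.e. all three strings are in the very same segment, so the difference in alerting cannot be explained by the packet contents.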