Snort mailing list archives
Re: Content checking in Snort-2.8.3.2
From: Todd Wease <twease () sourcefire com>
Date: Tue, 27 Jan 2009 09:22:41 -0500
Hi bahamin,

With the config you provided, I am able to get the following rules to alert:

alert tcp any any -> any any (sid:10001003; msg:"http-th"; content:"th"; nocase;)
alert tcp any any -> any any (sid:10001006; msg:"http-bin2"; content:"|20 61|"; nocase;)

With Joel's suggestion of adding "flow_depth 0" to the "http_inspect_server" configuration, in addition, I get these rules to alert:

alert tcp any any -> any any (sid:10001002; msg:"http-established"; flow:from_server, established; content:"web";)
alert tcp any any -> any any (sid:10001004; msg:"http-the"; content:"the"; nocase;)
alert tcp any any -> any any (sid:10001005; msg:"http-bin"; content: "|20 61 6e 64 20 64 69 72|"; nocase;)

Please read README.http_inspect for an explanation of the "flow_depth" option.

The following rule doesn't alert because there is no ICMP traffic in the pcap:

alert icmp any any -> any any (sid:10001007; msg:"icmp-cont-test"; content:"abcdefgh";)

Now for the more complicated case:

alert tcp any any -> any any (sid:10001001; msg:"http-only-stream"; content:"directed to the website";)

First of all, Snort, by default, does not do reassembly of server traffic. See README.stream5 for reassembly options. At any rate, even with doing server side reassembly, this alert will not fire. Note that stream5 is a post-ack model, which means it doesn't do reassembly until it gets an ACK from the other side of the conversation and only reassembles data that has been ACKed, i.e. data it is sure the other side has received and accepted.

This content is split up between packets 74 and 75. After receiving packet 75, Snort will have queued packets 73, 74 and 75 for reassembly. Packet 76 is an ACK from the client which tells stream5 to reassemble whatever it has queued for the server. The problem is that the client only ACKs up through packet 74, so stream5 only reassembles packets 73 and 74. The client then ACKs packet 75, so stream5 sends that through.

Todd

bahamin takhtaei wrote:
Hi,

I attach a dumpFile.pcap to this email. I attach snort.conf and local.rules, too.

Thank you,
Bahamin

--- On Tue, 1/27/09, Leon Ward <seclists () rm-rf co uk> wrote:

From: Leon Ward <seclists () rm-rf co uk>
Subject: Re: [Snort-users] Content checking in Snort-2.8.3.2
To: b_takhtaei () yahoo com
Date: Tuesday, January 27, 2009, 3:35 AM

Run the test again, but at the same time have tcpdump sniffing the interface. A simple ...

tcpdump -ni <DEVICE> -s0 -w /tmp/filename.pcap

... will do the trick. Mail the pcap over, it will be easier to read that than make random guesses about what could be happening.

-Leon

On 27 Jan 2009, at 07:19, bahamin takhtaei wrote:

Hi Leon,

Thanks for your attention. I run Snort in inline mode using IP_QUEUE. I add these rules to iptables:

iptables -A INPUT -p tcp --dport 80 -j QUEUE
iptables -A OUTPUT -p tcp --sport 80 -j QUEUE

and it seems that the traffic arrives at Snort correctly. (Notice: I add an ICMP rule to local.rules:

alert icmp any any -> any any (sid:100010010; msg:"icmp-cont-test"; content:"abcdefgh";)

and check it by sending a ping request to the Snort machine: it's triggered, so I think my Snort has a problem with TCP traffic?!)

--- On Mon, 1/26/09, Leon Ward <seclists () rm-rf co uk> wrote:

From: Leon Ward <seclists () rm-rf co uk>
Subject: Re: [Snort-users] Content checking in Snort-2.8.3.2
To: b_takhtaei () yahoo com
Cc: "snort" <snort-users () lists sourceforge net>
Date: Monday, January 26, 2009, 4:25 AM

Hello

On 25 Jan 2009, at 14:25, bahamin takhtaei wrote:

Hi,

I install Snort-2.8.3.2 and check some content-rules, but Snort can't match any content with "content-length > 2"!

Snort can match more than that, so let's change the question slightly. What are you trying to match? Got a pcap?

-Leon

for example: I add these rules to local.rules:

1. alert tcp any any -> any any (sid:10001001; msg:"http-th"; content:"th"; nocase;)
2. alert tcp any any -> any any (sid:10001002; msg:"http-the"; content:"the"; nocase;)
3. alert tcp any any -> any any (sid:10001003; msg:"http-hex"; content: "|20 61 6e 64 20 64 69 72|"; nocase;)
4. alert tcp any any -> any any (sid:10001004; msg:"http-hex2"; content:"|20 61|"; nocase;)

-----------------------------------------------------------------------

then send HTTP traffic to the Snort machine that contains many "the" patterns, but only rule 1 and rule 4 are triggered. Why please?

Notice: my snort.conf is the sample config file that is on snort.org.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
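The post-ACK reassembly behaviour Todd describes above, as an added example that is not part of the thread and is not Snort's own code: a toy model of a stream5-style reassembler that queues server segments and only hands data to the matcher once the client has ACKed it. The packet numbers (73 to 76), sequence numbers and HTTP payloads are constructed to mirror the pcap discussed in the thread; the model is simplified (segments are flushed whole, never split at the ACK number) and the function names are the example's own.

```python
# Added example (not Snort code, not from the thread's authors): a toy model of
# post-ACK reassembly, showing why a content string that straddles two server
# segments is never seen in one buffer when the client's ACK lands between them.
# Packet numbers, sequence numbers and payloads are constructed to mirror the
# thread's pcap (packets 73-76).
from dataclasses import dataclass, field
from typing import List, Tuple, Dict


@dataclass
class Segment:
    pkt: int      # capture packet number (constructed)
    seq: int      # sequence number of the first payload byte
    data: bytes


@dataclass
class PostAckReassembler:
    """Simplified stream5-style reassembler for one direction of a flow.

    Segments are only queued on arrival.  When the peer ACKs, every queued
    segment that ends at or below the ACK number is flushed, in sequence
    order, as a single buffer for inspection; the rest stay queued.
    (Simplification: segments are flushed whole, never split at the ACK.)
    """
    queue: List[Segment] = field(default_factory=list)

    def queue_segment(self, seg: Segment) -> None:
        self.queue.append(seg)
        self.queue.sort(key=lambda s: s.seq)

    def on_ack(self, ack: int) -> Tuple[bytes, List[int]]:
        buf, flushed, keep = bytearray(), [], []
        for seg in self.queue:
            if seg.seq + len(seg.data) <= ack:
                buf += seg.data
                flushed.append(seg.pkt)
            else:
                keep.append(seg)
        self.queue = keep
        return bytes(buf), flushed


def build_segments(first_pkt: int, start_seq: int, payloads: List[bytes]) -> List[Segment]:
    """Number consecutive server segments and give them contiguous sequence numbers."""
    segs, seq = [], start_seq
    for i, payload in enumerate(payloads):
        segs.append(Segment(first_pkt + i, seq, payload))
        seq += len(payload)
    return segs


# Constructed server response, split so that "directed to the website"
# straddles packets 74 and 75 like the one discussed in the thread.
PAYLOADS = [
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",   # packet 73
    b"<body>You will be directed ",                                # packet 74
    b"to the website shortly.</body></html>",                      # packet 75
]
PATTERN = b"directed to the website"   # content: of sid 10001001 in the thread


def simulate(segments: List[Segment], acks: List[Tuple[int, int]],
             pattern: bytes) -> List[Dict]:
    """Feed segments in capture order; `acks` lists constructed client ACKs as
    (arrives after this server packet, ACK number).  Returns one record per
    flush: which packets were reassembled together and whether the pattern
    was found in that buffer."""
    r = PostAckReassembler()
    results = []
    for seg in segments:
        r.queue_segment(seg)
        for after_pkt, ack in acks:
            if after_pkt == seg.pkt:
                buf, pkts = r.on_ack(ack)
                results.append({"pkts": pkts, "match": pattern in buf})
    return results


def thread_scenario() -> List[Dict]:
    """The pcap from the thread: packet 76 ACKs only through packet 74, and a
    later ACK covers packet 75, so the two halves are inspected separately."""
    segs = build_segments(73, 1000, PAYLOADS)
    end = {s.pkt: s.seq + len(s.data) for s in segs}
    return simulate(segs, [(75, end[74]), (75, end[75])], PATTERN)


def single_ack_scenario() -> List[Dict]:
    """Same segments, but one ACK covering all three: the halves are joined."""
    segs = build_segments(73, 1000, PAYLOADS)
    end = segs[-1].seq + len(segs[-1].data)
    return simulate(segs, [(75, end)], PATTERN)


def packet_level_match(segments: List[Segment], pattern: bytes) -> List[int]:
    """Packets whose own payload contains the pattern, i.e. what a rule can hit
    with no reassembly at all (why short contents like "th" still alert)."""
    return [s.pkt for s in segments if pattern in s.data]


if __name__ == "__main__":
    segs = build_segments(73, 1000, PAYLOADS)
    print("thread pcap   :", thread_scenario())
    print("single ACK    :", single_ack_scenario())
    print("per-packet th :", packet_level_match(segs, b"th"))
```

Run stand-alone, the thread scenario reports two flushes, packets 73+74 and then 75 alone, neither containing the full string, while the single-ACK scenario joins all three and matches; the per-packet check shows why a two-byte content such as "th" alerts regardless of reassembly. The practical lesson for anyone writing or testing rules is the one Todd's message makes: a long content that can straddle a segment boundary is only as reliable as the ACK pattern of the session it is tested against, so test such rules with realistic captures rather than a single hand-built packet.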
Current thread:
- Content checking in Snort-2.8.3.2 bahamin takhtaei (Jan 25)
- Re: Content checking in Snort-2.8.3.2 Leon Ward (Jan 26)
- Re: Content checking in Snort-2.8.3.2 bahamin takhtaei (Jan 26)
- Re: Content checking in Snort-2.8.3.2 Joel Esler (Jan 27)
- Re: Content checking in Snort-2.8.3.2 bahamin takhtaei (Jan 27)
- Re: Content checking in Snort-2.8.3.2 Matt Watchinski (Jan 27)
- Re: Content checking in Snort-2.8.3.2 bahamin takhtaei (Jan 26)
- Re: Content checking in Snort-2.8.3.2 Leon Ward (Jan 26)
- <Possible follow-ups>
- Re: Content checking in Snort-2.8.3.2 bahamin takhtaei (Jan 27)
- Re: Content checking in Snort-2.8.3.2 Todd Wease (Jan 27)
- Re: Content checking in Snort-2.8.3.2 bahamin takhtaei (Jan 28)
- Re: Content checking in Snort-2.8.3.2 Todd Wease (Jan 28)
- Re: Content checking in Snort-2.8.3.2 Todd Wease (Jan 27)