Snort mailing list archives
Re: http rule is not always triggering
From: "Sven Wurth" <swurth () astaro com>
Date: Wed, 17 Feb 2010 23:53:56 -0800
Hi JCC, @first thanks for your reply More details are no problem, due my variables (all are set to ANY) you can read the rule like this: drop any any -> any 80 (msg:"foobar"; flow:established,to_server; uricontent:"insert"; nocase; pcre:"/insert[^\n]*into/Ui"; metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:666666;) and 99% of my request to google gets dropped, this is working. The problem is that not 100% gets dropped. My Environment looks like this: $XP=Windows XP machine with IE6 which request the google search 'insert into' $SNORTINLINES=Snort 2.8.5.2, inline mode, 2 interfaces, masquerade, all traffic goes to the iptables queue target $SNORT2=Snort 2.8.5.2, pcap mode, 2 interfaces, masquerade $XP -> $SNORTINLINE -> $SNORT2 -> Internet I tcpdump all the traffic on $SNORT2 sensor. Now I do some google searches for "insert into" on $XP, at the moment that google shows me the results the attack came through! And not only on $SNORTINLINE, this attack also passes the $SNORT2 sensor. How can I say that? Because I dumped all the traffic on $SNORT2 and if I start on $SNORTINLINE or $SNORT2 snort with '--pcap-single -A cmg' I see the alerts for the missed attack's! Best Sven From: jcummings () sourcefire com [mailto:jcummings () sourcefire com] On Behalf Of JJ Cummings Sent: Tuesday, February 16, 2010 5:28 PM To: Sven Wurth Cc: snort-sigs () lists sourceforge net Subject: Re: [Snort-sigs] http rule is not always triggering If you look at this rule and read it "specifically it's directionality" you will note that it is intended to detect / prevent the string in question against your servers (HTTP_SERVERS) so unless you have all of the google.com servers defined as your var HTTP_SERVERS you will see the behavior that you are noting. Note also the use of HTTP_PORTS, as such (assuming you have defined your EXTERNAL_NET and HOME_NET or HTTP_SERVERS) you would have to make a request out from the client on one of the defined HTTP_PORTS, this way snort would catch the reply from google on the monitored ports list.... make sense? Beyond that, there are a number of reasons that you may be missing event generating packets.. from dropped packets to asymmetric routing and beyond.. The short of it is that more info would be useful, but it appears that what you are trying to simulate to generate this event will not reliably do so. JJC On Tue, Feb 16, 2010 at 2:56 AM, Sven Wurth <swurth () astaro com> wrote: Hi Snort-Sigs, I saw a strange problem with a http rule, which is not triggering always. If I take a rule like this: drop $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"foobar"; flow:established,to_server; uricontent:"insert"; nocase; pcre:"/insert[^\n]*into/Ui"; metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:666666;) go to google.com and search for "insert into", an alert will logged and the packet gets dropped. The search takes a really long time and normally I get an timeout, but sometimes retransmitted packets came through snort and google shows up the search results. That's a failure, these packets should never pass snort. I done a tcpdump on the outer snort interface, if I let snort read these pcaps the attack will be recognized. But why not in always in the inline mode? (snort 2.8.5.2 in inline mode) Please help me, I have no idea how to debug this... Best Sven ------------------------------------------------------------------------------ SOLARIS 10 is the OS for Data Centers - provides features such as DTrace, Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW http://p.sf.net/sfu/solaris-dev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs ------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- SO rules vs regular rules Mike Cox (Jan 14)
- Re: SO rules vs regular rules Mike Cox (Feb 01)
- Re: SO rules vs regular rules Joel Esler (Feb 01)
- Re: SO rules vs regular rules Brian Caswell (Feb 01)
- Re: SO rules vs regular rules Patrick Mullen (Feb 03)
- Re: SO rules vs regular rules Mike Cox (Feb 03)
- http rule is not always triggering Sven Wurth (Feb 16)
- Re: http rule is not always triggering JJ Cummings (Feb 16)
- Re: http rule is not always triggering Sven Wurth (Feb 17)
- Re: SO rules vs regular rules Patrick Mullen (Feb 03)
- Re: SO rules vs regular rules Mike Cox (Feb 01)