Snort mailing list archives

Re: http rule is not always triggering

From: "Sven Wurth" <swurth () astaro com>
Date: Wed, 17 Feb 2010 23:53:56 -0800

Hi JCC,

@first thanks for your reply

More details are no problem,
due my variables (all are set to ANY) you can read the rule like this:

drop any any -> any 80 (msg:"foobar";
flow:established,to_server; uricontent:"insert"; nocase;
pcre:"/insert[^\n]*into/Ui"; metadata:policy security-ips drop, service
http; classtype:web-application-attack; sid:666666;)

and  99% of my request to google gets dropped, this is working.
The problem is that not 100% gets dropped.

My Environment looks like this: 
$XP=Windows XP machine with IE6 which request the google search 'insert into' 
$SNORTINLINES=Snort 2.8.5.2, inline mode, 2 interfaces, masquerade, all traffic goes to the iptables queue target
$SNORT2=Snort 2.8.5.2, pcap mode, 2 interfaces, masquerade

$XP -> $SNORTINLINE -> $SNORT2 -> Internet

I tcpdump all the traffic on $SNORT2 sensor.

Now I do some google searches for "insert into" on $XP,
at the moment that google shows me the results the attack came through!
And not only on $SNORTINLINE, this attack also passes the $SNORT2 sensor.

How can I say that?
Because I dumped all the traffic on $SNORT2 and if I start on $SNORTINLINE or $SNORT2 snort with '--pcap-single -A cmg'
I see the alerts for the missed attack's!

Best Sven





From: jcummings () sourcefire com [mailto:jcummings () sourcefire com] On Behalf Of JJ Cummings
Sent: Tuesday, February 16, 2010 5:28 PM
To: Sven Wurth
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] http rule is not always triggering

If you look at this rule and read it "specifically it's directionality" you will note that it is intended to detect / 
prevent the string in question against your servers (HTTP_SERVERS) so unless you have all of the google.com servers 
defined as your var HTTP_SERVERS you will see the behavior that you are noting.  Note also the use of HTTP_PORTS, as 
such (assuming you have defined your EXTERNAL_NET and HOME_NET or HTTP_SERVERS) you would have to make a request out 
from the client on one of the defined HTTP_PORTS, this way snort would catch the reply from google on the monitored 
ports list.... make sense?

Beyond that, there are a number of reasons that you may be missing event generating packets.. from dropped packets to 
asymmetric routing and beyond.. The short of it is that more info would be useful, but it appears that what you are 
trying to simulate to generate this event will not reliably do so.

JJC
On Tue, Feb 16, 2010 at 2:56 AM, Sven Wurth <swurth () astaro com> wrote:
Hi Snort-Sigs,

I saw a strange problem with a http rule, which is not triggering
always.
If I take a rule like this:

drop $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"foobar";
flow:established,to_server; uricontent:"insert"; nocase;
pcre:"/insert[^\n]*into/Ui"; metadata:policy security-ips drop, service
http; classtype:web-application-attack; sid:666666;)

go to google.com and search for "insert into", an alert will logged and
the packet gets dropped.
The search takes a really long time and normally I get an timeout, but
sometimes retransmitted packets came through snort and google shows up
the search results.
That's a failure, these packets should never pass snort.

I done a tcpdump on the outer snort interface, if I let snort read these
pcaps the attack will be recognized. But why not in always in the inline
mode?

(snort 2.8.5.2 in inline mode)

Please help me, I have no idea how to debug this...

Best
Sven







------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
http://p.sf.net/sfu/solaris-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




------------------------------------------------------------------------------
Download Intel&reg; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs 
proactively, and fine-tune applications for parallel performance. 
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Current thread:

SO rules vs regular rules Mike Cox (Jan 14)
- Re: SO rules vs regular rules Mike Cox (Feb 01)
  - Re: SO rules vs regular rules Joel Esler (Feb 01)
- Re: SO rules vs regular rules Brian Caswell (Feb 01)
  - Re: SO rules vs regular rules Patrick Mullen (Feb 03)
    - Re: SO rules vs regular rules Mike Cox (Feb 03)
  - http rule is not always triggering Sven Wurth (Feb 16)
    - Re: http rule is not always triggering JJ Cummings (Feb 16)
    - Re: http rule is not always triggering Sven Wurth (Feb 17)