Re: Content rule matches on PCAP but does not match when snort listens

[Matt Olney <molney () sourcefire com>]

Shot in the dark:  Try running your snort live with -k none.  This shuts off
the checking for checksum errors and clears up a lot of magic.  Also remove
flow_depth from your config, it is the same as server_flow_depth.
 flow_depth is being deprecated.

Give these a shot and let us know how it goes.

Matt

On Wed, Jan 13, 2010 at 4:14 AM, George Yunaev <gyunaev () ulduzsoft com>wrote:

> Hi all,
>
> I'm exploring Snort content filtering capabilities for HTML exploit
> detection.
> I know it is not a full-blown solution (and I found and read this post:
> http://seclists.org/snort/2006/q1/18), but so far I cannot even understand
> why
> my simple example does not work.
>
> I am using Snort version 2.8.5.2 (Build 121) which I compiled myself from
> sources on openSuse 11.2. Non-inline mode.
>
> I have created the following Snort configuration which includes a rule:
>
> dynamicpreprocessor directory
> /usr/local/snort/lib/snort_dynamicpreprocessor/
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy first detect_anomalies overlap_limit 10
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>                              track_udp no
> preprocessor stream5_tcp: policy linux, ports both all, \
>                      max_queued_bytes 0, max_queued_segs 0
>
> preprocessor http_inspect: global iis_unicode_map ./unicode.map 1252
> preprocessor http_inspect_server: server default profile all \
>      ports { 80 8080 8180 } oversize_dir_length 500 server_flow_depth 0 \
>     client_flow_depth 0 flow_depth 0
>
> alert tcp any any -> any any (msg: "exploit"; flow:established; content:
> "CreateStore"; sid: 1000000; )
>
> To test this rule, I started Snort using the following command line:
>
> snort -A console -d -i eth1 -c snort.conf -l logs/
>
> It starts fine, and when I try to download the test file "testfile.ok" via
> HTTP from Apache using wget, Snort correctly detects the text string, and
> generates an alert.
>
> Now the problems:
>
> 1. If I copy the file into "testfile.bad" add a few lines to it (keeping
> the
> original content intact), and try to download this file same way as above,
> Snort does not detect the text string.
>
> 2. If I shut down Snort, record the file packets via "tcpdump -ni eth1 -s0
> -w
> test.pcap", download testfile.bad, shut down tcpdump and then replay the
> recorded packets via snort -A console -d -c snort.conf -l logs/ -r
> /tmp/filename.pcap, it detects the string just fine!
>
> This behavior looks like magic to me, however since Snort matches the same
> content with recorded PCAP, I believe the problem lies in PCAP
> configuration,
> and not in content or Snort detection. Could someone please point me out to
> some options in the documentation I might miss?
>
> I uploaded both text files as well as PCAP capture to
> http://kchmviewer.net/snort/ - please let me know if any futher
> information is
> needed.
>
> --
> With best regards, George.
> http://www.kchmviewer.net - the first CHM files viewer for Qt/KDE.
>
>
> ------------------------------------------------------------------------------
> This SF.Net email is sponsored by the Verizon Developer Community
> Take advantage of Verizon's best-in-class app development support
> A streamlined, 14 day to market process makes app distribution fast and
> easy
> Join now and get one step closer to millions of Verizon customers
> http://p.sf.net/sfu/verizon-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users