Snort mailing list archives
Re: Content rule matches on PCAP but does not match when snort listens
From: George Yunaev <gyunaev () ulduzsoft com>
Date: Wed, 13 Jan 2010 12:17:54 -0800
Hi Matt,

Thank you for the suggestion. I just tried it, but unfortunately adding -k none and removing flow_depth 0 (but keeping server_flow_depth 0) did not change the described behavior in any way. As before, wget kchmviewer.net/snort/testfile.ok detects the file when it goes through the gateway, and wget kchmviewer.net/snort/testfile.bad does not.
Shot in the dark: Try running your snort live with -k none. This shuts off the checking for checksum errors and clears up a lot of magic. Also remove flow_depth from your config, it is the same as server_flow_depth. flow_depth is being deprecated. Give these a shot and let us know how it goes.

Matt

On Wed, Jan 13, 2010 at 4:14 AM, George Yunaev <gyunaev () ulduzsoft com> wrote:

Hi all,

I'm exploring Snort content filtering capabilities for HTML exploit detection. I know it is not a full-blown solution (and I found and read this post: http://seclists.org/snort/2006/q1/18), but so far I cannot even understand why my simple example does not work.

I am using Snort version 2.8.5.2 (Build 121) which I compiled myself from sources on openSuse 11.2. Non-inline mode. I have created the following Snort configuration which includes a rule:

    dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
    preprocessor frag3_global: max_frags 65536
    preprocessor frag3_engine: policy first detect_anomalies overlap_limit 10
    preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
        track_udp no
    preprocessor stream5_tcp: policy linux, ports both all, \
        max_queued_bytes 0, max_queued_segs 0
    preprocessor http_inspect: global iis_unicode_map ./unicode.map 1252
    preprocessor http_inspect_server: server default profile all \
        ports { 80 8080 8180 } oversize_dir_length 500 server_flow_depth 0 \
        client_flow_depth 0 flow_depth 0

    alert tcp any any -> any any (msg: "exploit"; flow:established; content: "CreateStore"; sid: 1000000; )

To test this rule, I started Snort using the following command line:

    snort -A console -d -i eth1 -c snort.conf -l logs/

It starts fine, and when I try to download the test file "testfile.ok" via HTTP from Apache using wget, Snort correctly detects the text string, and generates an alert.

Now the problems:

1. If I copy the file into "testfile.bad", add a few lines to it (keeping the original content intact), and try to download this file the same way as above, Snort does not detect the text string.

2. If I shut down Snort, record the file packets via "tcpdump -ni eth1 -s0 -w test.pcap", download testfile.bad, shut down tcpdump and then replay the recorded packets via

    snort -A console -d -c snort.conf -l logs/ -r /tmp/filename.pcap

it detects the string just fine!

This behavior looks like magic to me, however since Snort matches the same content with the recorded PCAP, I believe the problem lies in the PCAP configuration, and not in the content or Snort detection. Could someone please point me to some options in the documentation I might have missed?

I uploaded both text files as well as the PCAP capture to http://kchmviewer.net/snort/ - please let me know if any further information is needed.

-- 
With best regards,
George.
http://www.kchmviewer.net - the first CHM files viewer for Qt/KDE.

------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
With best regards,
George.
http://www.kchmviewer.net - the first CHM files viewer for Qt/KDE.
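Matt's -k none suggestion rests on the fact that Snort verifies IP and TCP checksums by default and does not inspect packets that fail the check. Whether a live capture actually carries bad checksums (typical when capturing on a host whose NIC does checksum offload, and a common reason a rule fires on a replayed pcap but not live) can be checked directly in the recorded pcap without Snort. The script below is an added example, not code from this thread or from the Snort project: it parses a classic libpcap file with the standard library only, recomputes the IPv4 header and TCP checksums of each Ethernet/IPv4/TCP frame, and reports which are wrong. The sample capture it audits is constructed inline (hypothetical 192.168.1.x addresses and a made-up HTTP response containing the "CreateStore" string), with one frame written as it would appear on the wire and one with both checksums deliberately wrong.

```python
# Added example (not from the thread): audit IPv4/TCP checksums in a classic pcap
# with the standard library only, the check behind Matt's -k none suggestion.
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum of data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) for a header whose checksum field is zero."""
    return (~ones_complement_sum(data)) & 0xFFFF


def verify_ipv4_tcp(frame: bytes) -> dict:
    """Verdict on the IPv4 header and TCP checksums of an Ethernet/IPv4/TCP frame.
    A header with a correct stored checksum sums to 0xFFFF when the field is included."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an untagged IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))  # src, dst, 0, proto, len
    return {
        "ip_ok": ones_complement_sum(ip[:ihl]) == 0xFFFF,
        "tcp_ok": ones_complement_sum(pseudo + tcp) == 0xFFFF,
    }


def iter_pcap_frames(blob: bytes):
    """Yield link-layer frames from a classic libpcap (not pcapng) capture."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", blob[20:24])[0] != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    off = 24
    while off + 16 <= len(blob):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        yield blob[off:off + incl_len]
        off += incl_len


def audit_pcap(blob: bytes) -> list:
    """Checksum verdicts for every frame in the capture, in file order."""
    return [verify_ipv4_tcp(f) for f in iter_pcap_frames(blob)]


# --- constructed sample input (hypothetical addresses, not from the thread) ---
def build_tcp_frame(payload: bytes, good_checksums: bool = True) -> bytes:
    """Ethernet/IPv4/TCP frame. With good_checksums=False both checksums are
    deliberately off by one, i.e. wrong, as a NIC-offload capture would show."""
    src, dst = b"\xc0\xa8\x01\x0a", b"\xc0\xa8\x01\x14"  # 192.168.1.10 -> 192.168.1.20
    tcp = struct.pack("!HHIIBBHHH", 80, 34567, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    tcp_csum = checksum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip_csum = checksum(ip)
    if not good_checksums:
        tcp_csum, ip_csum = (tcp_csum + 1) & 0xFFFF, (ip_csum + 1) & 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = ip[:10] + struct.pack("!H", ip_csum) + ip[12:]
    return bytes.fromhex("00112233445566778899aabb0800") + ip + tcp


def build_pcap(frames) -> bytes:
    """Minimal little-endian classic pcap (v2.4, Ethernet) wrapping the frames."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1263406474 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


PAYLOAD = b"HTTP/1.1 200 OK\r\n\r\n<script>var s = CreateStore();</script>\r\n"
GOOD_FRAME = build_tcp_frame(PAYLOAD, good_checksums=True)   # as recorded off the wire
BAD_FRAME = build_tcp_frame(PAYLOAD, good_checksums=False)   # as an offload capture looks
SAMPLE_PCAP = build_pcap([GOOD_FRAME, BAD_FRAME])

if __name__ == "__main__":
    for n, verdict in enumerate(audit_pcap(SAMPLE_PCAP), 1):
        print("frame %d: %s" % (n, verdict))
```

To run it against a real capture such as the test.pcap recorded with tcpdump above, read the file into a bytes object and pass it to audit_pcap(); any frame reported with tcp_ok False would be skipped by Snort's default checksum verification, which is the case -k none is meant to rule out. The parser handles only classic pcap on Ethernet and untagged IPv4/TCP; anything else raises rather than returning a misleading verdict.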
Current thread:
- Content rule matches on PCAP but does not match when snort listens George Yunaev (Jan 13)
- Re: Content rule matches on PCAP but does not match when snort listens Matt Olney (Jan 13)
- Re: Content rule matches on PCAP but does not match when snort listens George Yunaev (Jan 13)
- Re: Content rule matches on PCAP but does not match when snort listens George Yunaev (Jan 13)
- Re: Content rule matches on PCAP but does not match when snort listens George Yunaev (Jan 13)
- Re: Content rule matches on PCAP but does not match when snort listens Matt Olney (Jan 13)