Snort mailing list archives

Snort doesn't trigger while the payload size is big (even for ~4-5KB files)


From: Sujit Ghosal <thesujit () gmail com>
Date: Sun, 5 Dec 2010 12:23:08 +0530

Hi All,
    I had a similar type of issue some days back when detecting server-side/
client-side vulnerabilities, as Snort was not detecting even a single GET or
<html> pattern in any requests/responses respectively. Anyway, the problem
is somehow solved. It just suddenly started working (maybe, I think, my
firewall was blocking initially; I am not fully sure though).
    Now I have come across a very bizarre problem while writing a client-side
signature (let's say some PDF vulnerability signatures). If the PDF has a
small number of bytes (within 500-600 bytes, and the whole PDF is 600 bytes)
and the attack pattern comes within those 600 bytes, then Snort detects it
with my developed rule. But if I generate a malformed PDF file through MSF,
then the malformed objects are moved to > 600 and the pattern is present at
the end of the PDF file (at around the 20000th offset). In such cases Snort
is not detecting the attack. I checked the signature and everything is
perfect, as I haven't given any such offset limitations inside that rule.
    I had a look in snort.conf to see the http_preprocessor configs and
checked how far Snort processes the data length, and it is set to 0. So
I think it should work in any case.

Can anyone please guide me on what could be the issue and how I can resolve
this?

Best Regards,
Sujit