Snort mailing list archives
Re: Bug report - no content match on http_inspect port
From: elof () sentor se
Date: Fri, 4 Mar 2011 17:47:01 +0100 (CET)
Joel,

Why do you keep stating the obvious and ignoring the issue?

Yes, 3128 is a proxy port.
Yes, traffic that I have configured to be inspected by http_inspect is treated as HTTP.

My bug report is that the normalisation of the packet might destroy it, or something else fails, because apparently a pattern match doesn't work.

Are you saying I can't simply look for the pattern "foo: bar" in any packet or stream if the port/stream is handled by http_inspect?

/Elof

On Fri, 4 Mar 2011, Joel Esler wrote:

> Traffic that is going to one of the ports that is in the http_inspect preprocessor's configuration is treated as HTTP, yes.
>
> Joel
>
> On Mar 4, 2011, at 10:25 AM, elof () sentor se wrote:
>
>> Yes. But that doesn't really answer any question or fix the problem, does it?
>>
>> Are you saying that snort can no longer do simple pattern matching on all traffic that is handled by http_inspect?
>>
>> If I wanted to, I should be able to alert on the pattern "login: root" with a rule WITHOUT any given ports ('alert tcp any any -> any any (...)'), and snort should be acting sort of like 'ngrep'. But for traffic on ports 80, 3128 and 8080 snort wouldn't generate any event. This is a bug to me.
>>
>> /Elof
>>
>> On Fri, 4 Mar 2011, Joel Esler wrote:
>>
>>> You should only put ports in the http_inspect config that you are running http services on, on your network. 3128 is a common proxy port, so it's included by default.
>>>
>>> Joel
>>>
>>> On Mar 4, 2011, at 9:57 AM, elof () sentor se wrote:
>>>
>>>> Snort doesn't trigger alerts on traffic if that port is included in the http_inspect ports.
>>>>
>>>> Example:
>>>>
>>>> A basic rule:
>>>>
>>>> alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established; content:"login|3A| root"; sid:1234; rev:1;)
>>>>
>>>> If the snort.conf contains this http_inspect configuration, sid:1234 will never trigger even if a packet is seen containing "login: root" from port 3128. Bug!
>>>>
>>>> preprocessor http_inspect_server: server default profile all ports { 80 3128 8080 } oversize_dir_length 500 no_alerts
>>>>
>>>> If I remove port 3128 from the configuration and try again, I get an alert.
>>>>
>>>> preprocessor http_inspect_server: server default profile all ports { 80 8080 } oversize_dir_length 500 no_alerts
>>>>
>>>> I tested it using this simple setup:
>>>>
>>>> Server: echo "login: root" | nc -l 3128
>>>> Client: nc serverip 3128
>>>>
>>>> When the client connects, I get a logged event using the second config.
>>>> When the client connects, I don't get any event using the first config.
>>>>
>>>> This is reproducible.
>>>>
>>>> Could it be that http_inspect tries to normalise the string "login: root" and by doing so breaks it, so that there are no matches?
>>>>
>>>> /Elof
>>>>
>>>> _______________________________________________
>>>> Snort-devel mailing list
>>>> Snort-devel () lists sourceforge net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>
>>> --
>>> Joel Esler
>>> jesler () sourcefire.com
>>> http://blog.snort.org && http://blog.clamav.net
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
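Added example, not part of the thread and not Snort's own code: a small audit script that reads the `http_inspect_server ... ports { ... }` list from a snort.conf fragment and reports which rules with a plain `content:` match have header ports inside that list, the situation elof describes (sid:1234 on port 3128). Rules with `any any -> any any` headers are reported against every http_inspect port, matching elof's `ngrep`-style case. The config and rule lines are constructed from the thread; the extra rules (sid 1235, 1236) and the handling of negated port specs (treated as unbounded) are assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample input modelled on the thread: the two http_inspect
# configurations elof tested, and the rule that stopped matching (sid:1234).
SNORT_CONF_WITH_3128 = """
preprocessor http_inspect_server: server default profile all ports { 80 3128 8080 } oversize_dir_length 500 no_alerts
"""
SNORT_CONF_WITHOUT_3128 = """
preprocessor http_inspect_server: server default profile all ports { 80 8080 } oversize_dir_length 500 no_alerts
"""
# sid:1235 and sid:1236 are constructed for this example (not from the thread).
RULES = """
alert tcp any 3128 -> any any (msg:"foo"; flow:from_server,established; content:"login|3A| root"; sid:1234; rev:1;)
alert tcp any any -> any 22 (msg:"ssh banner"; content:"SSH-"; sid:1235; rev:1;)
alert tcp any any -> any any (msg:"bare"; content:"login|3A| root"; sid:1236; rev:1;)
"""

PORTS_RE = re.compile(r"^\s*preprocessor\s+http_inspect_server:.*?\bports\s*\{([^}]*)\}", re.M)
RULE_RE = re.compile(
    r"^\s*(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$",
    re.M,
)


def http_inspect_ports(conf: str) -> Set[int]:
    """Collect every port listed in an http_inspect_server 'ports { ... }' block."""
    ports: Set[int] = set()
    for m in PORTS_RE.finditer(conf):
        ports.update(int(p) for p in m.group(1).split())
    return ports


def expand_port_spec(spec: str) -> Optional[Set[int]]:
    """Expand a rule-header port spec ('3128', '[80,8080]', '1000:1010') into a set.

    Returns None for 'any' and for negated specs ('!3128'), which this example
    treats as unbounded (assumption: no attempt to enumerate the complement).
    """
    if spec == "any" or spec.startswith("!"):
        return None
    ports: Set[int] = set()
    for part in spec.strip("[]").split(","):
        if ":" in part:
            lo, hi = part.split(":")
            ports.update(range(int(lo or 0), int(hi or 65535) + 1))
        else:
            ports.add(int(part))
    return ports


def audit(conf: str, rules: str) -> Dict[str, List[int]]:
    """Return {sid: [ports]} for content-matching rules whose header ports
    fall inside http_inspect's port list, i.e. rules whose plain content
    match is subject to the behaviour reported in the thread."""
    inspected = http_inspect_ports(conf)
    findings: Dict[str, List[int]] = {}
    for m in RULE_RE.finditer(rules):
        src_port, dst_port, options = m.group(4), m.group(7), m.group(8)
        if "content:" not in options:
            continue
        sid_m = re.search(r"\bsid\s*:\s*(\d+)", options)
        sid = sid_m.group(1) if sid_m else "?"
        specs = [expand_port_spec(s) for s in (src_port, dst_port)]
        if all(s is None for s in specs):
            # 'any any -> any any': every http_inspect port is in scope
            overlap = set(inspected)
        else:
            overlap = set()
            for s in specs:
                if s is not None:
                    overlap |= s & inspected
        if overlap:
            findings[sid] = sorted(overlap)
    return findings


if __name__ == "__main__":
    for label, conf in (("with 3128", SNORT_CONF_WITH_3128), ("without 3128", SNORT_CONF_WITHOUT_3128)):
        print(label, audit(conf, RULES))
```

Run against the two configurations from the thread, sid:1234 is reported only while 3128 is in the http_inspect port list, which is exactly the difference elof observed between the two test runs; the script only identifies affected rules and does not alter them.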
Current thread:
- Bug report - no content match on http_inspect port elof (Mar 04)
- Re: Bug report - no content match on http_inspect port Joel Esler (Mar 04)
- Re: Bug report - no content match on http_inspect port elof (Mar 04)
- Re: Bug report - no content match on http_inspect port Joel Esler (Mar 04)
- Re: Bug report - no content match on http_inspect port elof (Mar 04)
- Re: Bug report - no content match on http_inspect port Ryan Jordan (Mar 04)
- Re: Bug report - no content match on http_inspect port elof (Mar 07)
- Re: Bug report - no content match on http_inspect port elof (Mar 04)
- Re: Bug report - no content match on http_inspect port Joel Esler (Mar 04)