Snort mailing list archives
rules are not matched across the packet
From: mahendra kumawat <mahendra.u27 () gmail com>
Date: Sat, 4 Jun 2011 14:49:22 +0530
Hi, I came across an issue today where Snort doesn't appear to match content across packets, and since the feature is very basic to an IDS, I wanted to raise a red flag and seek your help. The issue is as follows:

1. Vulnerability: http://www.securityfocus.com/bid/47826
2. Exploit: http://downloads.securityfocus.com/vulnerabilities/exploits/47826.txt

There are two exploits; let's take only the first in this case. It's a form-based cross-site scripting attempt using HTTP POST. I wrote a signature for this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Argyle Social Cross Site Scripting attempt"; flow:established,to_server; content:"stream_filter_rule"; http_client_body; reference:bugtraq,47826; classtype:web-application-attack; sid:50000027; rev:1;)

I attached a pcap for testing, "47826f.pcap". Please look at packets no. 4 and 5, across which the exploit content is split. When I was running Snort on this pcap, no alert was generated. But when I removed the "http_client_body" keyword from the rule, I got an alert. So I think that when I use "http_client_body" there is some problem with across-packet matching.

I also tried after changing to content:"script";, but when I used the "http_client_body" keyword after content, I did not get any alert. When I removed "http_client_body", I got an alert. It is showing the same problem.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NIKSUN-WEB-CLIENT Cross Site Scripting attempt"; flow:established,to_server; content:"script"; http_client_body; reference:bugtraq,47826; classtype:web-application-attack; sid:50000027; rev:1;)

I have the below configuration in snort.conf for http_inspect:

# http_inspect: normalize and detect HTTP traffic and protocol anomalies
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 flow_depth 0 post_depth 65495

Snort version:

-*> Snort! <*-
Version 2.8.6.1 (Build 39)
By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2010 Sourcefire, Inc., et al.
Using PCRE version: 7.4 2007-09-21

So please advise me: what is wrong with my Snort? Why is this happening? How can I resolve this problem?

Please communicate with me on the same id (mahendrau.27 () gmail com).

Thanks
Mahendra
Attachment: 47826f.pcap
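To make the behaviour discussed in the post concrete, here is an added example (not from the original post, the Snort project or its http_inspect code): it reassembles a POST request whose body is split across two TCP segments, extracts the client body the way a body-only buffer would (headers excluded, at most Content-Length bytes, truncated at a post_depth), and shows that a per-packet search misses a keyword straddling the split while a search over the reassembled body finds it. The HTTP request, sequence numbers and split point are constructed sample data, not the contents of 47826f.pcap.

```python
# Constructed sample request; the body is cut in the middle of the keyword
# "stream_filter_rule" so that neither TCP segment contains it on its own.
REQUEST = (b"POST /filter HTTP/1.1\r\nHost: example.test\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: 61\r\n\r\n"
           b"name=a&stream_filter_rule=%3Cscript%3Ealert(1)%3C%2Fscript%3E")
ISN = 1000                                           # assumed initial seq
CUT = REQUEST.index(b"stream_filter_rule") + 10      # "stream_fil" | "ter_rule"
SEGMENTS = [(ISN, REQUEST[:CUT]), (ISN + CUT, REQUEST[CUT:])]   # (seq, payload)


def reassemble(segments):
    """Order segments by sequence number, drop retransmitted bytes, and
    refuse to return a stream with a hole in it (a missing segment must not be
    inspected as if the stream were complete)."""
    stream, expected = b"", None
    for seq, payload in sorted(segments):
        if expected is None:
            expected = seq
        if seq > expected:
            raise ValueError("gap in stream at seq %d" % expected)
        stream += payload[expected - seq:]          # skip already-seen bytes
        expected = max(expected, seq + len(payload))
    return stream


def client_body(stream, post_depth=65495):
    """Return only the request body: headers excluded, at most Content-Length
    bytes, then truncated at post_depth (the thread's snort.conf uses 65495)."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return b""
    length = None
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    body = rest if length is None else rest[:length]
    return body[:post_depth]


def match_per_packet(segments, pattern):
    """Naive inspection: does each segment payload alone contain pattern?"""
    return [pattern in payload for _, payload in segments]


def match_client_body(segments, pattern, post_depth=65495):
    """Stream-aware inspection: reassemble first, then search the body buffer."""
    return pattern in client_body(reassemble(segments), post_depth)
```

Running `match_per_packet(SEGMENTS, b"stream_filter_rule")` gives `[False, False]` while `match_client_body(SEGMENTS, b"stream_filter_rule")` gives `True`; lowering `post_depth` below the keyword's offset makes the body match fail as well, which is the knob to check when a body rule does not fire.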