Snort mailing list archives

rules are not matched across the packet


From: mahendra kumawat <mahendra.u27 () gmail com>
Date: Sat, 4 Jun 2011 14:49:22 +0530

Hi,

I came across an issue today where Snort doesn't appear to match content
across packets, and since the feature is very basic to an IDS, I wanted to
raise a red flag and seek your help.

The issue is as follows:

1.  Vulnerability
http://www.securityfocus.com/bid/47826

2. Exploit
http://downloads.securityfocus.com/vulnerabilities/exploits/47826.txt


There are two exploits; let's take only the first in this case. It's a form-based
cross-site scripting attempt using HTTP POST. I wrote a signature for this:


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"Argyle Social Cross Site Scripting attempt"; flow:established,to_server; \
    content:"stream_filter_rule"; http_client_body; reference:bugtraq,47826; \
    classtype:web-application-attack; sid:50000027; rev:1;)

I attached a pcap for testing, "47826f.pcap". Please look at packets no. 4 and 5,
across which the exploit content is split. When I was running Snort on this
pcap, no alert was generated.


But when I removed the "http_client_body" keyword from the rule, I got an alert. So
I think when I use "http_client_body" there is some problem with across-packet
matching.

I also tried after changing to content:"script";, but when I used the
"http_client_body" keyword after content, I did not get any alert. When
I removed "http_client_body", I got an alert. It shows the same problem.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"NIKSUN-WEB-CLIENT Cross Site Scripting attempt"; flow:established,to_server; \
    content:"script"; http_client_body; reference:bugtraq,47826; \
    classtype:web-application-attack; sid:50000027; rev:1;)


I have the configuration below in snort.conf for http_inspect.

# http_inspect: normalize and detect HTTP traffic and protocol anomalies

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 flow_depth 0 \
    post_depth 65495

Snort version:


 -*> Snort! <*-
  o"  )~   Version 2.8.6.1 (Build 39)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.4 2007-09-21


So please advise me: what is wrong with my Snort? Why is this happening?
How can I resolve this problem?

Please communicate with me at the same id (mahendrau.27 () gmail com).



Thanks
Mahendra

Attachment: 47826f.pcap
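For a reader who wants to see the split-body case without the pcap, here is an added Python model (not code from the post or from Snort) of per-packet versus reassembled-stream matching. The HTTP request, the position of the split and the sequence numbers are constructed.

```python
# Added example (not from the post or Snort): why a content match over an HTTP
# POST body fails when the body straddles two TCP segments. Per-packet matching
# misses the pattern; matching over the reassembled client body finds it.
from typing import List, Tuple

Segment = Tuple[int, bytes]  # (TCP sequence number, payload)

PATTERN = b"stream_filter_rule"  # the content from the rule in the post

# Constructed sample: the body starts at the end of segment 1 and continues
# in segment 2, splitting the pattern across the segment boundary.
FIRST = (b"POST /index.php HTTP/1.1\r\n"
         b"Host: example.invalid\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 52\r\n\r\n"
         b"stream_fil")
SECOND = b"ter_rule=%3Cscript%3Ealert(1)%3C/script%3E"
SEGMENTS: List[Segment] = [(1000, FIRST), (1000 + len(FIRST), SECOND)]


def match_per_packet(segments: List[Segment], pattern: bytes) -> List[int]:
    """Sequence numbers of segments that contain the pattern on their own."""
    return [seq for seq, payload in segments if pattern in payload]


def reassemble(segments: List[Segment]) -> bytes:
    """Rebuild the client-to-server byte stream in sequence order.
    Out-of-order arrival is tolerated and overlaps are dropped; a gap
    raises, since matching a stream with missing bytes would silently
    produce a false negative."""
    buf = bytearray()
    base = min(seq for seq, _ in segments)
    for seq, payload in sorted(segments):
        offset = seq - base
        if offset > len(buf):
            raise ValueError("gap in stream at seq %d" % seq)
        buf.extend(payload[len(buf) - offset:])
    return bytes(buf)


def client_body(stream: bytes) -> bytes:
    """The HTTP request body: everything after the header terminator."""
    _, sep, body = stream.partition(b"\r\n\r\n")
    return body if sep else b""


def match_client_body(segments: List[Segment], pattern: bytes) -> bool:
    """Match against the reassembled body, i.e. the http_client_body view."""
    return pattern in client_body(reassemble(segments))
```

Running match_per_packet(SEGMENTS, PATTERN) returns an empty list while match_client_body(SEGMENTS, PATTERN) returns True, which is the difference between inspecting each packet alone and inspecting the reassembled POST body.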
