Re: rules are not matched across the packet

[Bhagya Bantwal <bbantwal () sourcefire com>]

What is your stream5 config?

Have you turned on reassembly on HTTP ports? Do you have the HTTP ports in
stream5 ports?

This should be fixed by adding ports 80, 8080 to ports client config of
stream5

-B

On Sat, Jun 4, 2011 at 5:19 AM, mahendra kumawat <mahendra.u27 () gmail com>wrote:

> Hi ,
>
> I came across an issue today where snort doesn't appear to match content
> across packets and since the feature is very basic to the IDS, I wanted to
> raise a red flag and seek your help.
>
> The issue is as follows:
>
> 1.  Vulnerability
> http://www.securityfocus.com/bid/47826
>
> 2. Exploit
> http://downloads.securityfocus.com/vulnerabilities/exploits/47826.txt
>
>
> There is two exploit ,let`s take only first in this case.  It's a form
> based
> cross site scripting attempt using HTTP POST. I wrote signature for this:
>
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: " Argyle
> Social
> Cross Site Scripting attempt"; flow:established, to_server;
> content:"stream_filter_rule"; http_client_body; reference:bugtraq,47826;
> classtype:web-application-attack; sid:50000027; rev:1;)
>
> I attached a pcap for testing "47826f.pcap". Please look at packet no. 4
> and 5
> across which the exploit content is split. when i was running snort on this
>
> pcap ,no alert was genrated.
>
>
> But when i removed "http_client_body" keyword in rule then i got a alert.
> So i
> think when i  use "http_client_body" there is some problem with across
> packet
> matching.
>
> I also tried after change "content:"script"; , but when i
> used "http_client_body" keyword after content ,i did not get any alert.
> When
> i removed "http_client_body" ,then i got alert. It is showing also same
> problem.
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg: "NIKSUN-WEB-CLIENT Cross Site Scripting attempt"; flow:established,
> to_server; content:"script"; http_client_body; r
> eference:bugtraq,47826; classtype:web-application-attack; sid:50000027;
> rev:1;)
>
>
> I have below configuration in snort.conf for http_inspect.
>
> # http_inspect: normalize and detect HTTP traffic and protocol anomalies
>
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500 flow_depth 0
>
> post_depth 65495
>
> Snort version:
>
>
>  -*> Snort! <*-
>   o"  )~   Version 2.8.6.1 (Build 39)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>            Using PCRE version: 7.4 2007-09-21
>
>
> So please advise me what is wrong with my snort ? why this is happening?
> how can i resolve this problem ?
>
> Please communicate with me on same id (mahendrau.27 () gmail com )
>
>
>
> Thanks
> Mahendra
>
>
>
>
> ------------------------------------------------------------------------------
> EditLive Enterprise is the world's most technically advanced content
> authoring tool. Experience the power of Track Changes, Inline Image
> Editing and ensure content is compliant with Accessibility Checking.
> http://p.sf.net/sfu/ephox-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
EditLive Enterprise is the world's most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users