Snort mailing list archives
Problem with http_inspect and Basic Authentication rule
From: andreas <andi () geekosphere org>
Date: Mon, 04 Jul 2011 12:31:53 +0200
Hi *,

I use Snort on a mirror port. I found an issue with the http_inspect preprocessor and one rule for authentication. I start Snort 2.9.0.5 using "--treat-drop-as-alert -u snort -g snort -A fast -N -I -i eth2 -P 0 -l /var/log/snort -c /etc/snort/snort.conf". I also tried several options with "preprocessor http_inspect:".

The rule I want to see in the log file is "ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted" with sid:2006380, which is in "emerging-policy.rules".

I use two lynx calls to test this issue (1.1.1.1 is just an example IP):

1. lynx --auth=foo:bar http://1.1.1.1/trac/login
2. lynx http://1.1.1.1/trac/browser and then navigate to login and try to authenticate

When http_inspect is activated, the alert only occurs with the first call. If I put "disabled" on the preprocessor http_inspect, the alert occurs on both calls. So the rule is fine and the packets are also fine, so I can pin it down to http_inspect. One idea is that with http_inspect activated only the first HTTP request is handled and the HTTP alert for the authentication is ignored. I tried to play with all the http_inspect options, but nothing changed except with the disabled option.

So, any idea what I can do/try to get Snort working with http_inspect and still reporting the alert for the authentication when the login page isn't called directly?

Andi++
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please see http://www.snort.org/docs for documentation
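The following Python is an added illustration of the behaviour described in the post above; it is not part of the original message, not the text of ET rule sid:2006380, and not Snort's or http_inspect's code. It models the poster's hypothesis ("only the first HTTP request is handled") by splitting a constructed client-to-server byte stream into individual HTTP/1.x requests and looking for an "Authorization: Basic" header in each one, versus in the first request only. The two streams are constructed to mirror the two lynx calls (direct login with --auth, and browsing first, then authenticating); the assumption that all requests of the second scenario travel on one TCP connection is mine, not something the post establishes.

```python
import base64
import re
from typing import List, Optional, Tuple

# Minimal stand-in for what the ET "Outgoing Basic Auth" rule looks for:
# a client request header "Authorization: Basic <base64>". This is an
# added illustration, not the rule's real options.
AUTH_RE = re.compile(
    r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.IGNORECASE | re.MULTILINE
)
CONTENT_LENGTH_RE = re.compile(rb"^Content-Length:\s*(\d+)\s*$", re.IGNORECASE | re.MULTILINE)


def split_requests(stream: bytes) -> List[bytes]:
    """Split a client->server HTTP/1.x stream into individual requests.

    Request bodies are delimited by Content-Length only, which covers the
    GET/POST traffic modelled here; chunked request bodies are not handled.
    """
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            requests.append(stream[pos:])  # truncated trailing request
            break
        head = stream[pos:end + 4]
        m = CONTENT_LENGTH_RE.search(head)
        body_len = int(m.group(1)) if m else 0
        requests.append(stream[pos:end + 4 + body_len])
        pos = end + 4 + body_len
    return requests


def basic_auth_credentials(request: bytes) -> Optional[Tuple[str, str, str, str]]:
    """Return (method, uri, user, password) if the request carries Basic auth, else None."""
    text = request.decode("latin-1")
    m = AUTH_RE.search(text)
    if not m:
        return None
    request_line = text.split("\r\n", 1)[0]
    method, uri = request_line.split(" ")[:2]
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, password = decoded.partition(":")
    return (method, uri, user, password)


def inspect_stream(stream: bytes, first_request_only: bool = False):
    """Return one alert tuple per request carrying Basic auth.

    first_request_only=True models the hypothesis from the post that only the
    first request of a connection is inspected; it is not Snort's real behaviour.
    """
    requests = split_requests(stream)
    if first_request_only:
        requests = requests[:1]
    alerts = []
    for idx, req in enumerate(requests):
        creds = basic_auth_credentials(req)
        if creds:
            alerts.append((idx,) + creds)
    return alerts


# --- constructed sample traffic (not captured from the poster's network) ---
CRED = base64.b64encode(b"foo:bar").decode()

# 1. lynx --auth=foo:bar http://1.1.1.1/trac/login : credentials in the first request
DIRECT_LOGIN = (
    b"GET /trac/login HTTP/1.1\r\nHost: 1.1.1.1\r\n"
    b"Authorization: Basic " + CRED.encode() + b"\r\nUser-Agent: Lynx\r\n\r\n"
)

# 2. lynx http://1.1.1.1/trac/browser, then navigate to login and authenticate,
#    assumed to share one connection: credentials only in the fourth request
BROWSE_THEN_LOGIN = (
    b"GET /trac/browser HTTP/1.1\r\nHost: 1.1.1.1\r\nUser-Agent: Lynx\r\n\r\n"
    b"POST /trac/search HTTP/1.1\r\nHost: 1.1.1.1\r\nContent-Length: 9\r\n\r\nq=foo+bar"
    b"GET /trac/login HTTP/1.1\r\nHost: 1.1.1.1\r\nUser-Agent: Lynx\r\n\r\n"
    b"GET /trac/login HTTP/1.1\r\nHost: 1.1.1.1\r\n"
    b"Authorization: Basic " + CRED.encode() + b"\r\nUser-Agent: Lynx\r\n\r\n"
)

if __name__ == "__main__":
    for name, stream in (("direct login", DIRECT_LOGIN), ("browse then login", BROWSE_THEN_LOGIN)):
        print(name, "all requests:", inspect_stream(stream))
        print(name, "first request only:", inspect_stream(stream, first_request_only=True))
```

Run stand-alone, the "first request only" mode reports the credentials for the direct login but nothing for the browse-then-login stream, which is the asymmetry the post describes; inspecting every request in the stream reports both. Whether http_inspect in 2.9.0.5 really stops after the first request is not settled by this model; it only shows what the observed symptom would look like if it did.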
Current thread:
- Problem with http_inspect and Basic Authentication rule andreas (Jul 04)
- Re: Problem with http_inspect and Basic Authentication rule Joel Esler (Jul 04)
- Re: Problem with http_inspect and Basic Authentication rule andreas (Jul 04)
- Re: Problem with http_inspect and Basic Authentication rule Russ Combs (Jul 05)