Snort mailing list archives
Re: "http_client_body" rule not working
From: Shaiming Hsiung <shaiming.hsiung () gmail com>
Date: Wed, 1 Aug 2012 13:43:57 -0300
Hi again,
> Can you detail your IPS os_linux/snort please? daq? iptables/netfilter?
- Linux ubuntu 2.6.38-8-server #42-Ubuntu SMP (Ubuntu 11.04 / x86_64)
- tested it with Snort versions 2.9.2 and 2.9.3 with the same results
- lsmod shows up the ip_queue module

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
QUEUE      tcp  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
QUEUE      tcp  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
QUEUE      tcp  --  anywhere             anywhere
> what's your web request/cmd line? post your python script please?
--- post.py ---
#!/usr/bin/python
# Python 2 script: one POST to /hello carrying the five-byte body "world"
import httplib

h = httplib.HTTPConnection('target_host')
h.connect()
h.request('POST', '/hello', 'world')
r = h.getresponse()
print r.read()
---
> Your Snort config? cmd line? Repost your exact snort rules please?
--- test.snort.conf ---
preprocessor stream5_global: track_tcp yes track_udp yes
preprocessor stream5_tcp: policy bsd, timeout 86400, ports all
preprocessor stream5_udp: timeout 86400
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 }

drop tcp any any -> any any (sid:1234567; msg:"test1"; content:"world"; http_client_body;)

--- command line ---
# snort -dv --daq ipq -Q -c test.snort.conf
---
> Have you disabled cksum for testing, please?
Sorry, I am not sure what you mean exactly. Would that mean disabling IP checksums in Snort? At the OS level?
---
> Can you run tcpdump for a full network capture, please?
I paste below the tcpdump between localhost and the IPS.

---

Restating the issue: when snort is running with the given configuration, I expect it to block the given request, but instead I get the http response from target_host.

localhost$ ./post.py
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /hello was not found on this server.</p>
<hr>
<address>Apache/2.2.17 (Ubuntu) Server at target_host Port 80</address>
</body></html>

The Snort log has no alerts after doing this.

I have already stated this in a previous email, but Snort seems to be working fine otherwise. It *does* block the request if I use a rule not based on http_client_body. For instance, it has worked correctly with a slight variation of the rule:

drop tcp any any -> any any (sid:1234567; msg:"test1"; content:"hello"; http_uri;)

Below I paste the Snort output, and the tcpdump output.

localhost = 192.168.196.1
ips = 192.168.196.133 / 192.168.3.2
target_host = 192.168.3.4

Thanks once again for your help.

---

--- Snort output

Enabling inline operation
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "test.snort.conf"
Tagged Packet Limit: 256
Log directory = /var/log/snort
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 262144
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: ACTIVE
    Max UDP sessions: 131072
    Track ICMP sessions: INACTIVE
    Track IP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
    Send up to 0 active responses
    Protocol Aware Flushing: ACTIVE
        Maximum Flush Point: 16384
Stream5 TCP Policy config:
    Bound Address: default
    Reassembly Policy: BSD
    Timeout: 86400 seconds
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Reassembly Ports:
      21 client (Footprint) server (Footprint)
      23 client (Footprint) server (Footprint)
      25 client (Footprint) server (Footprint)
      42 client (Footprint) server (Footprint)
      53 client (Footprint) server (Footprint)
      80 client (Footprint) server (Footprint)
      110 client (Footprint) server (Footprint)
      111 client (Footprint) server (Footprint)
      135 client (Footprint) server (Footprint)
      136 client (Footprint) server (Footprint)
      137 client (Footprint) server (Footprint)
      139 client (Footprint) server (Footprint)
      143 client (Footprint) server (Footprint)
      445 client (Footprint) server (Footprint)
      513 client (Footprint) server (Footprint)
      514 client (Footprint) server (Footprint)
      1433 client (Footprint) server (Footprint)
      1521 client (Footprint) server (Footprint)
      2401 client (Footprint) server (Footprint)
      3306 client (Footprint) server (Footprint)
Stream5 UDP Policy config:
    Timeout: 86400 seconds
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: ./unicode.map
      IIS Unicode Map Codepage: 1252
      Memcap used for logging URI and Hostname: 150994944
      Max Gzip Memory: 838860
      Max Gzip Sessions: 191
      Gzip Compress Depth: 1460
      Gzip Decompress Depth: 2920
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports (PAF): 80
      Server Flow Depth: 300
      Client Flow Depth: 300
      Max Chunk Length: 500000
      Max Header Field Length: 0
      Max Number Header Fields: 0
      Max Number of WhiteSpaces allowed with header folding: 200
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 0
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Inspect HTTP Cookies: NO
      Inspect HTTP Responses: NO
      Extract Gzip from responses: NO
      Unlimited decompression of gzip data from responses: NO
      Normalize Javascripts in HTTP Responses: NO
      Normalize HTTP Cookies: NO
      Enable XFF and True Client IP: NO
      Log HTTP URI data: NO
      Log HTTP Hostname data: NO
      Extended ASCII code support in URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       1       0       0       0
|      nc       0       0       0       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------
+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------
+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log

Verifying Preprocessor Configurations!
ICMP tracking disabled, no ICMP sessions allocated
IP tracking disabled, no IP sessions allocated

[ Port Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances        : 3
| Patterns         : 5
| Pattern Chars    : 43
| Num States       : 43
| Num Match States : 5
| Memory           :   5.39Kbytes
|   Patterns       :   0.23K
|   Match Lists    :   0.49K
|   Transitions    :   3.47K
+-------------------------------------------------
ipq DAQ configured to inline.
The DAQ version does not support reload.
Reload thread starting...
Reload thread started, thread 0x7f2bee320700 (2737)

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2 IPv6 GRE (Build 78)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4

Commencing packet processing (pid=2737)
Decoding Raw IP4
08/01-16:26:09.025522 192.168.196.1:52386 -> 192.168.3.4:80
TCP TTL:62 TOS:0x0 ID:42598 IpLen:20 DgmLen:60 DF
******S* Seq: 0x43EF8D8C  Ack: 0x0  Win: 0x3908  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 2436074 0 NOP WS: 6
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/01-16:26:09.027629 192.168.3.4:80 -> 192.168.196.1:52386
TCP TTL:63 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0xB652FD58  Ack: 0x43EF8D8D  Win: 0x3890  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 68542 2436074 NOP WS: 5
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/01-16:26:09.028034 192.168.196.1:52386 -> 192.168.3.4:80
TCP TTL:62 TOS:0x0 ID:42599 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x43EF8D8D  Ack: 0xB652FD59  Win: 0xE5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2436074 68542
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/01-16:26:09.028270 192.168.196.1:52386 -> 192.168.3.4:80
TCP TTL:62 TOS:0x0 ID:42600 IpLen:20 DgmLen:146 DF
***AP*** Seq: 0x43EF8D8D  Ack: 0xB652FD59  Win: 0xE5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2436074 68542
50 4F 53 54 20 2F 68 65 6C 6C 6F 20 48 54 54 50  POST /hello HTTP
2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 74 61 72 67  /1.1..Host: targ
65 74 5F 68 6F 73 74 0D 0A 41 63 63 65 70 74 2D  et_host..Accept-
45 6E 63 6F 64 69 6E 67 3A 20 69 64 65 6E 74 69  Encoding: identi
74 79 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67  ty..Content-Leng
74 68 3A 20 35 0D 0A 0D 0A 77 6F 72 6C 64        th: 5....world
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/01-16:26:09.028644 192.168.3.4:80 -> 192.168.196.1:52386
TCP TTL:63 TOS:0x0 ID:63207 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xB652FD59  Ack: 0x43EF8DEB  Win: 0x1C5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 68542 2436074
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/01-16:26:09.029210 192.168.3.4:80 -> 192.168.196.1:52386
TCP TTL:63 TOS:0x0 ID:63208 IpLen:20 DgmLen:516 DF
***AP*** Seq: 0xB652FD59  Ack: 0x43EF8DEB  Win: 0x1C5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 68542 2436074
48 54 54 50 2F 31 2E 31 20 34 30 34 20 4E 6F 74  HTTP/1.1 404 Not
20 46 6F 75 6E 64 0D 0A 44 61 74 65 3A 20 57 65   Found..Date: We
64 2C 20 30 31 20 41 75 67 20 32 30 31 32 20 31  d, 01 Aug 2012 1
38 3A 32 36 3A 30 38 20 47 4D 54 0D 0A 53 65 72  8:26:08 GMT..Ser
76 65 72 3A 20 41 70 61 63 68 65 2F 32 2E 32 2E  ver: Apache/2.2.
31 37 20 28 55 62 75 6E 74 75 29 0D 0A 56 61 72  17 (Ubuntu)..Var
79 3A 20 41 63 63 65 70 74 2D 45 6E 63 6F 64 69  y: Accept-Encodi
6E 67 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67  ng..Content-Leng
74 68 3A 20 32 38 30 0D 0A 43 6F 6E 74 65 6E 74  th: 280..Content
2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C  -Type: text/html
3B 20 63 68 61 72 73 65 74 3D 69 73 6F 2D 38 38  ; charset=iso-88
35 39 2D 31 0D 0A 0D 0A 3C 21 44 4F 43 54 59 50  59-1....<!DOCTYP
45 20 48 54 4D 4C 20 50 55 42 4C 49 43 20 22 2D  E HTML PUBLIC "-
2F 2F 49 45 54 46 2F 2F 44 54 44 20 48 54 4D 4C  //IETF//DTD HTML
20 32 2E 30 2F 2F 45 4E 22 3E 0A 3C 68 74 6D 6C   2.0//EN">.<html
3E 3C 68 65 61 64 3E 0A 3C 74 69 74 6C 65 3E 34  ><head>.<title>4
30 34 20 4E 6F 74 20 46 6F 75 6E 64 3C 2F 74 69  04 Not Found</ti
74 6C 65 3E 0A 3C 2F 68 65 61 64 3E 3C 62 6F 64  tle>.</head><bod
79 3E 0A 3C 68 31 3E 4E 6F 74 20 46 6F 75 6E 64  y>.<h1>Not Found
3C 2F 68 31 3E 0A 3C 70 3E 54 68 65 20 72 65 71  </h1>.<p>The req
75 65 73 74 65 64 20 55 52 4C 20 2F 68 65 6C 6C  uested URL /hell
6F 20 77 61 73 20 6E 6F 74 20 66 6F 75 6E 64 20  o was not found 
6F 6E 20 74 68 69 73 20 73 65 72 76 65 72 2E 3C  on this server.<
2F 70 3E 0A 3C 68 72 3E 0A 3C 61 64 64 72 65 73  /p>.<hr>.<addres
73 3E 41 70 61 63 68 65 2F 32 2E 32 2E 31 37 20  s>Apache/2.2.17 
28 55 62 75 6E 74 75 29 20 53 65 72 76 65 72 20  (Ubuntu) Server 
61 74 20 74 61 72 67 65 74 5F 68 6F 73 74 20 50  at target_host P
6F 72 74 20 38 30 3C 2F 61 64 64 72 65 73 73 3E  ort 80</address>
0A 3C 2F 62 6F 64 79 3E 3C 2F 68 74 6D 6C 3E 0A  .</body></html>.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/01-16:26:09.029613 192.168.196.1:52386 -> 192.168.3.4:80
TCP TTL:62 TOS:0x0 ID:42601 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x43EF8DEB  Ack: 0xB652FF29  Win: 0xF5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2436075 68542
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/01-16:26:09.031542 192.168.196.1:52386 -> 192.168.3.4:80
TCP TTL:62 TOS:0x0 ID:42602 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x43EF8DEB  Ack: 0xB652FF29  Win: 0xF5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2436075 68542
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/01-16:26:09.031912 192.168.3.4:80 -> 192.168.196.1:52386
TCP TTL:63 TOS:0x0 ID:63209 IpLen:20 DgmLen:52 DF
***A***F Seq: 0xB652FF29  Ack: 0x43EF8DEC  Win: 0x1C5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 68542 2436075
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/01-16:26:09.032179 192.168.196.1:52386 -> 192.168.3.4:80
TCP TTL:62 TOS:0x0 ID:42603 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x43EF8DEC  Ack: 0xB652FF2A  Win: 0xF5  TcpLen: 32
TCP Options (3) => NOP NOP
*** Caught Int-Signal
===============================================================================
Run time for packet processing was 34.5996 seconds
Snort processed 10 packets.
Snort ran for 0 days 0 hours 0 minutes 34 seconds
   Pkts/sec:            0
===============================================================================
Packet I/O Totals:
   Received:           10
   Analyzed:           10 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:            0 (  0.000%)
       VLAN:            0 (  0.000%)
        IP4:           10 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:           10 (100.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
      EAPOL:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            0 (  0.000%)
      Total:           10
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:           10 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
Stream5 statistics:
            Total sessions: 1
              TCP sessions: 1
              UDP sessions: 0
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 1
TCP StreamTrackers Deleted: 1
              TCP Timeouts: 0
              TCP Overlaps: 0
       TCP Segments Queued: 2
     TCP Segments Released: 2
       TCP Rebuilt Packets: 2
         TCP Segments Used: 2
              TCP Discards: 0
                  TCP Gaps: 0
      UDP Sessions Created: 0
      UDP Sessions Deleted: 0
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 0
           Internal Events: 0
           TCP Port Filter
                   Dropped: 0
                 Inspected: 0
                   Tracked: 10
           UDP Port Filter
                   Dropped: 0
                 Inspected: 0
                   Tracked: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         1
    GET methods:                          0
    HTTP Request Headers extracted:       1
    HTTP Request Cookies extracted:       0
    Post parameters extracted:            1
    HTTP response Headers extracted:      0
    HTTP Response Cookies extracted:      0
    Unicode:                              0
    Double unicode:                       0
    Non-ASCII representable:              0
    Directory traversals:                 0
    Extra slashes ("//"):                 0
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 0
    Gzip Compressed Data Processed:       n/a
    Gzip Decompressed Data Processed:     n/a
    Total packets processed:              4
===============================================================================
Snort exiting
TS: 2436075 68542
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

--- tcpdump output (between localhost and IPS)

13:39:34.063277 IP 192.168.196.1.52420 > 192.168.3.4.80: Flags [S], seq 2374691411, win 14600, options [mss 1460,sackOK,TS val 2637340 ecr 0,nop,wscale 6], length 0
        0x0000:  000c 2915 83dc 0050 56c0 0008 0800 4500  ..)....PV.....E.
        0x0010:  003c d44f 4000 4006 1e16 c0a8 c401 c0a8  .<.O@.@.........
        0x0020:  0304 ccc4 0050 8d8a ea53 0000 0000 a002  .....P...S......
        0x0030:  3908 4885 0000 0204 05b4 0402 080a 0028  9.H............(
        0x0040:  3e1c 0000 0000 0103 0306                 >.........
13:39:34.063636 IP 192.168.196.130 > 192.168.196.1: ICMP redirect 192.168.3.4 to host 192.168.196.133, length 68
        0x0000:  0050 56c0 0008 000c 2915 83dc 0800 45c0  .PV.....).....E.
        0x0010:  0058 19ff 0000 4001 5611 c0a8 c482 c0a8  .X....@.V.......
        0x0020:  c401 0501 be55 c0a8 c485 4500 003c d44f  .....U....E..<.O
        0x0030:  4000 3f06 1f16 c0a8 c401 c0a8 0304 ccc4  @.?.............
        0x0040:  0050 8d8a ea53 0000 0000 a002 3908 436b  .P...S......9.Ck
        0x0050:  0000 0204 05b4 0402 080a 0028 3e1c 0000  ...........(>...
        0x0060:  0000 0103 0306                           ......
13:39:34.063680 IP 192.168.196.1.52420 > 192.168.3.4.80: Flags [S], seq 2374691411, win 14600, options [mss 1460,sackOK,TS val 2637340 ecr 0,nop,wscale 6], length 0
        0x0000:  000c 2907 24a4 000c 2915 83dc 0800 4500  ..).$...).....E.
        0x0010:  003c d44f 4000 3f06 1f16 c0a8 c401 c0a8  .<.O@.?.........
        0x0020:  0304 ccc4 0050 8d8a ea53 0000 0000 a002  .....P...S......
        0x0030:  3908 436b 0000 0204 05b4 0402 080a 0028  9.Ck...........(
        0x0040:  3e1c 0000 0000 0103 0306                 >.........
13:39:34.077535 IP 192.168.3.4.80 > 192.168.196.1.52420: Flags [S.], seq 2798162907, ack 2374691412, win 14480, options [mss 1460,sackOK,TS val 149049 ecr 2637340,nop,wscale 5], length 0
        0x0000:  0050 56c0 0008 000c 2907 24a4 0800 4500  .PV.....).$...E.
        0x0010:  003c 0000 4000 3f06 f365 c0a8 0304 c0a8  .<..@.?..e......
        0x0020:  c401 0050 ccc4 a6c8 93db 8d8a ea54 a012  ...P.........T..
        0x0030:  3890 c2f3 0000 0204 05b4 0402 080a 0002  8...............
        0x0040:  4639 0028 3e1c 0103 0305                 F9.(>.....
13:39:34.077555 IP 192.168.196.1.52420 > 192.168.3.4.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 2637344 ecr 149049], length 0
        0x0000:  000c 2915 83dc 0050 56c0 0008 0800 4500  ..)....PV.....E.
        0x0010:  0034 d450 4000 4006 1e1d c0a8 c401 c0a8  .4.P@.@.........
        0x0020:  0304 ccc4 0050 8d8a ea54 a6c8 93dc 8010  .....P...T......
        0x0030:  00e5 487d 0000 0101 080a 0028 3e20 0002  ..H}.......(>...
        0x0040:  4639                                     F9
13:39:34.077643 IP 192.168.196.1.52420 > 192.168.3.4.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 2637344 ecr 149049], length 0
        0x0000:  000c 2907 24a4 000c 2915 83dc 0800 4500  ..).$...).....E.
        0x0010:  0034 d450 4000 3f06 1f1d c0a8 c401 c0a8  .4.P@.?.........
        0x0020:  0304 ccc4 0050 8d8a ea54 a6c8 93dc 8010  .....P...T......
        0x0030:  00e5 2965 0000 0101 080a 0028 3e20 0002  ..)e.......(>...
        0x0040:  4639                                     F9
13:39:34.077937 IP 192.168.196.1.52420 > 192.168.3.4.80: Flags [P.], seq 1:95, ack 1, win 229, options [nop,nop,TS val 2637344 ecr 149049], length 94
        0x0000:  000c 2915 83dc 0050 56c0 0008 0800 4500  ..)....PV.....E.
        0x0010:  0092 d451 4000 4006 1dbe c0a8 c401 c0a8  ...Q@.@.........
        0x0020:  0304 ccc4 0050 8d8a ea54 a6c8 93dc 8018  .....P...T......
        0x0030:  00e5 b8f0 0000 0101 080a 0028 3e20 0002  ...........(>...
        0x0040:  4639 504f 5354 202f 6865 6c6c 6f20 4854  F9POST./hello.HT
        0x0050:  5450 2f31 2e31 0d0a 486f 7374 3a20 7461  TP/1.1..Host:.ta
        0x0060:  7267 6574 5f68 6f73 740d 0a41 6363 6570  rget_host..Accep
        0x0070:  742d 456e 636f 6469 6e67 3a20 6964 656e  t-Encoding:.iden
        0x0080:  7469 7479 0d0a 436f 6e74 656e 742d 4c65  tity..Content-Le
        0x0090:  6e67 7468 3a20 350d 0a0d 0a77 6f72 6c64  ngth:.5....world
13:39:34.078013 IP 192.168.196.1.52420 > 192.168.3.4.80: Flags [P.], seq 1:95, ack 1, win 229, options [nop,nop,TS val 2637344 ecr 149049], length 94
        0x0000:  000c 2907 24a4 000c 2915 83dc 0800 4500  ..).$...).....E.
        0x0010:  0092 d451 4000 3f06 1ebe c0a8 c401 c0a8  ...Q@.?.........
        0x0020:  0304 ccc4 0050 8d8a ea54 a6c8 93dc 8018  .....P...T......
        0x0030:  00e5 b8f0 0000 0101 080a 0028 3e20 0002  ...........(>...
        0x0040:  4639 504f 5354 202f 6865 6c6c 6f20 4854  F9POST./hello.HT
        0x0050:  5450 2f31 2e31 0d0a 486f 7374 3a20 7461  TP/1.1..Host:.ta
        0x0060:  7267 6574 5f68 6f73 740d 0a41 6363 6570  rget_host..Accep
        0x0070:  742d 456e 636f 6469 6e67 3a20 6964 656e  t-Encoding:.iden
        0x0080:  7469 7479 0d0a 436f 6e74 656e 742d 4c65  tity..Content-Le
        0x0090:  6e67 7468 3a20 350d 0a0d 0a77 6f72 6c64  ngth:.5....world
13:39:34.094553 IP 192.168.3.4.80 > 192.168.196.1.52420: Flags [.], ack 95, win 453, options [nop,nop,TS val 149051 ecr 2637344], length 0
        0x0000:  0050 56c0 0008 000c 2907 24a4 0800 4500  .PV.....).$...E.
        0x0010:  0034 d5e7 4000 3f06 1d86 c0a8 0304 c0a8  .4..@.?.........
        0x0020:  c401 0050 ccc4 a6c8 93dc 8d8a eab2 8010  ...P............
        0x0030:  01c5 2825 0000 0101 080a 0002 463b 0028  ..(%........F;.(
        0x0040:  3e20                                     >.
13:39:34.107628 IP 192.168.3.4.80 > 192.168.196.1.52420: Flags [P.], seq 1:465, ack 95, win 453, options [nop,nop,TS val 149051 ecr 2637344], length 464
        0x0000:  0050 56c0 0008 000c 2907 24a4 0800 4500  .PV.....).$...E.
        0x0010:  0204 d5e8 4000 3f06 1bb5 c0a8 0304 c0a8  ....@.?.........
        0x0020:  c401 0050 ccc4 a6c8 93dc 8d8a eab2 8018  ...P............
        0x0030:  01c5 e7a7 0000 0101 080a 0002 463b 0028  ............F;.(
        0x0040:  3e20 4854 5450 2f31 2e31 2034 3034 204e  >.HTTP/1.1.404.N
        0x0050:  6f74 2046 6f75 6e64 0d0a 4461 7465 3a20  ot.Found..Date:.
        0x0060:  5765 642c 2030 3120 4175 6720 3230 3132  Wed,.01.Aug.2012
        0x0070:  2031 383a 3339 3a33 3320 474d 540d 0a53  .18:39:33.GMT..S
        0x0080:  6572 7665 723a 2041 7061 6368 652f 322e  erver:.Apache/2.
        0x0090:  322e 3137 2028 5562 756e 7475 290d 0a56  2.17.(Ubuntu)..V
        0x00a0:  6172 793a 2041 6363 6570 742d 456e 636f  ary:.Accept-Enco
        0x00b0:  6469 6e67 0d0a 436f 6e74 656e 742d 4c65  ding..Content-Le
        0x00c0:  6e67 7468 3a20 3238 300d 0a43 6f6e 7465  ngth:.280..Conte
        0x00d0:  6e74 2d54 7970 653a 2074 6578 742f 6874  nt-Type:.text/ht
        0x00e0:  6d6c 3b20 6368 6172 7365 743d 6973 6f2d  ml;.charset=iso-
        0x00f0:  3838 3539 2d31 0d0a 0d0a 3c21 444f 4354  8859-1....<!DOCT
        0x0100:  5950 4520 4854 4d4c 2050 5542 4c49 4320  YPE.HTML.PUBLIC.
        0x0110:  222d 2f2f 4945 5446 2f2f 4454 4420 4854  "-//IETF//DTD.HT
        0x0120:  4d4c 2032 2e30 2f2f 454e 223e 0a3c 6874  ML.2.0//EN">.<ht
        0x0130:  6d6c 3e3c 6865 6164 3e0a 3c74 6974 6c65  ml><head>.<title
        0x0140:  3e34 3034 204e 6f74 2046 6f75 6e64 3c2f  >404.Not.Found</
        0x0150:  7469 746c 653e 0a3c 2f68 6561 643e 3c62  title>.</head><b
        0x0160:  6f64 793e 0a3c 6831 3e4e 6f74 2046 6f75  ody>.<h1>Not.Fou
        0x0170:  6e64 3c2f 6831 3e0a 3c70 3e54 6865 2072  nd</h1>.<p>The.r
        0x0180:  6571 7565 7374 6564 2055 524c 202f 6865  equested.URL./he
        0x0190:  6c6c 6f20 7761 7320 6e6f 7420 666f 756e  llo.was.not.foun
        0x01a0:  6420 6f6e 2074 6869 7320 7365 7276 6572  d.on.this.server
        0x01b0:  2e3c 2f70 3e0a 3c68 723e 0a3c 6164 6472  .</p>.<hr>.<addr
        0x01c0:  6573 733e 4170 6163 6865 2f32 2e32 2e31  ess>Apache/2.2.1
        0x01d0:  3720 2855 6275 6e74 7529 2053 6572 7665  7.(Ubuntu).Serve
        0x01e0:  7220 6174 2074 6172 6765 745f 686f 7374  r.at.target_host
        0x01f0:  2050 6f72 7420 3830 3c2f 6164 6472 6573  .Port.80</addres
        0x0200:  733e 0a3c 2f62 6f64 793e 3c2f 6874 6d6c  s>.</body></html
        0x0210:  3e0a                                     >.
13:39:34.107716 IP 192.168.196.1.52420 > 192.168.3.4.80: Flags [.], ack 465, win 245, options [nop,nop,TS val 2637351 ecr 149051], length 0
        0x0000:  000c 2915 83dc 0050 56c0 0008 0800 4500  ..)....PV.....E.
        0x0010:  0034 d452 4000 4006 1e1b c0a8 c401 c0a8  .4.R@.@.........
        0x0020:  0304 ccc4 0050 8d8a eab2 a6c8 95ac 8010  .....P..........
        0x0030:  00f5 487d 0000 0101 080a 0028 3e27 0002  ..H}.......(>'..
        0x0040:  463b                                     F;
13:39:34.107853 IP 192.168.196.130 > 192.168.196.1: ICMP redirect 192.168.3.4 to host 192.168.196.133, length 60
        0x0000:  0050 56c0 0008 000c 2915 83dc 0800 45c0  .PV.....).....E.
        0x0010:  0050 1a00 0000 4001 5618 c0a8 c482 c0a8  .P....@.V.......
        0x0020:  c401 0501 be4d c0a8 c485 4500 0034 d452  .....M....E..4.R
        0x0030:  4000 3f06 1f1b c0a8 c401 c0a8 0304 ccc4  @.?.............
        0x0040:  0050 8d8a eab2 a6c8 95ac 8010 00f5 271e  .P............'.
        0x0050:  0000 0101 080a 0028 3e27 0002 463b       .......(>'..F;
13:39:34.107883 IP 192.168.196.1.52420 > 192.168.3.4.80: Flags [.], ack 465, win 245, options [nop,nop,TS val 2637351 ecr 149051], length 0
        0x0000:  000c 2907 24a4 000c 2915 83dc 0800 4500  ..).$...).....E.
        0x0010:  0034 d452 4000 3f06 1f1b c0a8 c401 c0a8  .4.R@.?.........
        0x0020:  0304 ccc4 0050 8d8a eab2 a6c8 95ac 8010  .....P..........
        0x0030:  00f5 271e 0000 0101 080a 0028 3e27 0002  ..'........(>'..
        0x0040:  463b                                     F;
13:39:34.109042 IP 192.168.196.1.52420 > 192.168.3.4.80: Flags [F.], seq 95, ack 465, win 245, options [nop,nop,TS val 2637352 ecr 149051], length 0
        0x0000:  000c 2915 83dc 0050 56c0 0008 0800 4500  ..)....PV.....E.
        0x0010:  0034 d453 4000 4006 1e1a c0a8 c401 c0a8  .4.S@.@.........
        0x0020:  0304 ccc4 0050 8d8a eab2 a6c8 95ac 8011  .....P..........
        0x0030:  00f5 487d 0000 0101 080a 0028 3e28 0002  ..H}.......(>(..
        0x0040:  463b                                     F;
13:39:34.109193 IP 192.168.196.1.52420 > 192.168.3.4.80: Flags [F.], seq 95, ack 465, win 245, options [nop,nop,TS val 2637352 ecr 149051], length 0
        0x0000:  000c 2907 24a4 000c 2915 83dc 0800 4500  ..).$...).....E.
        0x0010:  0034 d453 4000 3f06 1f1a c0a8 c401 c0a8  .4.S@.?.........
        0x0020:  0304 ccc4 0050 8d8a eab2 a6c8 95ac 8011  .....P..........
        0x0030:  00f5 271c 0000 0101 080a 0028 3e28 0002  ..'........(>(..
        0x0040:  463b                                     F;
13:39:34.119488 IP 192.168.3.4.80 > 192.168.196.1.52420: Flags [F.], seq 465, ack 96, win 453, options [nop,nop,TS val 149053 ecr 2637352], length 0
        0x0000:  0050 56c0 0008 000c 2907 24a4 0800 4500  .PV.....).$...E.
        0x0010:  0034 d5e9 4000 3f06 1d84 c0a8 0304 c0a8  .4..@.?.........
        0x0020:  c401 0050 ccc4 a6c8 95ac 8d8a eab3 8011  ...P............
        0x0030:  01c5 2649 0000 0101 080a 0002 463d 0028  ..&I........F=.(
        0x0040:  3e28                                     >(
13:39:34.119509 IP 192.168.196.1.52420 > 192.168.3.4.80: Flags [.], ack 466, win 245, options [nop,nop,TS val 2637354 ecr 149053], length 0
        0x0000:  000c 2915 83dc 0050 56c0 0008 0800 4500  ..)....PV.....E.
        0x0010:  0034 d454 4000 4006 1e19 c0a8 c401 c0a8  .4.T@.@.........
        0x0020:  0304 ccc4 0050 8d8a eab3 a6c8 95ad 8010  .....P..........
        0x0030:  00f5 487d 0000 0101 080a 0028 3e2a 0002  ..H}.......(>*..
        0x0040:  463d                                     F=
13:39:34.119657 IP 192.168.196.1.52420 > 192.168.3.4.80: Flags [.], ack 466, win 245, options [nop,nop,TS val 2637354 ecr 149053], length 0
        0x0000:  000c 2907 24a4 000c 2915 83dc 0800 4500  ..).$...).....E.
        0x0010:  0034 d454 4000 3f06 1f19 c0a8 c401 c0a8  .4.T@.?.........
        0x0020:  0304 ccc4 0050 8d8a eab3 a6c8 95ad 8010  .....P..........
        0x0030:  00f5 2717 0000 0101 080a 0028 3e2a 0002  ..'........(>*..
        0x0040:  463d                                     F=

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
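Editor's note, added after the message and not part of it or of Snort: the tcpdump -X dump in the post already contains everything needed to check the two things worth settling before blaming the rule, namely whether the segment's TCP checksum is valid (the point behind rmkml's "disable cksum" question: Snort verifies checksums by default, `config checksum_mode` / `-k`, and a segment that fails is counted under "Bad Chk Sum" in the exit stats instead of being inspected) and whether the bytes a `content:` pattern names are actually in the buffer its modifier selects. The script below parses tcpdump -X lines, recomputes the TCP checksum over the pseudo-header, strips the Ethernet/IPv4/TCP headers, and splits the HTTP request into the `http_uri` and `http_client_body` buffers. The sample dump is constructed from three packets in the thread: the ACK as first emitted by 192.168.196.1, the copy of that ACK relayed by 192.168.196.130 (TTL one lower), and the POST segment. The first ACK copy fails the checksum and the relayed one passes; that the sender-side copy was left for NIC checksum offload is my assumption, not something the post states. The buffer model is deliberately naive (plain byte search, none of http_inspect's normalisation), and all function names are mine.

```python
"""Rule-debugging helper for a tcpdump -X capture: does the TCP checksum verify,
and does the content: pattern occur in the buffer its modifier selects?
Added example; not code from the post or from Snort."""
import re

# Constructed sample: three packets copied from the thread's tcpdump output,
# laid out the way tcpdump -X prints them (two spaces before the ASCII column).
SAMPLE_DUMP = """\
13:39:34.077555 IP 192.168.196.1.52420 > 192.168.3.4.80: Flags [.], ack 1, win 229, length 0
    0x0000:  000c 2915 83dc 0050 56c0 0008 0800 4500  ..)....PV.....E.
    0x0010:  0034 d450 4000 4006 1e1d c0a8 c401 c0a8  .4.P@.@.........
    0x0020:  0304 ccc4 0050 8d8a ea54 a6c8 93dc 8010  .....P...T......
    0x0030:  00e5 487d 0000 0101 080a 0028 3e20 0002  ..H}.......(>...
    0x0040:  4639                                     F9
13:39:34.077643 IP 192.168.196.1.52420 > 192.168.3.4.80: Flags [.], ack 1, win 229, length 0
    0x0000:  000c 2907 24a4 000c 2915 83dc 0800 4500  ..).$...).....E.
    0x0010:  0034 d450 4000 3f06 1f1d c0a8 c401 c0a8  .4.P@.?.........
    0x0020:  0304 ccc4 0050 8d8a ea54 a6c8 93dc 8010  .....P...T......
    0x0030:  00e5 2965 0000 0101 080a 0028 3e20 0002  ..)e.......(>...
    0x0040:  4639                                     F9
13:39:34.077937 IP 192.168.196.1.52420 > 192.168.3.4.80: Flags [P.], seq 1:95, ack 1, win 229, length 94
    0x0000:  000c 2915 83dc 0050 56c0 0008 0800 4500  ..)....PV.....E.
    0x0010:  0092 d451 4000 4006 1dbe c0a8 c401 c0a8  ...Q@.@.........
    0x0020:  0304 ccc4 0050 8d8a ea54 a6c8 93dc 8018  .....P...T......
    0x0030:  00e5 b8f0 0000 0101 080a 0028 3e20 0002  ...........(>...
    0x0040:  4639 504f 5354 202f 6865 6c6c 6f20 4854  F9POST./hello.HT
    0x0050:  5450 2f31 2e31 0d0a 486f 7374 3a20 7461  TP/1.1..Host:.ta
    0x0060:  7267 6574 5f68 6f73 740d 0a41 6363 6570  rget_host..Accep
    0x0070:  742d 456e 636f 6469 6e67 3a20 6964 656e  t-Encoding:.iden
    0x0080:  7469 7479 0d0a 436f 6e74 656e 742d 4c65  tity..Content-Le
    0x0090:  6e67 7468 3a20 350d 0a0d 0a77 6f72 6c64  ngth:.5....world
"""

HEX_LINE = re.compile(r"^\s*0x([0-9a-f]{4}):\s+(.*)$", re.I)


def parse_tcpdump_hex(dump):
    """Return [(summary, frame_bytes)]; any non-hex line starts a new packet."""
    packets = []
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            if line.strip():
                packets.append((line.strip(), bytearray()))
            continue
        if not packets or int(m.group(1), 16) != len(packets[-1][1]):
            raise ValueError("unexpected offset at: " + line.strip())
        hex_part = m.group(2).split("  ")[0]          # drop the ASCII column
        packets[-1][1].extend(bytes.fromhex(hex_part.replace(" ", "")))
    return [(s, bytes(b)) for s, b in packets]


def ip_and_tcp(frame):
    """Split an Ethernet II / IPv4 / TCP frame into (ip_header, tcp_segment)."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        raise ValueError("not an IPv4/TCP frame")
    ip = frame[14:]
    ihl, total = (ip[0] & 0x0F) * 4, int.from_bytes(ip[2:4], "big")
    return ip[:ihl], ip[ihl:total]


def ones_complement_sum(data):
    """RFC 1071 arithmetic over 16-bit big-endian words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum_ok(frame):
    """Verify the TCP checksum over pseudo-header + segment (sum must be 0xFFFF)."""
    ip, tcp = ip_and_tcp(frame)
    pseudo = ip[12:20] + b"\x00\x06" + len(tcp).to_bytes(2, "big")
    return ones_complement_sum(pseudo + tcp) == 0xFFFF


def tcp_payload(frame):
    """TCP segment payload, using the data-offset field to skip the options."""
    _, tcp = ip_and_tcp(frame)
    return tcp[(tcp[12] >> 4) * 4:]


def http_buffers(payload):
    """Split a raw HTTP/1.x request into the buffers the rule modifiers name:
    http_uri from the request line, http_client_body after the blank line."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request headers are incomplete in this segment")
    lines = head.split(b"\r\n")
    uri = lines[0].split(b" ")[1] if lines[0].count(b" ") >= 2 else b""
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(b":", 1) for h in lines[1:] if b":" in h)}
    return {"http_uri": uri, "http_client_body": body, "headers": headers}


def content_length_matches(frame):
    """True when the declared Content-Length equals the body bytes in this segment."""
    bufs = http_buffers(tcp_payload(frame))
    return int(bufs["headers"].get(b"content-length", b"-1")) == len(bufs["http_client_body"])


def rule_content_matches(frame, content, buffer):
    """Plain case-sensitive byte search, as content: without nocase does; none of
    http_inspect's normalisation is modelled.  A bad-checksum segment counts as
    no match, mirroring Snort's default checksum_mode (Bad Chk Sum, not inspected)."""
    if not tcp_checksum_ok(frame) or not tcp_payload(frame):
        return False
    return content.encode() in http_buffers(tcp_payload(frame))[buffer]
```

Run it against `parse_tcpdump_hex(SAMPLE_DUMP)`: the POST frame verifies, carries `/hello` in the `http_uri` buffer and `world` in the `http_client_body` buffer, and its Content-Length of 5 matches the body bytes present in that one segment. For a real capture, feed the full `tcpdump -X` text in and check every client segment the same way; a body that is split across segments, or a checksum that fails on the capture point, is a different problem from a rule that does not match.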
Current thread:
- "http_client_body" rule not working Shaiming Hsiung (Jul 26)
- Re: "http_client_body" rule not working rmkml (Jul 26)
- Re: "http_client_body" rule not working Shaiming Hsiung (Jul 27)
- Re: "http_client_body" rule not working rmkml (Jul 27)
- Re: "http_client_body" rule not working Shaiming Hsiung (Aug 01)
- Re: "http_client_body" rule not working Shaiming Hsiung (Jul 27)
- Re: "http_client_body" rule not working rmkml (Jul 26)