Snort mailing list archives

snort http_inspect

From: "nyarlathothep\@libero\.it" <nyarlathothep () libero it>
Date: Tue, 11 May 2004 14:15:05 +0200

Hello everyone,
I have a question about the use of the Snorts preprocessors:
I've installed Snort on  a Linux box and I've tried from outside to do a APACHE
CHUNKED ENCODE (Bugtraq ID: 5033, CVE:).
Snort records in the database only the http_inspect data, so :  (http_inspect)
OVERSIZE CHUNK ENCODING
but it dsnt activate the rules, one of those I think:

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC Apache Chunked-Encoding worm attempt";
flow:to_server,established; content:"CCCCCCC\: AAAAAAAAAAAAAAAAAAA"; nocase;
classtype:web-application-attack; reference:bugtraq,4474;
reference:cve,CAN-2002-0079;reference:bugtraq,5033; reference:cve,CAN-2002-0392;
sid:1809; rev:2;)

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC Chunked-Encoding transfer attempt"; flow:to_server,established;
content:"Transfer-Encoding\:"; nocase; content:"chunked"; nocase;
classtype:web-application-attack; reference:bugtraq,4474;
reference:cve,CAN-2002-0079; reference:bugtraq,5033;
reference:cve,CAN-2002-0392; sid:1807; rev:2;)

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC apache chunked encoding memory corruption exploit attempt";
flow:established,to_server; content:"|C0 50 52 89 E1 50 51 52 50 B8 3B 00 00 00
CD 80|"; reference:bugtraq,5033; reference:cve,CAN-2002-0392;
classtype:web-application-activity; sid:1808; rev:3;)


In fact I need the rules, that show me the correct ref ID (bugtraq and so on) to
correlate the snort data with the VA.

Could someone help me? I have to deactivate the preprocessor?

Thanks ,

Matteo




-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

snort http_inspect nyarlathothep () libero it (May 11)
- Re: snort http_inspect sgt_b (May 11)
- Re: snort http_inspect Jeremy Hewlett (May 11)
  - Re: snort http_inspect alerts still flooding on snort 2.1.2.... Snortty (May 21)