Snort mailing list archives
snort http_inspect
From: "nyarlathothep@libero.it" <nyarlathothep () libero it>
Date: Tue, 11 May 2004 14:15:05 +0200
Hello everyone, I have a question about the use of Snort's preprocessors: I've installed Snort on a Linux box and I've tried from outside to do an APACHE CHUNKED ENCODE (Bugtraq ID: 5033, CVE:). Snort records in the database only the http_inspect data, so:

    (http_inspect) OVERSIZE CHUNK ENCODING

but it doesn't activate the rules, one of those I think:

    web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"CCCCCCC\: AAAAAAAAAAAAAAAAAAA"; nocase; classtype:web-application-attack; reference:bugtraq,4474; reference:cve,CAN-2002-0079; reference:bugtraq,5033; reference:cve,CAN-2002-0392; sid:1809; rev:2;)

    web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Chunked-Encoding transfer attempt"; flow:to_server,established; content:"Transfer-Encoding\:"; nocase; content:"chunked"; nocase; classtype:web-application-attack; reference:bugtraq,4474; reference:cve,CAN-2002-0079; reference:bugtraq,5033; reference:cve,CAN-2002-0392; sid:1807; rev:2;)

    web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"|C0 50 52 89 E1 50 51 52 50 B8 3B 00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,CAN-2002-0392; classtype:web-application-activity; sid:1808; rev:3;)

In fact I need the rules that show me the correct ref ID (bugtraq and so on) to correlate the Snort data with the VA. Could someone help me? Do I have to deactivate the preprocessor?

Thanks,
Matteo
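An added example, not from this post or the thread: a small Python parser that pulls sid, msg and every reference option out of Snort 2.x rule lines like the ones quoted above, so alerts keyed by sid can be joined to VA findings by bugtraq or CVE id. The sample input is two of the quoted rules; the function names are my own.

```python
import re

# Constructed sample input: two of the web-misc.rules lines quoted in the post above.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"CCCCCCC\: AAAAAAAAAAAAAAAAAAA"; nocase; classtype:web-application-attack; reference:bugtraq,4474; reference:cve,CAN-2002-0079;reference:bugtraq,5033; reference:cve,CAN-2002-0392; sid:1809; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Chunked-Encoding transfer attempt"; flow:to_server,established; content:"Transfer-Encoding\:"; nocase; content:"chunked"; nocase; classtype:web-application-attack; reference:bugtraq,4474; reference:cve,CAN-2002-0079; reference:bugtraq,5033; reference:cve,CAN-2002-0392; sid:1807; rev:2;)
'''

def split_options(body):
    """Split a rule option body on ';', honouring double quotes and backslash escapes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body):  # keep escapes such as \: intact
            cur.extend(body[i:i + 2]); i += 2; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip()); cur = []
        else:
            cur.append(ch)
        i += 1
    opts.append(''.join(cur).strip())
    return [o for o in opts if o]

def parse_rule(line):
    """Return {'sid', 'msg', 'references': [(system, id), ...]} for one rule line, or None."""
    m = re.match(r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s+.*?\((.*)\)\s*$', line)
    if not m:
        return None
    rule = {'sid': None, 'msg': None, 'references': []}
    for opt in split_options(m.group(1)):
        key, _, value = (s.strip() for s in opt.partition(':'))
        if key == 'sid':
            rule['sid'] = int(value)
        elif key == 'msg':
            rule['msg'] = value.strip('"')
        elif key == 'reference':  # reference:bugtraq,5033 -> ('bugtraq', '5033')
            system, _, ident = value.partition(',')
            rule['references'].append((system.strip().lower(), ident.strip()))
    return rule

def build_sid_index(text):
    """Map sid -> parsed rule for every rule line in a rules file's text."""
    rules = (parse_rule(l) for l in text.splitlines())
    return {r['sid']: r for r in rules if r and r['sid'] is not None}

def sids_for_reference(index, system, ident):
    """Which sids carry a given reference (e.g. bugtraq 5033)? That is the join key to the VA report."""
    return sorted(sid for sid, r in index.items() if (system.lower(), ident) in r['references'])
```

Feed it the whole web-misc.rules file instead of SAMPLE_RULES and the index covers every signature the sensor loads.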