Snort mailing list archives
Re: HTTP-Inspect / Stream4 Reassembly question
From: Daniel Purcell <dpurcell () nitrosecurity com>
Date: Tue, 31 May 2005 15:15:43 -0600
I found the message you were referring to in the snort-devel archives on the 19th of May. I added "flow_depth 0" to my http_inspect configuration and now my sig works. Thanks!
-Dan Will Metcalf wrote:
I think Matt from Sourcefire answered a similar question about a week ago. I don't think stream4 reassembly really has much to do with this sig not firing as eicar.com should fit into a single packet despite any overly long http header crap. Check out Matt's response below. Regards, WillIf you looking for things deep into the server response you'll have to change the configuration for http_inspect. By default http_inspect only passes the first 300 bytes of server response traffic to the detection engine.Try adding "flow_depth 0" to you http_inspect configuration and see if that fixes your problem.On 5/31/05, Daniel Purcell <dpurcell () nitrosecurity com> wrote:List users, For some reason, my snort rule is not detecting a simple signature. The EICAR virus is a simple, sample virus that can be used to detect whether or not a virus-detection engine is working or not. It is 68 bytes long. It is in fact an executable (an MS-DOS .com file) that is also entirely printable ASCII characters (all 68 bytes). You can see it here: http://www.eicar.org/anti_virus_test_file.htm I have a rule in the database to detect it. It is really simple (almost overly so). Here it is: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EICAR test virus"; content:"X5O!P%@AP[4|5c|PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"; classtype:not-suspicious; reference:url,www.eicar.org/anti_virus_test_file.htm; rev:1;) It is just a rule with one content. I can't get it to detect with my 2.3.x or 2.2.x copy of snort when I go to the above web site. I have found a way, however, to force it to detect it, but it is pretty bad - I have to turn off _BOTH_ the Stream-4-Reassembly, _AND_ turn off the HTTP_INSPECT preprocessors. Then, it will detect it every time. Otherwise, it will never detect it. And, it is not just that. I can't even detect, for example, the "X5" from the front of the string, or the "EICAR" from the middle of the string without turning those off. Does the content: tag do some mangling of the packet before it inspects it? I thought that's what uricontent did... -Daniel - -- Dyslexics have more fnu. ------------------------------------------------------- This SF.Net email is sponsored by Yahoo. Introducing Yahoo! Search Developer Network - Create apps using Yahoo! Search APIs Find out how you can build Yahoo! directly into your own Applications - visit http://developer.yahoo.net/?fr=offad-ysdn-ostg-q22005 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users------------------------------------------------------- This SF.Net email is sponsored by Yahoo. Introducing Yahoo! Search Developer Network - Create apps using Yahoo! Search APIs Find out how you can build Yahoo! directly into your own Applications - visit http://developer.yahoo.net/?fr=fad-ysdn-ostg-q22005 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=ort-users
------------------------------------------------------- This SF.Net email is sponsored by Yahoo. Introducing Yahoo! Search Developer Network - Create apps using Yahoo! Search APIs Find out how you can build Yahoo! directly into your own Applications - visit http://developer.yahoo.net/?fr=offad-ysdn-ostg-q22005 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- HTTP-Inspect / Stream4 Reassembly question Daniel Purcell (May 31)
- Re: HTTP-Inspect / Stream4 Reassembly question Will Metcalf (May 31)
- Re: HTTP-Inspect / Stream4 Reassembly question Daniel Purcell (May 31)
- Re: HTTP-Inspect / Stream4 Reassembly question Will Metcalf (May 31)