Snort mailing list archives

Re: preprocessor http_inspect_server destroying traffic


From: Will Metcalf <william.metcalf () gmail com>
Date: Thu, 14 Jul 2005 15:06:58 -0500

I think Matt has answered this question many times now....

If you're looking for things deep into the server response you'll have to
change the configuration for http_inspect.  By default http_inspect only
passes the first 300 bytes of server response traffic to the detection
engine.

Try adding "flow_depth 0" to your http_inspect configuration and see if
that fixes your problem.


On 7/1/05, snort guy <snort-guy () hotmail com> wrote:
I am having some trouble with the http_inspect preprocessor using the
default settings from snort.conf. It is my opinion that this preprocessor is
possibly destroying valid traffic.
I am using Snort v2.3.3

(I have removed the comments and default variables for readability)
:::snort.conf:::
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8081 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }
preprocessor xlink2state: ports { 25 691 }
include classification.config
include reference.config
config flowbits_size: 256

alert tcp any any -> any any (msg:"traffic"; content:"highlight";)
:::end snort.conf:::

I set up a server with netcat using:
server# nc -l -p 8080

Then I connect to the server
client$ nc server 8080

Snort is able to see the 3-way handshake occur.
At this point I use the server to send the message "highlight" from the
server to the client.

Running snort with the -vde option I see the traffic go by as:
68 69 67 68 6C 69 67 68 74 0A highlight.

Using the simple rule listed in my snort.conf
alert tcp any any -> any any (msg:"traffic"; content:"highlight";)

I expect to get an alert based on this traffic. No packets were dropped, all
packets were processed, no alert is generated.

Commenting out the preprocessor http_inspect_server causes the alert to be
correctly generated.

Additionally, sending the "highlight" message from the client to the server
generates the alert correctly, the only problem is that sending it from the
server to the client doesn't.

I tested this same methodology with the string "cat" instead of "highlight"
and the problem does not occur.

alert tcp any any -> any any (msg:"cat alerts"; content:"cat";)




-------------------------------------------------------
This SF.Net email is sponsored by the 'Do More With Dual!' webinar happening
July 14 at 8am PDT/11am EDT. We invite you to explore the latest in dual
core and dual graphics technology at this free one hour event hosted by HP,
AMD, and NVIDIA.  To register visit http://www.hp.com/go/dualwebinar
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



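The change Will suggests, shown against the posted configuration as an added illustration (editor's example, not code from either poster or from the Snort project): the http_inspect_server line from the quoted snort.conf first as posted, with flow_depth left at its default of 300 bytes, and then with flow_depth 0 so the whole server response reaches the detection engine. The ports and oversize_dir_length values are the original poster's; the comments are added here.

```snort
# As posted: flow_depth is not set, so http_inspect_server applies its
# default and only the first 300 bytes of each server response are handed
# to the detection engine. Content later in a response can never match.
preprocessor http_inspect_server: server default profile all ports { 80 8080 8081 } oversize_dir_length 500

# With flow_depth 0: inspect the entire server response. This gives up the
# performance saving of the default in exchange for full coverage of
# response bodies on the listed ports.
preprocessor http_inspect_server: server default profile all ports { 80 8080 8081 } oversize_dir_length 500 flow_depth 0
```

flow_depth is one of the options that may still be given alongside a profile, so it can simply be appended to the existing line. Snort prints the http_inspect configuration it loaded at startup, so the flow depth actually in effect can be confirmed there before repeating the netcat test.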