Snort mailing list archives

Re: Content checking in Snort-2.8.3.2


From: Todd Wease <twease () sourcefire com>
Date: Wed, 28 Jan 2009 08:56:31 -0500

Hi bahamin,

I get 18 alerts using this rule.  Did you remember to modify your
stream5 configuration to do server side reassembly?  Again, take a look
at README.stream5.

To use a ';' in a content, use its ASCII hex representation, e.g.
content:"|3b|";


Todd


bahamin takhtaei wrote:

Dear Todd,
Thanks for your attention. You're right!
I added "flow_depth 0" to snort.conf and see the alerts. (Although I
didn't have this problem in Snort-2.7.0 before.)

Then I added this rule to local.rules:

alert tcp any any -> any any (sid:10001009; msg:"http-only-stream2"; flow:only_stream; content:"|68 3a 20 34 37 25 3b 0a 09 09 09 09 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 20 33 25 3b 0a 09 09 09 09 66|";)

whose content is split between packets 73 and 74, but it's not triggered.
Why can't Stream5 find that content (as you said)?

(And do you know how I can add a string content that contains the ";"
character to a rule?)


Regards,
Bahamin




--- On Tue, 1/27/09, Todd Wease <twease () sourcefire com> wrote:

    From: Todd Wease <twease () sourcefire com>
    Subject: Re: [Snort-users] Content checking in Snort-2.8.3.2
    To: "bahamin takhtaei" <b_takhtaei () yahoo com>
    Cc: "Leon Ward" <seclists () rm-rf co uk>,
    snort-users () lists sourceforge net
    Date: Tuesday, January 27, 2009, 9:22 AM

    Hi bahamin,

    With the config you provided, I am able to get the following rules to alert:

    alert tcp any any -> any any (sid:10001003; msg:"http-th"; content:"th"; nocase;)
    alert tcp any any -> any any (sid:10001006; msg:"http-bin2"; content:"|20 61|"; nocase;)


    With Joel's suggestion of adding "flow_depth 0" to the
    "http_inspect_server" configuration, in addition, I get these rules to
    alert:

    alert tcp any any -> any any (sid:10001002; msg:"http-established"; flow:from_server, established; content:"web";)
    alert tcp any any -> any any (sid:10001004; msg:"http-the"; content:"the"; nocase;)
    alert tcp any any -> any any (sid:10001005; msg:"http-bin"; content:"|20 61 6e 64 20 64 69 72|"; nocase;)

    Please read README.http_inspect for an explanation of the "flow_depth"
    option.


    The following rule doesn't alert because there is no ICMP traffic in the
    pcap:

    alert icmp any any -> any any (sid:10001007; msg:"icmp-cont-test";
    content:"abcdefgh";)


    Now for the more complicated case:

    alert tcp any any -> any any (sid:10001001; msg:"http-only-stream"; content:"directed to the website";)

    First of all, Snort, by default, does not do reassembly of server
    traffic.  See README.stream5 for reassembly options.  At any rate, even
    with doing server side reassembly, this alert will not fire.  Note that
    stream5 is a post-ack model which means it doesn't do reassembly until
    it gets an ACK from the other side of the conversation and only
    reassembles data that has been ACKed, i.e. data it is sure the other
    side has received and accepted.

    This content is split up between packets 74 and 75.  After receiving
    packet 75, Snort will have queued packets 73, 74 and 75 for reassembly. 
    Packet 76 is an ACK from the client which tells stream5 to reassemble
    whatever it has queued for the server.  The problem is that the client
    only ACKs up through packet 74, so stream5 only reassembles packets 73
    and 74.  The client then ACKs packet 75, so stream5 sends that through.


    Todd




    bahamin takhtaei wrote:
    > Hi,
    > I attach a dumpFile.pcap to this email. I attach snort.conf and
    > local.rules, too.
    >
    > Thank you,
    > Bahamin
    >
    > --- On Tue, 1/27/09, Leon Ward <seclists () rm-rf co uk> wrote:
    >
    >     From: Leon Ward <seclists () rm-rf co uk>
    >     Subject: Re: [Snort-users] Content checking in Snort-2.8.3.2
    >     To: b_takhtaei () yahoo com
    >     Date: Tuesday, January 27, 2009, 3:35 AM
    >
    >     Run the test again, but at the same time have tcpdump sniffing the
    >     interface.
    >     A simple ...
    >
    >     tcpdump -ni <DEVICE> -s0 -w /tmp/filename.pcap
    >
    >     ... Will do the trick.
    >
    >     Mail the pcap over, it will be easier to read that than make
    >     random guesses about what could be happening.
    >
    >     -Leon
    >
    >     On 27 Jan 2009, at 07:19, bahamin takhtaei wrote:
    >
    >>
    >>     Hi Leon,
    >>     Thanks for your attention. I run Snort in inline mode using
    >>     IP_QUEUE.
    >>     I add these rules to iptables:
    >>
    >>     iptables -A INPUT  -p tcp --dport 80 -j QUEUE
    >>     iptables -A OUTPUT -p tcp --sport 80 -j QUEUE
    >>
    >>     and it seems that the traffic arrives at Snort correctly.
    >>
    >>     (Notice: I add an ICMP rule to local.rules:
    >>     alert icmp any any -> any any (sid:100010010; msg:"icmp-cont-test"; content:"abcdefgh";)
    >>     and check it by sending ping requests to the Snort machine: it's
    >>     triggered, so I think my Snort has a problem with TCP traffic?!)
    >>
    >>
    >>     --- On Mon, 1/26/09, Leon Ward <seclists () rm-rf co uk> wrote:
    >>
    >>         From: Leon Ward <seclists () rm-rf co uk>
    >>         Subject: Re: [Snort-users] Content checking in Snort-2.8.3.2
    >>         To: b_takhtaei () yahoo com
    >>         Cc: "snort" <snort-users () lists sourceforge net>
    >>         Date: Monday, January 26, 2009, 4:25 AM
    >>
    >>         Hello
    >>
    >>         On 25 Jan 2009, at 14:25, bahamin takhtaei wrote:
    >>
    >>>         Hi,
    >>>         I installed Snort-2.8.3.2 and checked some content rules, but
    >>>         Snort can't match any content with "content-length > 2"!
    >>>
    >>
    >>         Snort can match more than that, so let's change the question
    >>         slightly. What are you trying to match? Got a pcap?
    >>
    >>         -Leon
    >>
    >>>
    >>>         for example:
    >>>
    >>>         I add these rules to local.rules:
    >>>         1. alert tcp any any -> any any (sid:10001001; msg:"http-th"; content:"th"; nocase;)
    >>>         2. alert tcp any any -> any any (sid:10001002; msg:"http-the"; content:"the"; nocase;)
    >>>         3. alert tcp any any -> any any (sid:10001003; msg:"http-hex"; content:"|20 61 6e 64 20 64 69 72|"; nocase;)
    >>>         4. alert tcp any any -> any any (sid:10001004; msg:"http-hex2"; content:"|20 61|"; nocase;)
    >>>
    >>>         -----------------------------------------------------------------------
    >>>
    >>>         then send HTTP traffic to the Snort machine that contains many
    >>>         "the" patterns, but only rule 1 and rule 4 are triggered. Why,
    >>>         please?
    >>>
    >>>         Notice: my snort.conf is the sample config file that is on
    >>>         snort.org.
    >>>
    >>>
    >>>        
    ------------------------------------------------------------------------------
    >>>         This SF.net email is sponsored by:
    >>>         SourcForge Community
    >>>         SourceForge wants to tell your story.
    >>>        
    http://p.sf.net/sfu/sf-spreadtheword_______________________________________________
    >>>         Snort-users mailing list
    >>>         Snort-users () lists sourceforge net
    >>>         <mailto:Snort-users () lists sourceforge net>
    >>>         Go to this URL to change user options or unsubscribe:
    >>>         https://lists.sourceforge.net/lists/listinfo/snort-users
    >>>         Snort-users list archive:
    >>>         http://www.geocrawler.com/redir-sf.php3?list=snort-users
    >>
    >>
    >
    >
    >
     ------------------------------------------------------------------------
    >
    >