Snort mailing list archives

http rule is not always triggering


From: "Sven Wurth" <swurth () astaro com>
Date: Tue, 16 Feb 2010 01:56:58 -0800

Hi Snort-Sigs,

I saw a strange problem with an http rule, which is not always
triggering.
If I take a rule like this:

drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"foobar";
flow:established,to_server; uricontent:"insert"; nocase;
pcre:"/insert[^\n]*into/Ui"; metadata:policy security-ips drop, service
http; classtype:web-application-attack; sid:666666;)

go to google.com and search for "insert into", an alert will be logged and
the packet gets dropped.
The search takes a really long time and normally I get a timeout, but
sometimes retransmitted packets come through snort and google shows
the search results.
That's a failure; these packets should never pass snort.

I did a tcpdump on the outer snort interface; if I let snort read these
pcaps the attack is recognized. But why not always in inline
mode?

(snort 2.8.5.2 in inline mode)

Please help me, I have no idea how to debug this...

Best 
Sven 
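An added example, not from the post or from Snort itself, that models how the rule's uricontent and pcre options are evaluated against the normalized URI, using constructed request lines. The normalization is a simplified assumption (percent and plus decoding only) and the function names are hypothetical; it covers the match logic, not the inline retransmission behaviour asked about.

```python
import re
from urllib.parse import unquote_plus

# Options transcribed from the rule in the post above.
URICONTENT = "insert"                                   # uricontent:"insert"; nocase;
PCRE = re.compile(r"insert[^\n]*into", re.IGNORECASE)  # pcre:"/insert[^\n]*into/Ui"


def normalized_uri(request_line: str) -> str:
    """Approximate the normalized URI buffer that uricontent and the
    pcre /U modifier are matched against. Assumption: normalization is
    modelled as percent-decoding plus '+' -> space; the real
    http_inspect preprocessor does more than this."""
    _method, target, _version = request_line.split(" ", 2)
    return unquote_plus(target)


def rule_matches(request_line: str) -> bool:
    """Evaluate the rule's content options in order: the nocase
    uricontent check first, then the pcre on the same normalized URI."""
    uri = normalized_uri(request_line)
    if URICONTENT not in uri.lower():
        return False
    return PCRE.search(uri) is not None


def rule_matches_raw(request_line: str) -> bool:
    """The same checks on the raw, undecoded target, to show how much
    the rule depends on URI normalization being applied."""
    _method, target, _version = request_line.split(" ", 2)
    return URICONTENT in target.lower() and PCRE.search(target) is not None


# Constructed request lines, not captured traffic.
SAMPLE_REQUESTS = [
    "GET /search?q=insert+into HTTP/1.1",         # the google search from the post
    "GET /search?q=%69nsert%20into HTTP/1.1",     # same words, percent-encoded
    "GET /search?q=insert HTTP/1.1",              # 'insert' without 'into'
    "GET /insert.php?redirect=into HTTP/1.1",     # not SQL, but still matches
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r}: normalized={rule_matches(req)} raw={rule_matches_raw(req)}")
```

The last sample shows that the pattern fires on any URI containing "insert" followed later by "into", so the rule is broad by design; the percent-encoded sample shows why the /U modifier and uricontent, rather than raw payload matching, are used.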